CVE database update : 2024-12-03

LAYER: meta
PACKAGE NAME: python3-setuptools
PACKAGE VERSION: 69.1.1
CVE: CVE-2013-1633
CVE STATUS: Patched
CVE SUMMARY: easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1633

LAYER: meta
PACKAGE NAME: python3-setuptools
PACKAGE VERSION: 69.1.1
CVE: CVE-2022-40897
CVE STATUS: Patched
CVE SUMMARY: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40897

LAYER: meta
PACKAGE NAME: python3-setuptools
PACKAGE VERSION: 69.1.1
CVE: CVE-2024-6345
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6345

LAYER: meta
PACKAGE NAME: cracklib-native
PACKAGE VERSION: 2.9.11
CVE: CVE-1999-1140
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1140

LAYER: meta
PACKAGE NAME: cracklib-native
PACKAGE VERSION: 2.9.11
CVE: CVE-2016-6318
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6318

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2004-0401
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0401

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2006-0645
CVE STATUS: Patched
CVE SUMMARY: Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0645

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2012-1569
CVE STATUS: Patched
CVE SUMMARY: The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1569

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2014-3467
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3467

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2014-3468
CVE STATUS: Patched
CVE SUMMARY: The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3468

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2014-3469
CVE STATUS: Patched
CVE SUMMARY: The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3469

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2015-2806
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2806

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2015-3622
CVE STATUS: Patched
CVE SUMMARY: The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.5 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3622

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2016-4008
CVE STATUS: Patched
CVE SUMMARY: The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4008

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2017-10790
CVE STATUS: Patched
CVE SUMMARY: The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10790

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2017-6891
CVE STATUS: Patched
CVE SUMMARY: Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6891

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2018-1000654
CVE STATUS: Patched
CVE SUMMARY: GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000654

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2018-6003
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6003

LAYER: meta
PACKAGE NAME: libtasn1-native
PACKAGE VERSION: 4.19.0
CVE: CVE-2021-46848
CVE STATUS: Patched
CVE SUMMARY: GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46848

LAYER: meta
PACKAGE NAME: libidn2-native
PACKAGE VERSION: 2.3.7
CVE: CVE-2017-14061
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14061

LAYER: meta
PACKAGE NAME: libidn2-native
PACKAGE VERSION: 2.3.7
CVE: CVE-2017-14062
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14062

LAYER: meta
PACKAGE NAME: libidn2-native
PACKAGE VERSION: 2.3.7
CVE: CVE-2019-12290
CVE STATUS: Patched
CVE SUMMARY: GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12290

LAYER: meta
PACKAGE NAME: libidn2-native
PACKAGE VERSION: 2.3.7
CVE: CVE-2019-18224
CVE STATUS: Patched
CVE SUMMARY: idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18224

LAYER: meta
PACKAGE NAME: zip
PACKAGE VERSION: 3.0
CVE: CVE-2004-1010
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1010

LAYER: meta
PACKAGE NAME: zip
PACKAGE VERSION: 3.0
CVE: CVE-2018-13410
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Disputed and also Debian doesn't consider a vulnerability
CVE SUMMARY: Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13410

LAYER: meta
PACKAGE NAME: zip
PACKAGE VERSION: 3.0
CVE: CVE-2018-13684
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Not for zip but for smart contract implementation for it
CVE SUMMARY: The mintToken function of a smart contract implementation for ZIP, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13684

LAYER: meta
PACKAGE NAME: zip
PACKAGE VERSION: 3.0
CVE: CVE-2023-39135
CVE STATUS: Patched
CVE SUMMARY: An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39135

LAYER: meta
PACKAGE NAME: acl-native
PACKAGE VERSION: 2.3.2
CVE: CVE-2009-4411
CVE STATUS: Patched
CVE SUMMARY: The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4411

LAYER: meta-networking
PACKAGE NAME: nbd
PACKAGE VERSION: 3.24
CVE: CVE-2005-3534
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the Network Block Device (nbd) server 2.7.5 and earlier, and 2.8.0 through 2.8.2, allows remote attackers to execute arbitrary code via a large request, which is written past the end of the buffer because nbd does not account for memory taken by the reply header.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3534

LAYER: meta-networking
PACKAGE NAME: nbd
PACKAGE VERSION: 3.24
CVE: CVE-2011-0530
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the mainloop function in nbd-server.c in the server in Network Block Device (nbd) before 2.9.20 might allow remote attackers to execute arbitrary code via a long request.  NOTE: this issue exists because of a CVE-2005-3534 regression.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0530

LAYER: meta-networking
PACKAGE NAME: nbd
PACKAGE VERSION: 3.24
CVE: CVE-2011-1925
CVE STATUS: Patched
CVE SUMMARY: nbd-server.c in Network Block Device (nbd-server) 2.9.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by causing a negotiation failure, as demonstrated by specifying a name for a non-existent export.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1925

LAYER: meta-networking
PACKAGE NAME: nbd
PACKAGE VERSION: 3.24
CVE: CVE-2013-6410
CVE STATUS: Patched
CVE SUMMARY: nbd-server in Network Block Device (nbd) before 3.5 does not properly check IP addresses, which might allow remote attackers to bypass intended access restrictions via an IP address that has a partial match in the authfile configuration file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6410

LAYER: meta-networking
PACKAGE NAME: nbd
PACKAGE VERSION: 3.24
CVE: CVE-2013-7441
CVE STATUS: Patched
CVE SUMMARY: The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7441

LAYER: meta-networking
PACKAGE NAME: nbd
PACKAGE VERSION: 3.24
CVE: CVE-2015-0847
CVE STATUS: Patched
CVE SUMMARY: nbd-server.c in Network Block Device (nbd-server) before 3.11 does not properly handle signals, which allows remote attackers to cause a denial of service (deadlock) via unspecified vectors.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0847

LAYER: meta
PACKAGE NAME: libyaml-native
PACKAGE VERSION: 0.2.5
CVE: CVE-2013-6393
CVE STATUS: Patched
CVE SUMMARY: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6393

LAYER: meta
PACKAGE NAME: libyaml-native
PACKAGE VERSION: 0.2.5
CVE: CVE-2014-2525
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2525

LAYER: meta
PACKAGE NAME: libyaml-native
PACKAGE VERSION: 0.2.5
CVE: CVE-2014-9130
CVE STATUS: Patched
CVE SUMMARY: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9130

LAYER: meta
PACKAGE NAME: nettle-native
PACKAGE VERSION: 3.9.1
CVE: CVE-2015-8803
CVE STATUS: Patched
CVE SUMMARY: The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8805.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8803

LAYER: meta
PACKAGE NAME: nettle-native
PACKAGE VERSION: 3.9.1
CVE: CVE-2015-8804
CVE STATUS: Patched
CVE SUMMARY: x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-384 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8804

LAYER: meta
PACKAGE NAME: nettle-native
PACKAGE VERSION: 3.9.1
CVE: CVE-2015-8805
CVE STATUS: Patched
CVE SUMMARY: The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8805

LAYER: meta
PACKAGE NAME: nettle-native
PACKAGE VERSION: 3.9.1
CVE: CVE-2016-6489
CVE STATUS: Patched
CVE SUMMARY: The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6489

LAYER: meta
PACKAGE NAME: nettle-native
PACKAGE VERSION: 3.9.1
CVE: CVE-2018-16869
CVE STATUS: Patched
CVE SUMMARY: A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16869

LAYER: meta
PACKAGE NAME: nettle-native
PACKAGE VERSION: 3.9.1
CVE: CVE-2021-20305
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20305

LAYER: meta
PACKAGE NAME: nettle-native
PACKAGE VERSION: 3.9.1
CVE: CVE-2021-3580
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3580

LAYER: meta
PACKAGE NAME: nettle-native
PACKAGE VERSION: 3.9.1
CVE: CVE-2023-36660
CVE STATUS: Patched
CVE SUMMARY: The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory corruption.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-36660

LAYER: meta
PACKAGE NAME: gawk
PACKAGE VERSION: 5.3.0
CVE: CVE-2023-4156
CVE STATUS: Patched
CVE SUMMARY: A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4156

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2008-2935
CVE STATUS: Patched
CVE SUMMARY: Multiple heap-based buffer overflows in the rc4 (1) encryption (aka exsltCryptoRc4EncryptFunction) and (2) decryption (aka exsltCryptoRc4DecryptFunction) functions in crypto.c in libexslt in libxslt 1.1.8 through 1.1.24 allow context-dependent attackers to execute arbitrary code via an XML file containing a long string as "an argument in the XSL input."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2935

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2011-1202
CVE STATUS: Patched
CVE SUMMARY: The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1202

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2011-3970
CVE STATUS: Patched
CVE SUMMARY: libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3970

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2012-2870
CVE STATUS: Patched
CVE SUMMARY: libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service (application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2870

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2012-6139
CVE STATUS: Patched
CVE SUMMARY: libxslt before 1.1.28 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an (1) empty match attribute in a XSL key to the xsltAddKey function in keys.c or (2) uninitialized variable to the xsltDocumentFunction function in functions.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6139

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2013-4520
CVE STATUS: Patched
CVE SUMMARY: xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type.  NOTE: this issue is due to an incomplete fix for CVE-2012-2825.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4520

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2015-7995
CVE STATUS: Patched
CVE SUMMARY: The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a "type confusion" issue.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7995

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2015-9019
CVE STATUS: Patched
CVE SUMMARY: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9019

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-1683
CVE STATUS: Patched
CVE SUMMARY: numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1683

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-1684
CVE STATUS: Patched
CVE SUMMARY: numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1684

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-4607
CVE STATUS: Patched
CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4607

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-4608
CVE STATUS: Patched
CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4608

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-4609
CVE STATUS: Patched
CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, and CVE-2016-4612.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4609

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-4610
CVE STATUS: Patched
CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, and CVE-2016-4612.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4610

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2017-5029
CVE STATUS: Patched
CVE SUMMARY: The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5029

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-11068
CVE STATUS: Patched
CVE SUMMARY: libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11068

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-13117
CVE STATUS: Patched
CVE SUMMARY: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13117

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-13118
CVE STATUS: Patched
CVE SUMMARY: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13118

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-18197
CVE STATUS: Patched
CVE SUMMARY: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18197

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-5815
CVE STATUS: Patched
CVE SUMMARY: Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5815

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2021-30560
CVE STATUS: Patched
CVE SUMMARY: Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-30560

LAYER: meta
PACKAGE NAME: libxslt-native
PACKAGE VERSION: 1.1.39
CVE: CVE-2022-29824
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: Static linking to libxml2 is not enabled.
CVE SUMMARY: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29824

LAYER: meta
PACKAGE NAME: nettle
PACKAGE VERSION: 3.9.1
CVE: CVE-2015-8803
CVE STATUS: Patched
CVE SUMMARY: The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8805.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8803

LAYER: meta
PACKAGE NAME: nettle
PACKAGE VERSION: 3.9.1
CVE: CVE-2015-8804
CVE STATUS: Patched
CVE SUMMARY: x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-384 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8804

LAYER: meta
PACKAGE NAME: nettle
PACKAGE VERSION: 3.9.1
CVE: CVE-2015-8805
CVE STATUS: Patched
CVE SUMMARY: The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8805

LAYER: meta
PACKAGE NAME: nettle
PACKAGE VERSION: 3.9.1
CVE: CVE-2016-6489
CVE STATUS: Patched
CVE SUMMARY: The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6489

LAYER: meta
PACKAGE NAME: nettle
PACKAGE VERSION: 3.9.1
CVE: CVE-2018-16869
CVE STATUS: Patched
CVE SUMMARY: A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16869

LAYER: meta
PACKAGE NAME: nettle
PACKAGE VERSION: 3.9.1
CVE: CVE-2021-20305
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20305

LAYER: meta
PACKAGE NAME: nettle
PACKAGE VERSION: 3.9.1
CVE: CVE-2021-3580
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3580

LAYER: meta
PACKAGE NAME: nettle
PACKAGE VERSION: 3.9.1
CVE: CVE-2023-36660
CVE STATUS: Patched
CVE SUMMARY: The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory corruption.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-36660

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-1999-0473
CVE STATUS: Patched
CVE SUMMARY: The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0473

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2002-0048
CVE STATUS: Patched
CVE SUMMARY: Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0048

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2002-0080
CVE STATUS: Patched
CVE SUMMARY: rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0080

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2003-0962
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0962

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2004-0426
CVE STATUS: Patched
CVE SUMMARY: rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0426

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2004-0792
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0792

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2006-2083
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the receive_xattr function in the extended attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers to execute arbitrary code via crafted extended attributes that trigger a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2083

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2007-4091
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in the sender.c in rsync 2.6.9 might allow remote attackers to execute arbitrary code via directory names that are not properly handled when calling the f_name function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4091

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2007-6199
CVE STATUS: Patched
CVE SUMMARY: rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6199

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2007-6200
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in rsync before 3.0.0pre6, when running a writable rsync daemon, allows remote attackers to bypass exclude, exclude_from, and filter and read or write hidden files via (1) symlink, (2) partial-dir, (3) backup-dir, and unspecified (4) dest options.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6200

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2008-1720
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary code via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1720

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2011-1097
CVE STATUS: Patched
CVE SUMMARY: rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1097

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2014-2855
CVE STATUS: Patched
CVE SUMMARY: The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a user name which does not exist in the secrets file.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2855

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2014-9512
CVE STATUS: Patched
CVE SUMMARY: rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9512

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2017-15994
CVE STATUS: Patched
CVE SUMMARY: rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15994

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2017-16548
CVE STATUS: Patched
CVE SUMMARY: The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16548

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2017-17433
CVE STATUS: Patched
CVE SUMMARY: The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17433

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2017-17434
CVE STATUS: Patched
CVE SUMMARY: The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17434

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2018-5764
CVE STATUS: Patched
CVE SUMMARY: The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5764

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2020-14387
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14387

LAYER: meta
PACKAGE NAME: rsync-native
PACKAGE VERSION: 3.2.7
CVE: CVE-2022-29154
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29154

LAYER: meta
PACKAGE NAME: libtirpc
PACKAGE VERSION: 1.3.4
CVE: CVE-2013-1950
CVE STATUS: Patched
CVE SUMMARY: The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1950

LAYER: meta
PACKAGE NAME: libtirpc
PACKAGE VERSION: 1.3.4
CVE: CVE-2017-8779
CVE STATUS: Patched
CVE SUMMARY: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8779

LAYER: meta
PACKAGE NAME: libtirpc
PACKAGE VERSION: 1.3.4
CVE: CVE-2018-14621
CVE STATUS: Patched
CVE SUMMARY: An infinite loop vulnerability was found in libtirpc before version 1.0.2-rc2. With the port to using poll rather than select, exhaustion of file descriptors would cause the server to enter an infinite loop, consuming a large amount of CPU time and denying service to other clients until restarted.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14621

LAYER: meta
PACKAGE NAME: libtirpc
PACKAGE VERSION: 1.3.4
CVE: CVE-2018-14622
CVE STATUS: Patched
CVE SUMMARY: A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14622

LAYER: meta
PACKAGE NAME: libtirpc
PACKAGE VERSION: 1.3.4
CVE: CVE-2021-46828
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: fixed in 1.3.3rc1 so not present in 1.3.3
CVE SUMMARY: In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46828

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2004-2531
CVE STATUS: Patched
CVE SUMMARY: X.509 Certificate Signature Verification in Gnu transport layer security library (GnuTLS) 1.0.16 allows remote attackers to cause a denial of service (CPU consumption) via certificates containing long chains and signed with large RSA keys.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2531

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2005-1431
CVE STATUS: Patched
CVE SUMMARY: The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1431

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2006-4790
CVE STATUS: Patched
CVE SUMMARY: verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4790

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2006-7239
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_x509_oid2mac_algorithm function in lib/gnutls_algorithms.c in GnuTLS before 1.4.2 allows remote attackers to cause a denial of service (crash) via a crafted X.509 certificate that uses a hash algorithm that is not supported by GnuTLS, which triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7239

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-1948
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1948

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-1949
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1949

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-1950
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1950

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-2377
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_clear function in lib/gnutls_handshake.c in libgnutls in GnuTLS 2.3.5 through 2.4.0 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via TLS transmission of data that is improperly used when the peer calls gnutls_handshake within a normal session, leading to attempted access to a deallocated libgcrypt handle.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2377

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-4989
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4989

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-1415
CVE STATUS: Patched
CVE SUMMARY: lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of an uninitialized pointer or (2) double free.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1415

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-1416
CVE STATUS: Patched
CVE SUMMARY: lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1416

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-1417
CVE STATUS: Patched
CVE SUMMARY: gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1417

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-2409
CVE STATUS: Patched
CVE SUMMARY: The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time.  NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2409

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-2730
CVE STATUS: Patched
CVE SUMMARY: libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2730

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-3555
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3555

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-5138
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5138

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2010-0731
CVE STATUS: Patched
CVE SUMMARY: The gnutls_x509_crt_get_serial function in the GnuTLS library before 1.2.1, when running on big-endian, 64-bit platforms, calls the asn1_read_value with a pointer to the wrong data type and the wrong length value, which allows remote attackers to bypass the certificate revocation list (CRL) check and cause a stack-based buffer overflow via a crafted X.509 certificate, related to extraction of a serial number.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0731

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2011-4128
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4128

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2012-0390
CVE STATUS: Patched
CVE SUMMARY: The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0390

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2012-1569
CVE STATUS: Patched
CVE SUMMARY: The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1569

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2012-1573
CVE STATUS: Patched
CVE SUMMARY: gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1573

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2012-1663
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1663

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2013-1619
CVE STATUS: Patched
CVE SUMMARY: The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1619

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2013-2116
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length.  NOTE: this might be due to an incorrect fix for CVE-2013-0169.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2116

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2013-4466
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the dane_query_tlsa function in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.15 and 3.2.x before 3.2.5 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4466

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2013-4487
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.16 and 3.2.x before 3.2.6 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries.  NOTE: this issue is due to an incomplete fix for CVE-2013-4466.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4487

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-0092
CVE STATUS: Patched
CVE SUMMARY: lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0092

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-1959
CVE STATUS: Patched
CVE SUMMARY: lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1959

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3465
CVE STATUS: Patched
CVE SUMMARY: The gnutls_x509_dn_oid_name function in lib/x509/common.c in GnuTLS 3.0 before 3.1.20 and 3.2.x before 3.2.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted X.509 certificate, related to a missing LDAP description for an OID when printing the DN.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3465

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3466
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3466

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3467
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3467

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3468
CVE STATUS: Patched
CVE SUMMARY: The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3468

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3469
CVE STATUS: Patched
CVE SUMMARY: The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3469

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-8155
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8155

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-8564
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8564

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-0282
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0282

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-0294
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0294

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-3308
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3.14 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CRL distribution point.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3308

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-6251
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in GnuTLS before 3.3.17 and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service via a long DistinguishedName (DN) entry in a certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6251

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-8313
CVE STATUS: Patched
CVE SUMMARY: GnuTLS incorrectly validates the first byte of padding in CBC modes
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8313

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2016-4456
CVE STATUS: Patched
CVE SUMMARY: The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4456

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2016-7444
CVE STATUS: Patched
CVE SUMMARY: The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7444

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-5334
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the gnutls_x509_ext_import_proxy function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via crafted policy language information in an X.509 certificate with a Proxy Certificate Information extension.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5334

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-5335
CVE STATUS: Patched
CVE SUMMARY: The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5335

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-5336
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/opencdk/pubkey.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via a crafted OpenPGP certificate.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5336

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-5337
CVE STATUS: Patched
CVE SUMMARY: Multiple heap-based buffer overflows in the read_attribute function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to have unspecified impact via a crafted OpenPGP certificate.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5337

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-7507
CVE STATUS: Patched
CVE SUMMARY: GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7507

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-7869
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7869

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2018-10844
CVE STATUS: Patched
CVE SUMMARY: It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10844

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2018-10845
CVE STATUS: Patched
CVE SUMMARY: It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10845

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2018-10846
CVE STATUS: Patched
CVE SUMMARY: A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10846

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2018-16868
CVE STATUS: Patched
CVE SUMMARY: A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16868

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2019-3829
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3829

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2019-3836
CVE STATUS: Patched
CVE SUMMARY: It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3836

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2020-11501
CVE STATUS: Patched
CVE SUMMARY: GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11501

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2020-13777
CVE STATUS: Patched
CVE SUMMARY: GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13777

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2020-24659
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24659

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2021-20231
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20231

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2021-20232
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20232

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2021-4209
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4209

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2022-2509
CVE STATUS: Patched
CVE SUMMARY: A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2509

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2023-0361
CVE STATUS: Patched
CVE SUMMARY: A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0361

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2023-5981
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5981

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2024-0553
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0553

LAYER: meta
PACKAGE NAME: gnutls-native
PACKAGE VERSION: 3.8.4
CVE: CVE-2024-0567
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0567

LAYER: meta
PACKAGE NAME: gmp
PACKAGE VERSION: 6.3.0
CVE: CVE-2021-43618
CVE STATUS: Patched
CVE SUMMARY: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43618

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2004-0401
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0401

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2006-0645
CVE STATUS: Patched
CVE SUMMARY: Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0645

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2012-1569
CVE STATUS: Patched
CVE SUMMARY: The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1569

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2014-3467
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3467

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2014-3468
CVE STATUS: Patched
CVE SUMMARY: The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3468

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2014-3469
CVE STATUS: Patched
CVE SUMMARY: The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3469

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2015-2806
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2806

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2015-3622
CVE STATUS: Patched
CVE SUMMARY: The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.5 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3622

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2016-4008
CVE STATUS: Patched
CVE SUMMARY: The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4008

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2017-10790
CVE STATUS: Patched
CVE SUMMARY: The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10790

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2017-6891
CVE STATUS: Patched
CVE SUMMARY: Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6891

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2018-1000654
CVE STATUS: Patched
CVE SUMMARY: GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000654

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2018-6003
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6003

LAYER: meta
PACKAGE NAME: libtasn1
PACKAGE VERSION: 4.19.0
CVE: CVE-2021-46848
CVE STATUS: Patched
CVE SUMMARY: GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46848

LAYER: meta
PACKAGE NAME: libmicrohttpd
PACKAGE VERSION: 1.0.1
CVE: CVE-2013-7038
CVE STATUS: Patched
CVE SUMMARY: The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7038

LAYER: meta
PACKAGE NAME: libmicrohttpd
PACKAGE VERSION: 1.0.1
CVE: CVE-2013-7039
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7039

LAYER: meta
PACKAGE NAME: libmicrohttpd
PACKAGE VERSION: 1.0.1
CVE: CVE-2021-3466
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3466

LAYER: meta
PACKAGE NAME: libmicrohttpd
PACKAGE VERSION: 1.0.1
CVE: CVE-2023-27371
CVE STATUS: Patched
CVE SUMMARY: GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27371

LAYER: meta
PACKAGE NAME: cracklib
PACKAGE VERSION: 2.9.11
CVE: CVE-1999-1140
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in CrackLib 2.5 may allow local users to gain root privileges via a long GECOS field.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1140

LAYER: meta
PACKAGE NAME: cracklib
PACKAGE VERSION: 2.9.11
CVE: CVE-2016-6318
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6318

LAYER: meta
PACKAGE NAME: fontconfig
PACKAGE VERSION: 2.15.0
CVE: CVE-2016-5384
CVE STATUS: Patched
CVE SUMMARY: fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5384

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2015-3210
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3210

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2015-3217
CVE STATUS: Patched
CVE SUMMARY: PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3217

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2016-3191
CVE STATUS: Patched
CVE SUMMARY: The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3191

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2017-7186
CVE STATUS: Patched
CVE SUMMARY: libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7186

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2017-8399
CVE STATUS: Patched
CVE SUMMARY: PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a "pattern with very many captures."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8399

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2017-8786
CVE STATUS: Patched
CVE SUMMARY: pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8786

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2019-20454
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20454

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2022-1586
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1586

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2022-1587
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1587

LAYER: meta
PACKAGE NAME: libpcre2
PACKAGE VERSION: 10.43
CVE: CVE-2022-41409
CVE STATUS: Patched
CVE SUMMARY: Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41409

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2002-0660
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libpng 1.0.12-3.woody.2 and libpng3 1.2.1-1.1.woody.2 on Debian GNU/Linux 3.0, and other operating systems, may allow attackers to cause a denial of service and possibly execute arbitrary code, a different vulnerability than CVE-2002-0728.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0660

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2002-0728
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the progressive reader for libpng 1.2.x before 1.2.4, and 1.0.x before 1.0.14, allows attackers to cause a denial of service (crash) via a PNG data stream that has more IDAT data than indicated by the IHDR chunk.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0728

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2002-1363
CVE STATUS: Patched
CVE SUMMARY: Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1363

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2004-0421
CVE STATUS: Patched
CVE SUMMARY: The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0421

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2004-0597
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0597

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2004-0598
CVE STATUS: Patched
CVE SUMMARY: The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0598

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2004-0599
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0599

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2006-0481
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the alpha strip capability in libpng 1.2.7 allows context-dependent attackers to cause a denial of service (crash) when the png_do_strip_filler function is used to strip alpha channels out of the image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0481

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2006-3334
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to "chunk error processing," possibly involving the "chunk_name".
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3334

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2006-5793
CVE STATUS: Patched
CVE SUMMARY: The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5793

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2006-7244
CVE STATUS: Patched
CVE SUMMARY: Memory leak in pngwutil.c in libpng 1.2.13beta1, and other versions before 1.2.15beta3, allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7244

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-2445
CVE STATUS: Patched
CVE SUMMARY: The png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and 1.2.x before 1.2.17 allows remote attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2445

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-5266
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image that prevents a name field from being NULL terminated.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5266

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-5267
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image, due to an incorrect fix for CVE-2007-5266.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5267

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-5268
CVE STATUS: Patched
CVE SUMMARY: pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical instead of bitwise operations and (2) incorrect comparisons, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5268

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-5269
CVE STATUS: Patched
CVE SUMMARY: Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5269

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2008-1382
CVE STATUS: Patched
CVE SUMMARY: libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1382

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2008-3964
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3964

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2008-5907
CVE STATUS: Patched
CVE SUMMARY: The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer.  NOTE: some sources incorrectly report this as a double free vulnerability.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5907

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2008-6218
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the png_handle_tEXt function in pngrutil.c in libpng before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6218

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2009-0040
CVE STATUS: Patched
CVE SUMMARY: The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0040

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2009-2042
CVE STATUS: Patched
CVE SUMMARY: libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2042

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2009-5063
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length.  NOTE: this is due to an incomplete fix for CVE-2006-7244.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5063

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2010-0205
CVE STATUS: Patched
CVE SUMMARY: The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0205

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2010-1205
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1205

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2010-2249
CVE STATUS: Patched
CVE SUMMARY: Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2249

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-0408
CVE STATUS: Patched
CVE SUMMARY: pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0408

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-2501
CVE STATUS: Patched
CVE SUMMARY: The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data.  NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2501

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-2690
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2690

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-2691
CVE STATUS: Patched
CVE SUMMARY: The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2691

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-2692
CVE STATUS: Patched
CVE SUMMARY: The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2692

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-3045
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3045

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-3048
CVE STATUS: Patched
CVE SUMMARY: The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3048

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-3328
CVE STATUS: Patched
CVE SUMMARY: The png_handle_cHRM function in pngrutil.c in libpng 1.5.4, when color-correction support is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a malformed PNG image containing a cHRM chunk associated with a certain zero value.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3328

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-3464
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the png_formatted_warning function in pngerror.c in libpng 1.5.4 through 1.5.7 might allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors, which trigger a stack-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3464

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2012-3425
CVE STATUS: Patched
CVE SUMMARY: The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3425

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2013-6954
CVE STATUS: Patched
CVE SUMMARY: The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6954

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2013-7353
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7353

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2013-7354
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7354

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2014-0333
CVE STATUS: Patched
CVE SUMMARY: The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0333

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2014-9495
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9495

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-0973
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0973

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-7981
CVE STATUS: Patched
CVE SUMMARY: The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7981

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-8126
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8126

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-8472
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8472

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-8540
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8540

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2016-10087
CVE STATUS: Patched
CVE SUMMARY: The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10087

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2016-3751
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23265085.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3751

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2017-12652
CVE STATUS: Patched
CVE SUMMARY: libpng before 1.6.32 does not properly check the length of chunks against the user limit.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12652

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2018-13785
CVE STATUS: Patched
CVE SUMMARY: In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13785

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2018-14048
CVE STATUS: Patched
CVE SUMMARY: An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14048

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2018-14550
CVE STATUS: Patched
CVE SUMMARY: An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14550

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2019-6129
CVE STATUS: Patched
CVE SUMMARY: png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6129

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2019-7317
CVE STATUS: Patched
CVE SUMMARY: png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7317

LAYER: meta
PACKAGE NAME: libpng
PACKAGE VERSION: 1.6.42
CVE: CVE-2021-4214
CVE STATUS: Patched
CVE SUMMARY: A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4214

LAYER: meta
PACKAGE NAME: json-c-native
PACKAGE VERSION: 0.17
CVE: CVE-2013-6370
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6370

LAYER: meta
PACKAGE NAME: json-c-native
PACKAGE VERSION: 0.17
CVE: CVE-2013-6371
CVE STATUS: Patched
CVE SUMMARY: The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6371

LAYER: meta
PACKAGE NAME: json-c-native
PACKAGE VERSION: 0.17
CVE: CVE-2020-12762
CVE STATUS: Patched
CVE SUMMARY: json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12762

LAYER: meta
PACKAGE NAME: json-c-native
PACKAGE VERSION: 0.17
CVE: CVE-2021-32292
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32292

LAYER: meta
PACKAGE NAME: re2c-native
PACKAGE VERSION: 3.1
CVE: CVE-2018-21232
CVE STATUS: Patched
CVE SUMMARY: re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21232

LAYER: meta
PACKAGE NAME: re2c-native
PACKAGE VERSION: 3.1
CVE: CVE-2020-11958
CVE STATUS: Patched
CVE SUMMARY: re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11958

LAYER: meta
PACKAGE NAME: re2c-native
PACKAGE VERSION: 3.1
CVE: CVE-2022-23901
CVE STATUS: Patched
CVE SUMMARY: A stack overflow re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23901

LAYER: meta
PACKAGE NAME: libseccomp
PACKAGE VERSION: 2.5.5
CVE: CVE-2019-9893
CVE STATUS: Patched
CVE SUMMARY: libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9893

LAYER: meta
PACKAGE NAME: gpgme-native
PACKAGE VERSION: 1.23.2
CVE: CVE-2007-1263
CVE STATUS: Patched
CVE SUMMARY: GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1263

LAYER: meta
PACKAGE NAME: gpgme-native
PACKAGE VERSION: 1.23.2
CVE: CVE-2014-3564
CVE STATUS: Patched
CVE SUMMARY: Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line lengths in a specific order."
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3564

LAYER: meta
PACKAGE NAME: gpgme-native
PACKAGE VERSION: 1.23.2
CVE: CVE-2020-8945
CVE STATUS: Patched
CVE SUMMARY: The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8945

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-1999-1439
CVE STATUS: Patched
CVE SUMMARY: gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1439

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2000-1219
CVE STATUS: Patched
CVE SUMMARY: The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1219

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2002-2439
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2439

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2006-1902
CVE STATUS: Patched
CVE SUMMARY: fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is "not correctly interpreting an offset to a pointer as a signed value."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1902

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1367
CVE STATUS: Patched
CVE SUMMARY: gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1367

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1685
CVE STATUS: Patched
CVE SUMMARY: gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1685

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2013-4598
CVE STATUS: Patched
CVE SUMMARY: The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4598

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2015-5276
CVE STATUS: Patched
CVE SUMMARY: The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5276

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2017-11671
CVE STATUS: Patched
CVE SUMMARY: Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11671

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2018-12886
CVE STATUS: Patched
CVE SUMMARY: stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12886

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2019-15847
CVE STATUS: Patched
CVE SUMMARY: The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15847

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-37322
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Is a binutils 2.26 issue, not gcc
CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-3826
CVE STATUS: Patched
CVE SUMMARY: Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3826

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-46195
CVE STATUS: Patched
CVE SUMMARY: GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46195

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2022-27943
CVE STATUS: Patched
CVE SUMMARY: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27943

LAYER: meta
PACKAGE NAME: libgcc-initial
PACKAGE VERSION: 13.3.0
CVE: CVE-2023-4039
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source
CVE SUMMARY: 

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains 
that target AArch64 allows an attacker to exploit an existing buffer 
overflow in dynamically-sized local variables in your application 
without this being detected. This stack-protector failure only applies 
to C99-style dynamically-sized local variables or those created using 
alloca(). The stack-protector operates as intended for statically-sized 
local variables.

The default behavior when the stack-protector 
detects an overflow is to terminate your application, resulting in 
controlled loss of availability. An attacker who can exploit a buffer 
overflow without triggering the stack-protector might be able to change 
program flow control to cause an uncontrolled loss of availability or to
 go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.






CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4039

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2015-3210
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3210

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2015-3217
CVE STATUS: Patched
CVE SUMMARY: PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3217

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2016-3191
CVE STATUS: Patched
CVE SUMMARY: The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3191

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2017-7186
CVE STATUS: Patched
CVE SUMMARY: libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7186

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2017-8399
CVE STATUS: Patched
CVE SUMMARY: PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a "pattern with very many captures."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8399

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2017-8786
CVE STATUS: Patched
CVE SUMMARY: pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8786

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2019-20454
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20454

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2022-1586
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1586

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2022-1587
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1587

LAYER: meta
PACKAGE NAME: libpcre2-native
PACKAGE VERSION: 10.43
CVE: CVE-2022-41409
CVE STATUS: Patched
CVE SUMMARY: Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41409

LAYER: meta
PACKAGE NAME: make-native
PACKAGE VERSION: 4.4.1
CVE: CVE-2000-0151
CVE STATUS: Patched
CVE SUMMARY: GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0151

LAYER: meta
PACKAGE NAME: libcap-native
PACKAGE VERSION: 2.69
CVE: CVE-2011-4099
CVE STATUS: Patched
CVE SUMMARY: The capsh program in libcap before 2.22 does not change the current working directory when the --chroot option is specified, which allows local users to bypass the chroot restrictions via unspecified vectors.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4099

LAYER: meta
PACKAGE NAME: libcap-native
PACKAGE VERSION: 2.69
CVE: CVE-2023-2602
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2602

LAYER: meta
PACKAGE NAME: libcap-native
PACKAGE VERSION: 2.69
CVE: CVE-2023-2603
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2603

LAYER: meta
PACKAGE NAME: libbsd-native
PACKAGE VERSION: 0.12.1
CVE: CVE-2016-2090
CVE STATUS: Patched
CVE SUMMARY: Off-by-one vulnerability in the fgetwln function in libbsd before 0.8.2 allows attackers to have unspecified impact via unknown vectors, which trigger a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2090

LAYER: meta
PACKAGE NAME: libbsd-native
PACKAGE VERSION: 0.12.1
CVE: CVE-2019-20367
CVE STATUS: Patched
CVE SUMMARY: nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab).
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20367

LAYER: meta
PACKAGE NAME: acl
PACKAGE VERSION: 2.3.2
CVE: CVE-2009-4411
CVE STATUS: Patched
CVE SUMMARY: The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4411

LAYER: meta
PACKAGE NAME: libffi
PACKAGE VERSION: 3.4.6
CVE: CVE-2017-1000376
CVE STATUS: Patched
CVE SUMMARY: libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000376

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-1999-1439
CVE STATUS: Patched
CVE SUMMARY: gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1439

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2000-1219
CVE STATUS: Patched
CVE SUMMARY: The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1219

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2002-2439
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2439

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2006-1902
CVE STATUS: Patched
CVE SUMMARY: fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is "not correctly interpreting an offset to a pointer as a signed value."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1902

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1367
CVE STATUS: Patched
CVE SUMMARY: gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1367

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1685
CVE STATUS: Patched
CVE SUMMARY: gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1685

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2013-4598
CVE STATUS: Patched
CVE SUMMARY: The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4598

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2015-5276
CVE STATUS: Patched
CVE SUMMARY: The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5276

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2017-11671
CVE STATUS: Patched
CVE SUMMARY: Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11671

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2018-12886
CVE STATUS: Patched
CVE SUMMARY: stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12886

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2019-15847
CVE STATUS: Patched
CVE SUMMARY: The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15847

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-37322
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Is a binutils 2.26 issue, not gcc
CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-3826
CVE STATUS: Patched
CVE SUMMARY: Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3826

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-46195
CVE STATUS: Patched
CVE SUMMARY: GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46195

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2022-27943
CVE STATUS: Patched
CVE SUMMARY: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27943

LAYER: meta
PACKAGE NAME: gcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2023-4039
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source
CVE SUMMARY: 

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains 
that target AArch64 allows an attacker to exploit an existing buffer 
overflow in dynamically-sized local variables in your application 
without this being detected. This stack-protector failure only applies 
to C99-style dynamically-sized local variables or those created using 
alloca(). The stack-protector operates as intended for statically-sized 
local variables.

The default behavior when the stack-protector 
detects an overflow is to terminate your application, resulting in 
controlled loss of availability. An attacker who can exploit a buffer 
overflow without triggering the stack-protector might be able to change 
program flow control to cause an uncontrolled loss of availability or to
 go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.






CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4039

LAYER: meta
PACKAGE NAME: util-linux-libuuid
PACKAGE VERSION: 2.39.3
CVE: CVE-2024-28085
CVE STATUS: Patched
CVE SUMMARY: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-28085

LAYER: meta
PACKAGE NAME: libmicrohttpd-native
PACKAGE VERSION: 1.0.1
CVE: CVE-2013-7038
CVE STATUS: Patched
CVE SUMMARY: The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7038

LAYER: meta
PACKAGE NAME: libmicrohttpd-native
PACKAGE VERSION: 1.0.1
CVE: CVE-2013-7039
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7039

LAYER: meta
PACKAGE NAME: libmicrohttpd-native
PACKAGE VERSION: 1.0.1
CVE: CVE-2021-3466
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3466

LAYER: meta
PACKAGE NAME: libmicrohttpd-native
PACKAGE VERSION: 1.0.1
CVE: CVE-2023-27371
CVE STATUS: Patched
CVE SUMMARY: GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27371

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2007-3641
CVE STATUS: Patched
CVE SUMMARY: archive_read_support_format_tar.c in libarchive before 2.2.4 does not properly compute the length of a certain buffer when processing a malformed pax extension header, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PAX or (2) TAR archive that triggers a buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3641

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2007-3644
CVE STATUS: Patched
CVE SUMMARY: archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3644

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2007-3645
CVE STATUS: Patched
CVE SUMMARY: archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (crash) via (1) an end-of-file condition within a tar header that follows a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive, which results in a NULL pointer dereference, a different issue than CVE-2007-3644.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3645

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2010-4666
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libarchive 3.0 pre-release code allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CAB file, which is not properly handled during the reading of Huffman code data within LZX compressed data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4666

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2011-1777
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the (1) heap_add_entry and (2) relocate_dir functions in archive_read_support_format_iso9660.c in libarchive through 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ISO9660 image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1777

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2011-1778
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libarchive through 2.8.5 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TAR archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1778

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2011-1779
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted (1) TAR archive or (2) ISO9660 image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1779

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2013-0211
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0211

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-2304
CVE STATUS: Patched
CVE SUMMARY: Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2304

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8915
CVE STATUS: Patched
CVE SUMMARY: bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read and crash) via crafted cpio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8915

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8916
CVE STATUS: Patched
CVE SUMMARY: bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a "split file in multivolume RAR," which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8916

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8917
CVE STATUS: Patched
CVE SUMMARY: bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8917

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8918
CVE STATUS: Patched
CVE SUMMARY: The archive_string_append function in archive_string.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted cab files, related to "overlapping memcpy."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8918

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8919
CVE STATUS: Patched
CVE SUMMARY: The lha_read_file_extended_header function in archive_read_support_format_lha.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap) via a crafted (1) lzh or (2) lha file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8919

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8920
CVE STATUS: Patched
CVE SUMMARY: The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8920

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8921
CVE STATUS: Patched
CVE SUMMARY: The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8921

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8922
CVE STATUS: Patched
CVE SUMMARY: The read_CodersInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted 7z file, related to the _7z_folder struct.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8922

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8923
CVE STATUS: Patched
CVE SUMMARY: The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8923

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8924
CVE STATUS: Patched
CVE SUMMARY: The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8924

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8925
CVE STATUS: Patched
CVE SUMMARY: The readline function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read) via a crafted mtree file, related to newline parsing.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8925

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8926
CVE STATUS: Patched
CVE SUMMARY: The archive_read_format_rar_read_data function in archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted rar archive.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8926

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8927
CVE STATUS: Patched
CVE SUMMARY: The trad_enc_decrypt_update function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted zip file, related to reading the password.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8927

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8928
CVE STATUS: Patched
CVE SUMMARY: The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8928

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8929
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8929

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8930
CVE STATUS: Patched
CVE SUMMARY: bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8930

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8931
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) get_time_t_max and (2) get_time_t_min functions in archive_read_support_format_mtree.c in libarchive before 3.2.0 allow remote attackers to have unspecified impact via a crafted mtree file, which triggers undefined behavior.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8931

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8932
CVE STATUS: Patched
CVE SUMMARY: The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8932

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8933
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8933

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8934
CVE STATUS: Patched
CVE SUMMARY: The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8934

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-10209
CVE STATUS: Patched
CVE SUMMARY: The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10209

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-10349
CVE STATUS: Patched
CVE SUMMARY: The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10349

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-10350
CVE STATUS: Patched
CVE SUMMARY: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10350

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-1541
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1541

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-4300
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the read_SubStreamsInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a 7zip file with a large number of substreams, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4300

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-4301
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the parse_device function in archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a crafted mtree file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4301

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-4302
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the parse_codes function in archive_read_support_format_rar.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a RAR file with a zero-sized dictionary.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4302

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-4809
CVE STATUS: Patched
CVE SUMMARY: The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4809

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-5418
CVE STATUS: Patched
CVE SUMMARY: The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5418

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-5844
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ISO parser in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a crafted ISO file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5844

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-6250
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6250

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-7166
CVE STATUS: Patched
CVE SUMMARY: libarchive before 3.2.0 does not limit the number of recursive decompressions, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted gzip file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7166

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-8687
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8687

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-8688
CVE STATUS: Patched
CVE SUMMARY: The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8688

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-8689
CVE STATUS: Patched
CVE SUMMARY: The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8689

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-14166
CVE STATUS: Patched
CVE SUMMARY: libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14166

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-14501
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14501

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-14502
CVE STATUS: Patched
CVE SUMMARY: read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14502

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-14503
CVE STATUS: Patched
CVE SUMMARY: libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14503

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-5601
CVE STATUS: Patched
CVE SUMMARY: An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5601

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2018-1000877
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000877

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2018-1000878
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - it is unknown if RCE is possible. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000878

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2018-1000879
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000879

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2018-1000880
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability in WARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() that can result in DoS - quasi-infinite run time and disk usage from tiny file. This attack appear to be exploitable via the victim must open a specially crafted WARC file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000880

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-1000019
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1000019

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-1000020
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1000020

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-11463
CVE STATUS: Patched
CVE SUMMARY: A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11463

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-18408
CVE STATUS: Patched
CVE SUMMARY: archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18408

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-19221
CVE STATUS: Patched
CVE SUMMARY: In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19221

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2020-21674
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in archive_string_append_from_wcs() (archive_string.c) in libarchive-3.4.1dev allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting into a crash) via a crafted archive file. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21674

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2020-9308
CVE STATUS: Patched
CVE SUMMARY: archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9308

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2021-23177
CVE STATUS: Patched
CVE SUMMARY: An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23177

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2021-31566
CVE STATUS: Patched
CVE SUMMARY: An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31566

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2021-36976
CVE STATUS: Patched
CVE SUMMARY: libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-36976

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2022-26280
CVE STATUS: Patched
CVE SUMMARY: Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26280

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2022-36227
CVE STATUS: Patched
CVE SUMMARY: In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36227

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2023-30571
CVE STATUS: Ignored
CVE DETAIL: upstream-wontfix
CVE DESCRIPTION: upstream has documented that reported function is not thread-safe
CVE SUMMARY: Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.9
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30571

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2024-37407
CVE STATUS: Patched
CVE SUMMARY: Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-37407

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2024-48957
CVE STATUS: Unpatched
CVE SUMMARY: execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-48957

LAYER: meta
PACKAGE NAME: libarchive-native
PACKAGE VERSION: 3.7.4
CVE: CVE-2024-48958
CVE STATUS: Unpatched
CVE SUMMARY: execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-48958

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2006-0747
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0747

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2006-1861
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c.  NOTE: item 4 was originally identified by CVE-2006-2493.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1861

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2006-2661
CVE STATUS: Patched
CVE SUMMARY: ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2661

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2006-3467
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3467

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2007-2754
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2754

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2007-3506
CVE STATUS: Patched
CVE SUMMARY: The ft_bitmap_assure_buffer function in src/base/ftbimap.c in FreeType 2.3.3 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors involving bitmap fonts, related to a "memory buffer overwrite bug."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3506

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2008-1806
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1806

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2008-1807
CVE STATUS: Patched
CVE SUMMARY: FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1807

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2008-1808
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1808

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2009-0946
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0946

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2497
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2497

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2498
CVE STATUS: Patched
CVE SUMMARY: The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2498

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2499
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2499

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2500
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2500

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2519
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2519

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2520
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2520

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2527
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2527

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2541
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2541

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2805
CVE STATUS: Patched
CVE SUMMARY: The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2805

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2806
CVE STATUS: Patched
CVE SUMMARY: Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2806

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2807
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2807

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2808
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2808

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3053
CVE STATUS: Patched
CVE SUMMARY: bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3053

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3054
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3054

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3311
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3311

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3814
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3814

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3855
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3855

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2011-0226
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0226

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2011-2895
CVE STATUS: Patched
CVE SUMMARY: The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2895

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1126
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1126

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1127
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1127

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1128
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1128

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1129
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted SFNT string in a Type 42 font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1129

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1130
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1130

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1131
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1131

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1132
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1132

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1133
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1133

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1134
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1134

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1135
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1135

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1136
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1136

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1137
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1137

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1138
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1138

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1139
CVE STATUS: Patched
CVE SUMMARY: Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1139

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1140
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1140

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1141
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1141

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1142
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1142

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1143
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1143

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1144
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1144

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-5668
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an "allocation error" in the bdf_free_font function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5668

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-5669
CVE STATUS: Patched
CVE SUMMARY: The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5669

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-5670
CVE STATUS: Patched
CVE SUMMARY: The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5670

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-2240
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2240

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-2241
CVE STATUS: Patched
CVE SUMMARY: The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2241

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9656
CVE STATUS: Patched
CVE SUMMARY: The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9656

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9657
CVE STATUS: Patched
CVE SUMMARY: The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9657

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9658
CVE STATUS: Patched
CVE SUMMARY: The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9658

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9659
CVE STATUS: Patched
CVE SUMMARY: cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9659

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9660
CVE STATUS: Patched
CVE SUMMARY: The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9660

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9661
CVE STATUS: Patched
CVE SUMMARY: type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9661

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9662
CVE STATUS: Patched
CVE SUMMARY: cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9662

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9663
CVE STATUS: Patched
CVE SUMMARY: The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9663

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9664
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9664

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9665
CVE STATUS: Patched
CVE SUMMARY: The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9665

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9666
CVE STATUS: Patched
CVE SUMMARY: The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9666

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9667
CVE STATUS: Patched
CVE SUMMARY: sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9667

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9668
CVE STATUS: Patched
CVE SUMMARY: The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9668

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9669
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9669

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9670
CVE STATUS: Patched
CVE SUMMARY: Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9670

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9671
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9671

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9672
CVE STATUS: Patched
CVE SUMMARY: Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9672

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9673
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9673

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9674
CVE STATUS: Patched
CVE SUMMARY: The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9674

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9675
CVE STATUS: Patched
CVE SUMMARY: bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9675

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9745
CVE STATUS: Patched
CVE SUMMARY: The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a "broken number-with-base" in a Postscript stream, as demonstrated by 8#garbage.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9745

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9746
CVE STATUS: Patched
CVE SUMMARY: The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9746

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9747
CVE STATUS: Patched
CVE SUMMARY: The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9747

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2015-9290
CVE STATUS: Patched
CVE SUMMARY: In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9290

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2015-9381
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9381

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2015-9382
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9382

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2015-9383
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9383

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2016-10244
CVE STATUS: Patched
CVE SUMMARY: The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10244

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2016-10328
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10328

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-7857
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7857

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-7858
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7858

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-7864
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7864

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-8105
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8105

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-8287
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8287

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2018-6942
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6942

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2020-15999
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15999

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2022-27404
CVE STATUS: Patched
CVE SUMMARY: FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27404

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2022-27405
CVE STATUS: Patched
CVE SUMMARY: FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27405

LAYER: meta
PACKAGE NAME: freetype
PACKAGE VERSION: 2.13.2
CVE: CVE-2022-27406
CVE STATUS: Patched
CVE SUMMARY: FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27406

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2018-20532
CVE STATUS: Patched
CVE SUMMARY: There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20532

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2018-20533
CVE STATUS: Patched
CVE SUMMARY: There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20533

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2018-20534
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. It cannot be exploited in any real-world application
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20534

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2019-20387
CVE STATUS: Patched
CVE SUMMARY: repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20387

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-3200
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3200

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-33928
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33928

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-33929
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33929

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-33930
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33930

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-33938
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17 allows attackers to cause a Denial of Service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33938

LAYER: meta
PACKAGE NAME: libsolv-native
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-44568
CVE STATUS: Patched
CVE SUMMARY: Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44568

LAYER: meta
PACKAGE NAME: socat
PACKAGE VERSION: 1.8.0.0
CVE: CVE-2004-1484
CVE STATUS: Patched
CVE SUMMARY: Format string vulnerability in the _msg function in error.c in socat 1.4.0.3 and earlier, when used as an HTTP proxy client and run with the -ly option, allows remote attackers or local users to execute arbitrary code via format string specifiers in a syslog message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1484

LAYER: meta
PACKAGE NAME: socat
PACKAGE VERSION: 1.8.0.0
CVE: CVE-2010-2799
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the nestlex function in nestlex.c in Socat 1.5.0.0 through 1.7.1.2 and 2.0.0-b1 through 2.0.0-b3, when bidirectional data relay is enabled, allows context-dependent attackers to execute arbitrary code via long command-line arguments.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2799

LAYER: meta
PACKAGE NAME: socat
PACKAGE VERSION: 1.8.0.0
CVE: CVE-2012-0219
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xioscan_readline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through 2.0.0-b4 allows local users to execute arbitrary code via the READLINE address.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0219

LAYER: meta
PACKAGE NAME: socat
PACKAGE VERSION: 1.8.0.0
CVE: CVE-2013-3571
CVE STATUS: Patched
CVE SUMMARY: socat 1.2.0.0 before 1.7.2.2 and 2.0.0-b1 before 2.0.0-b6, when used for a listen type address and the fork option is enabled, allows remote attackers to cause a denial of service (file descriptor consumption) via multiple request that are refused based on the (1) sourceport, (2) lowport, (3) range, or (4) tcpwrap restrictions.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3571

LAYER: meta
PACKAGE NAME: socat
PACKAGE VERSION: 1.8.0.0
CVE: CVE-2014-0019
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the PROXY-CONNECT address in the command line.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0019

LAYER: meta
PACKAGE NAME: socat
PACKAGE VERSION: 1.8.0.0
CVE: CVE-2015-1379
CVE STATUS: Patched
CVE SUMMARY: The signal handler implementations in socat before 1.7.3.0 and 2.0.0-b8 allow remote attackers to cause a denial of service (process freeze or crash).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1379

LAYER: meta
PACKAGE NAME: socat
PACKAGE VERSION: 1.8.0.0
CVE: CVE-2016-2217
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL address implementation in Socat 1.7.3.0 and 2.0.0-b8 does not use a prime number for the DH, which makes it easier for remote attackers to obtain the shared secret.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2217

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-1999-1439
CVE STATUS: Patched
CVE SUMMARY: gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1439

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2000-1219
CVE STATUS: Patched
CVE SUMMARY: The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1219

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2002-2439
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2439

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2006-1902
CVE STATUS: Patched
CVE SUMMARY: fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is "not correctly interpreting an offset to a pointer as a signed value."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1902

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1367
CVE STATUS: Patched
CVE SUMMARY: gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1367

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1685
CVE STATUS: Patched
CVE SUMMARY: gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1685

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2013-4598
CVE STATUS: Patched
CVE SUMMARY: The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4598

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2015-5276
CVE STATUS: Patched
CVE SUMMARY: The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5276

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2017-11671
CVE STATUS: Patched
CVE SUMMARY: Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11671

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2018-12886
CVE STATUS: Patched
CVE SUMMARY: stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12886

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2019-15847
CVE STATUS: Patched
CVE SUMMARY: The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15847

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-37322
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Is a binutils 2.26 issue, not gcc
CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-3826
CVE STATUS: Patched
CVE SUMMARY: Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3826

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-46195
CVE STATUS: Patched
CVE SUMMARY: GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46195

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2022-27943
CVE STATUS: Patched
CVE SUMMARY: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27943

LAYER: meta
PACKAGE NAME: gcc-source-13.3.0
PACKAGE VERSION: 13.3.0
CVE: CVE-2023-4039
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source
CVE SUMMARY: 

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains 
that target AArch64 allows an attacker to exploit an existing buffer 
overflow in dynamically-sized local variables in your application 
without this being detected. This stack-protector failure only applies 
to C99-style dynamically-sized local variables or those created using 
alloca(). The stack-protector operates as intended for statically-sized 
local variables.

The default behavior when the stack-protector 
detects an overflow is to terminate your application, resulting in 
controlled loss of availability. An attacker who can exploit a buffer 
overflow without triggering the stack-protector might be able to change 
program flow control to cause an uncontrolled loss of availability or to
 go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.






CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4039

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2008-5516
CVE STATUS: Patched
CVE SUMMARY: The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to git_search.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5516

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2010-2542
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the is_git_directory function in setup.c in Git before 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file in a working copy.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2542

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2010-3906
CVE STATUS: Patched
CVE SUMMARY: Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3906

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2013-0308
CVE STATUS: Patched
CVE SUMMARY: The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0308

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2014-9390
CVE STATUS: Patched
CVE SUMMARY: Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9390

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2014-9938
CVE STATUS: Patched
CVE SUMMARY: contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9938

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2016-2315
CVE STATUS: Patched
CVE SUMMARY: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2315

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2016-2324
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2324

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2017-1000117
CVE STATUS: Patched
CVE SUMMARY: A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000117

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2017-14867
CVE STATUS: Patched
CVE SUMMARY: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14867

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2017-15298
CVE STATUS: Patched
CVE SUMMARY: Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15298

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2018-1000021
CVE STATUS: Patched
CVE SUMMARY: GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000021

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2018-11233
CVE STATUS: Patched
CVE SUMMARY: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11233

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2018-11235
CVE STATUS: Patched
CVE SUMMARY: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11235

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2018-17456
CVE STATUS: Patched
CVE SUMMARY: Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17456

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2018-19486
CVE STATUS: Patched
CVE SUMMARY: Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19486

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2019-1348
CVE STATUS: Patched
CVE SUMMARY: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1348

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2019-1353
CVE STATUS: Patched
CVE SUMMARY: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1353

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2019-1387
CVE STATUS: Patched
CVE SUMMARY: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1387

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2019-19604
CVE STATUS: Patched
CVE SUMMARY: Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19604

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2020-11008
CVE STATUS: Patched
CVE SUMMARY: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's "store" helper - Git's "cache" helper - the "osxkeychain" helper that ships in Git's "contrib" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 4.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11008

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2020-5260
CVE STATUS: Patched
CVE SUMMARY: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 9.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-5260

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2021-21300
CVE STATUS: Patched
CVE SUMMARY: Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 8.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-21300

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2021-40330
CVE STATUS: Patched
CVE SUMMARY: git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-40330

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2022-23521
CVE STATUS: Patched
CVE SUMMARY: Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23521

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2022-24765
CVE STATUS: Patched
CVE SUMMARY: Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24765

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2022-24975
CVE STATUS: Patched
CVE SUMMARY: The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24975

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2022-29187
CVE STATUS: Patched
CVE SUMMARY: Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29187

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2022-39253
CVE STATUS: Patched
CVE SUMMARY: Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39253

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2022-39260
CVE STATUS: Patched
CVE SUMMARY: Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39260

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2022-41903
CVE STATUS: Patched
CVE SUMMARY: Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41903

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2022-41953
CVE STATUS: Patched
CVE SUMMARY: Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41953

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2023-22490
CVE STATUS: Patched
CVE SUMMARY: Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-22490

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2023-23946
CVE STATUS: Patched
CVE SUMMARY: Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23946

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2023-25652
CVE STATUS: Patched
CVE SUMMARY: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25652

LAYER: meta
PACKAGE NAME: git-native
PACKAGE VERSION: 2.44.1
CVE: CVE-2023-29007
CVE STATUS: Patched
CVE SUMMARY: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29007

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2009-3560
CVE STATUS: Patched
CVE SUMMARY: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3560

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2009-3720
CVE STATUS: Patched
CVE SUMMARY: The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3720

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2012-0876
CVE STATUS: Patched
CVE SUMMARY: The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0876

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2012-1147
CVE STATUS: Patched
CVE SUMMARY: readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1147

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2012-1148
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1148

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2012-6702
CVE STATUS: Patched
CVE SUMMARY: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6702

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2013-0340
CVE STATUS: Patched
CVE SUMMARY: expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0340

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2015-1283
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1283

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2016-0718
CVE STATUS: Patched
CVE SUMMARY: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0718

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2016-4472
CVE STATUS: Patched
CVE SUMMARY: The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4472

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2016-5300
CVE STATUS: Patched
CVE SUMMARY: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5300

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2017-11742
CVE STATUS: Patched
CVE SUMMARY: The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11742

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2017-9233
CVE STATUS: Patched
CVE SUMMARY: XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9233

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2018-20843
CVE STATUS: Patched
CVE SUMMARY: In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20843

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2019-15903
CVE STATUS: Patched
CVE SUMMARY: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15903

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2021-45960
CVE STATUS: Patched
CVE SUMMARY: In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45960

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2021-46143
CVE STATUS: Patched
CVE SUMMARY: In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46143

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22822
CVE STATUS: Patched
CVE SUMMARY: addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22822

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22823
CVE STATUS: Patched
CVE SUMMARY: build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22823

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22824
CVE STATUS: Patched
CVE SUMMARY: defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22824

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22825
CVE STATUS: Patched
CVE SUMMARY: lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22825

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22826
CVE STATUS: Patched
CVE SUMMARY: nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22826

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22827
CVE STATUS: Patched
CVE SUMMARY: storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22827

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-23852
CVE STATUS: Patched
CVE SUMMARY: Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23852

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-23990
CVE STATUS: Patched
CVE SUMMARY: Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23990

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25235
CVE STATUS: Patched
CVE SUMMARY: xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25235

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25236
CVE STATUS: Patched
CVE SUMMARY: xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25236

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25313
CVE STATUS: Patched
CVE SUMMARY: In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25313

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25314
CVE STATUS: Patched
CVE SUMMARY: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25314

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25315
CVE STATUS: Patched
CVE SUMMARY: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25315

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-40674
CVE STATUS: Patched
CVE SUMMARY: libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40674

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-43680
CVE STATUS: Patched
CVE SUMMARY: In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43680

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2023-52425
CVE STATUS: Patched
CVE SUMMARY: libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52425

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2023-52426
CVE STATUS: Patched
CVE SUMMARY: libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52426

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2024-45490
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45490

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2024-45491
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45491

LAYER: meta
PACKAGE NAME: expat
PACKAGE VERSION: 2.6.3
CVE: CVE-2024-45492
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45492

LAYER: meta
PACKAGE NAME: python3-jinja2-native
PACKAGE VERSION: 3.1.4
CVE: CVE-2014-0012
CVE STATUS: Patched
CVE SUMMARY: FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0012

LAYER: meta
PACKAGE NAME: python3-jinja2-native
PACKAGE VERSION: 3.1.4
CVE: CVE-2014-1402
CVE STATUS: Patched
CVE SUMMARY: The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1402

LAYER: meta
PACKAGE NAME: python3-jinja2-native
PACKAGE VERSION: 3.1.4
CVE: CVE-2016-10745
CVE STATUS: Patched
CVE SUMMARY: In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10745

LAYER: meta
PACKAGE NAME: python3-jinja2-native
PACKAGE VERSION: 3.1.4
CVE: CVE-2019-10906
CVE STATUS: Patched
CVE SUMMARY: In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10906

LAYER: meta
PACKAGE NAME: python3-jinja2-native
PACKAGE VERSION: 3.1.4
CVE: CVE-2019-8341
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8341

LAYER: meta
PACKAGE NAME: python3-jinja2-native
PACKAGE VERSION: 3.1.4
CVE: CVE-2020-28493
CVE STATUS: Patched
CVE SUMMARY: This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28493

LAYER: meta
PACKAGE NAME: python3-jinja2-native
PACKAGE VERSION: 3.1.4
CVE: CVE-2024-22195
CVE STATUS: Patched
CVE SUMMARY: Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22195

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2005-1039
CVE STATUS: Patched
CVE SUMMARY: Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, (2) mknod, or (3) mkfifo is running with the -m switch, allows local users to modify permissions of other files.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1039

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2008-1946
CVE STATUS: Patched
CVE SUMMARY: The default configuration of su in /etc/pam.d/su in GNU coreutils 5.2.1 allows local users to gain the privileges of a (1) locked or (2) expired account by entering the account name on the command line, related to improper use of the pam_succeed_if.so module.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1946

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2009-4135
CVE STATUS: Patched
CVE SUMMARY: The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4135

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2014-9471
CVE STATUS: Patched
CVE SUMMARY: The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9471

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2015-1865
CVE STATUS: Patched
CVE SUMMARY: fts.c in coreutils 8.4 allows local users to delete arbitrary files.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1865

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2015-4041
CVE STATUS: Patched
CVE SUMMARY: The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4041

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2015-4042
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4042

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2016-2781
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
CVE SUMMARY: chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2781

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2017-18018
CVE STATUS: Patched
CVE SUMMARY: In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18018

LAYER: meta
PACKAGE NAME: coreutils
PACKAGE VERSION: 9.4
CVE: CVE-2024-0684
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the GNU coreutils "split" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0684

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2007-3641
CVE STATUS: Patched
CVE SUMMARY: archive_read_support_format_tar.c in libarchive before 2.2.4 does not properly compute the length of a certain buffer when processing a malformed pax extension header, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PAX or (2) TAR archive that triggers a buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3641

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2007-3644
CVE STATUS: Patched
CVE SUMMARY: archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3644

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2007-3645
CVE STATUS: Patched
CVE SUMMARY: archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (crash) via (1) an end-of-file condition within a tar header that follows a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive, which results in a NULL pointer dereference, a different issue than CVE-2007-3644.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3645

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2010-4666
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libarchive 3.0 pre-release code allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CAB file, which is not properly handled during the reading of Huffman code data within LZX compressed data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4666

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2011-1777
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the (1) heap_add_entry and (2) relocate_dir functions in archive_read_support_format_iso9660.c in libarchive through 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ISO9660 image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1777

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2011-1778
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libarchive through 2.8.5 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TAR archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1778

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2011-1779
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted (1) TAR archive or (2) ISO9660 image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1779

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2013-0211
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0211

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-2304
CVE STATUS: Patched
CVE SUMMARY: Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2304

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8915
CVE STATUS: Patched
CVE SUMMARY: bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read and crash) via crafted cpio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8915

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8916
CVE STATUS: Patched
CVE SUMMARY: bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a "split file in multivolume RAR," which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8916

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8917
CVE STATUS: Patched
CVE SUMMARY: bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8917

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8918
CVE STATUS: Patched
CVE SUMMARY: The archive_string_append function in archive_string.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted cab files, related to "overlapping memcpy."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8918

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8919
CVE STATUS: Patched
CVE SUMMARY: The lha_read_file_extended_header function in archive_read_support_format_lha.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap) via a crafted (1) lzh or (2) lha file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8919

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8920
CVE STATUS: Patched
CVE SUMMARY: The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8920

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8921
CVE STATUS: Patched
CVE SUMMARY: The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8921

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8922
CVE STATUS: Patched
CVE SUMMARY: The read_CodersInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted 7z file, related to the _7z_folder struct.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8922

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8923
CVE STATUS: Patched
CVE SUMMARY: The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8923

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8924
CVE STATUS: Patched
CVE SUMMARY: The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8924

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8925
CVE STATUS: Patched
CVE SUMMARY: The readline function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read) via a crafted mtree file, related to newline parsing.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8925

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8926
CVE STATUS: Patched
CVE SUMMARY: The archive_read_format_rar_read_data function in archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted rar archive.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8926

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8927
CVE STATUS: Patched
CVE SUMMARY: The trad_enc_decrypt_update function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted zip file, related to reading the password.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8927

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8928
CVE STATUS: Patched
CVE SUMMARY: The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8928

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8929
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8929

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8930
CVE STATUS: Patched
CVE SUMMARY: bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8930

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8931
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) get_time_t_max and (2) get_time_t_min functions in archive_read_support_format_mtree.c in libarchive before 3.2.0 allow remote attackers to have unspecified impact via a crafted mtree file, which triggers undefined behavior.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8931

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8932
CVE STATUS: Patched
CVE SUMMARY: The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8932

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8933
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8933

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2015-8934
CVE STATUS: Patched
CVE SUMMARY: The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8934

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-10209
CVE STATUS: Patched
CVE SUMMARY: The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10209

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-10349
CVE STATUS: Patched
CVE SUMMARY: The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10349

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-10350
CVE STATUS: Patched
CVE SUMMARY: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10350

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-1541
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1541

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-4300
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the read_SubStreamsInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a 7zip file with a large number of substreams, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4300

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-4301
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the parse_device function in archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a crafted mtree file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4301

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-4302
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the parse_codes function in archive_read_support_format_rar.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a RAR file with a zero-sized dictionary.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4302

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-4809
CVE STATUS: Patched
CVE SUMMARY: The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4809

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-5418
CVE STATUS: Patched
CVE SUMMARY: The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5418

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-5844
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ISO parser in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a crafted ISO file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5844

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-6250
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6250

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-7166
CVE STATUS: Patched
CVE SUMMARY: libarchive before 3.2.0 does not limit the number of recursive decompressions, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted gzip file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7166

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-8687
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8687

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-8688
CVE STATUS: Patched
CVE SUMMARY: The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8688

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2016-8689
CVE STATUS: Patched
CVE SUMMARY: The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8689

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-14166
CVE STATUS: Patched
CVE SUMMARY: libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14166

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-14501
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14501

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-14502
CVE STATUS: Patched
CVE SUMMARY: read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14502

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-14503
CVE STATUS: Patched
CVE SUMMARY: libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14503

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2017-5601
CVE STATUS: Patched
CVE SUMMARY: An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5601

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2018-1000877
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000877

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2018-1000878
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - it is unknown if RCE is possible. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000878

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2018-1000879
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000879

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2018-1000880
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability in WARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() that can result in DoS - quasi-infinite run time and disk usage from tiny file. This attack appear to be exploitable via the victim must open a specially crafted WARC file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000880

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-1000019
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1000019

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-1000020
CVE STATUS: Patched
CVE SUMMARY: libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1000020

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-11463
CVE STATUS: Patched
CVE SUMMARY: A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11463

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-18408
CVE STATUS: Patched
CVE SUMMARY: archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18408

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2019-19221
CVE STATUS: Patched
CVE SUMMARY: In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19221

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2020-21674
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in archive_string_append_from_wcs() (archive_string.c) in libarchive-3.4.1dev allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting into a crash) via a crafted archive file. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21674

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2020-9308
CVE STATUS: Patched
CVE SUMMARY: archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9308

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2021-23177
CVE STATUS: Patched
CVE SUMMARY: An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23177

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2021-31566
CVE STATUS: Patched
CVE SUMMARY: An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31566

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2021-36976
CVE STATUS: Patched
CVE SUMMARY: libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-36976

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2022-26280
CVE STATUS: Patched
CVE SUMMARY: Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26280

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2022-36227
CVE STATUS: Patched
CVE SUMMARY: In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36227

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2023-30571
CVE STATUS: Ignored
CVE DETAIL: upstream-wontfix
CVE DESCRIPTION: upstream has documented that reported function is not thread-safe
CVE SUMMARY: Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.9
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30571

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2024-37407
CVE STATUS: Patched
CVE SUMMARY: Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-37407

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2024-48957
CVE STATUS: Unpatched
CVE SUMMARY: execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-48957

LAYER: meta
PACKAGE NAME: libarchive
PACKAGE VERSION: 3.7.4
CVE: CVE-2024-48958
CVE STATUS: Unpatched
CVE SUMMARY: execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-48958

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2005-4807
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the as_bad function in messages.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050721 allows attackers to execute arbitrary code via a .c file with crafted inline assembly code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4807

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2005-4808
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in reset_vars in config/tc-crx.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050714 allows user-assisted attackers to have an unknown impact via a crafted .s file.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4808

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2006-2362
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2362

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2012-3509
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the "addition of CHUNK_HEADER_SIZE to the length," which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3509

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2014-8484
CVE STATUS: Patched
CVE SUMMARY: The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8484

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2014-8485
CVE STATUS: Patched
CVE SUMMARY: The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8485

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2014-8501
CVE STATUS: Patched
CVE SUMMARY: The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8501

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2014-8502
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8502

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2014-8503
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8503

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2014-8504
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8504

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2014-8737
CVE STATUS: Patched
CVE SUMMARY: Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8737

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2014-8738
CVE STATUS: Patched
CVE SUMMARY: The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8738

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2014-9939
CVE STATUS: Patched
CVE SUMMARY: ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9939

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12448
CVE STATUS: Patched
CVE SUMMARY: The bfd_cache_close function in bfd/cache.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a heap use after free and possibly achieve code execution via a crafted nested archive file. This issue occurs because incorrect functions are called during an attempt to release memory. The issue can be addressed by better input validation in the bfd_generic_archive_p function in bfd/archive.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12448

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12449
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12449

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12450
CVE STATUS: Patched
CVE SUMMARY: The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12450

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12451
CVE STATUS: Patched
CVE SUMMARY: The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12451

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12452
CVE STATUS: Patched
CVE SUMMARY: The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12452

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12453
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12453

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12454
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12454

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12455
CVE STATUS: Patched
CVE SUMMARY: The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12455

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12456
CVE STATUS: Patched
CVE SUMMARY: The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12456

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12457
CVE STATUS: Patched
CVE SUMMARY: The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12457

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12458
CVE STATUS: Patched
CVE SUMMARY: The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12458

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12459
CVE STATUS: Patched
CVE SUMMARY: The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted mach-o file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12459

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12799
CVE STATUS: Patched
CVE SUMMARY: The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12799

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-12967
CVE STATUS: Patched
CVE SUMMARY: The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12967

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-13710
CVE STATUS: Patched
CVE SUMMARY: The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13710

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-13716
CVE STATUS: Patched
CVE SUMMARY: The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13716

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-13757
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13757

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14128
CVE STATUS: Patched
CVE SUMMARY: The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14128

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14129
CVE STATUS: Patched
CVE SUMMARY: The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14129

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14130
CVE STATUS: Patched
CVE SUMMARY: The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14130

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14333
CVE STATUS: Patched
CVE SUMMARY: The process_version_sections function in readelf.c in GNU Binutils 2.29 allows attackers to cause a denial of service (Integer Overflow, and hang because of a time-consuming loop) or possibly have unspecified other impact via a crafted binary file with invalid values of ent.vn_next, during "readelf -a" execution.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14333

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14529
CVE STATUS: Patched
CVE SUMMARY: The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14529

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14729
CVE STATUS: Patched
CVE SUMMARY: The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14729

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14745
CVE STATUS: Patched
CVE SUMMARY: The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14745

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14930
CVE STATUS: Patched
CVE SUMMARY: Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14930

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14932
CVE STATUS: Patched
CVE SUMMARY: decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14932

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14933
CVE STATUS: Patched
CVE SUMMARY: read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14933

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14934
CVE STATUS: Patched
CVE SUMMARY: process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14934

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14938
CVE STATUS: Patched
CVE SUMMARY: _bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14938

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14939
CVE STATUS: Patched
CVE SUMMARY: decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14939

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14940
CVE STATUS: Patched
CVE SUMMARY: scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14940

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-14974
CVE STATUS: Patched
CVE SUMMARY: The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14974

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15020
CVE STATUS: Patched
CVE SUMMARY: dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15020

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15021
CVE STATUS: Patched
CVE SUMMARY: bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15021

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15022
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15022

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15023
CVE STATUS: Patched
CVE SUMMARY: read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15023

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15024
CVE STATUS: Patched
CVE SUMMARY: find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15024

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15025
CVE STATUS: Patched
CVE SUMMARY: decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15025

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15225
CVE STATUS: Patched
CVE SUMMARY: _bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15225

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15938
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15938

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15939
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15939

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-15996
CVE STATUS: Patched
CVE SUMMARY: elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a "buffer overflow on fuzzed archive header," related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15996

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-16826
CVE STATUS: Patched
CVE SUMMARY: The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16826

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-16827
CVE STATUS: Patched
CVE SUMMARY: The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16827

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-16828
CVE STATUS: Patched
CVE SUMMARY: The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16828

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-16829
CVE STATUS: Patched
CVE SUMMARY: The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16829

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-16830
CVE STATUS: Patched
CVE SUMMARY: The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16830

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-16831
CVE STATUS: Patched
CVE SUMMARY: coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16831

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-16832
CVE STATUS: Patched
CVE SUMMARY: The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16832

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-17080
CVE STATUS: Patched
CVE SUMMARY: elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17080

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-17121
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17121

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-17122
CVE STATUS: Patched
CVE SUMMARY: The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17122

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-17123
CVE STATUS: Patched
CVE SUMMARY: The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17123

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-17124
CVE STATUS: Patched
CVE SUMMARY: The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17124

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-17125
CVE STATUS: Patched
CVE SUMMARY: nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17125

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-17126
CVE STATUS: Patched
CVE SUMMARY: The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17126

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-6965
CVE STATUS: Patched
CVE SUMMARY: readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6965

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-6966
CVE STATUS: Patched
CVE SUMMARY: readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6966

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-6969
CVE STATUS: Patched
CVE SUMMARY: readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6969

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7209
CVE STATUS: Patched
CVE SUMMARY: The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7209

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7210
CVE STATUS: Patched
CVE SUMMARY: objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7210

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7223
CVE STATUS: Patched
CVE SUMMARY: GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7223

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7224
CVE STATUS: Patched
CVE SUMMARY: The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7224

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7225
CVE STATUS: Patched
CVE SUMMARY: The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7225

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7226
CVE STATUS: Patched
CVE SUMMARY: The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7226

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7227
CVE STATUS: Patched
CVE SUMMARY: GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\0' termination of a name field in ldlex.l.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7227

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7299
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7299

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7300
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7300

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7301
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7301

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7302
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7302

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7303
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7303

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7304
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7304

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-7614
CVE STATUS: Patched
CVE SUMMARY: elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an "int main() {return 0;}" program.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7614

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-8392
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8392

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-8393
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8393

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-8394
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8394

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-8395
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8395

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-8396
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8396

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-8397
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8397

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-8398
CVE STATUS: Patched
CVE SUMMARY: dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8398

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-8421
CVE STATUS: Patched
CVE SUMMARY: The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8421

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9038
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9038

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9039
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9039

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9040
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9040

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9041
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9041

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9042
CVE STATUS: Patched
CVE SUMMARY: readelf.c in GNU Binutils 2017-04-12 has a "cannot be represented in type long" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9042

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9043
CVE STATUS: Patched
CVE SUMMARY: readelf.c in GNU Binutils 2017-04-12 has a "shift exponent too large for type unsigned long" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9043

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9044
CVE STATUS: Patched
CVE SUMMARY: The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9044

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9742
CVE STATUS: Patched
CVE SUMMARY: The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9742

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9743
CVE STATUS: Patched
CVE SUMMARY: The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9743

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9744
CVE STATUS: Patched
CVE SUMMARY: The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9744

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9745
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9745

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9746
CVE STATUS: Patched
CVE SUMMARY: The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9746

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9747
CVE STATUS: Patched
CVE SUMMARY: The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. NOTE: this may be related to a compiler bug.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9747

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9748
CVE STATUS: Patched
CVE SUMMARY: The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. NOTE: this may be related to a compiler bug.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9748

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9749
CVE STATUS: Patched
CVE SUMMARY: The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9749

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9750
CVE STATUS: Patched
CVE SUMMARY: opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9750

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9751
CVE STATUS: Patched
CVE SUMMARY: opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9751

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9752
CVE STATUS: Patched
CVE SUMMARY: bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9752

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9753
CVE STATUS: Patched
CVE SUMMARY: The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9753

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9754
CVE STATUS: Patched
CVE SUMMARY: The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9754

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9755
CVE STATUS: Patched
CVE SUMMARY: opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9755

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9756
CVE STATUS: Patched
CVE SUMMARY: The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9756

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9954
CVE STATUS: Patched
CVE SUMMARY: The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9954

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2017-9955
CVE STATUS: Patched
CVE SUMMARY: The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9955

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-1000876
CVE STATUS: Patched
CVE SUMMARY: binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000876

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-10372
CVE STATUS: Patched
CVE SUMMARY: process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10372

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-10373
CVE STATUS: Patched
CVE SUMMARY: concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10373

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-10534
CVE STATUS: Patched
CVE SUMMARY: The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10534

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-10535
CVE STATUS: Patched
CVE SUMMARY: The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a "SECTION" type that has a "0" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10535

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-12641
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12641

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-12697
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12697

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-12698
CVE STATUS: Patched
CVE SUMMARY: demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12698

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-12699
CVE STATUS: Patched
CVE SUMMARY: finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12699

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-12934
CVE STATUS: Patched
CVE SUMMARY: remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12934

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-13033
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13033

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-17358
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17358

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-17359
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17359

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-17360
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17360

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-17794
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17794

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-17985
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17985

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-18309
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service, as demonstrated by objdump, because of missing _bfd_clear_contents bounds checking.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18309

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-18483
CVE STATUS: Patched
CVE SUMMARY: The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18483

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-18484
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18484

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-18605
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18605

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-18606
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18606

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-18607
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18607

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-18700
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18700

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-18701
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18701

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-19931
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19931

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-19932
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19932

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-20002
CVE STATUS: Patched
CVE SUMMARY: The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20002

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-20623
CVE STATUS: Patched
CVE SUMMARY: In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20623

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-20651
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20651

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-20657
CVE STATUS: Patched
CVE SUMMARY: The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20657

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-20671
CVE STATUS: Patched
CVE SUMMARY: load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20671

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-20673
CVE STATUS: Patched
CVE SUMMARY: The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for "Create an array for saving the template argument values") that can trigger a heap-based buffer overflow, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20673

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-20712
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20712

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-6323
CVE STATUS: Patched
CVE SUMMARY: The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6323

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-6543
CVE STATUS: Patched
CVE SUMMARY: In GNU Binutils 2.30, there's an integer overflow in the function load_specific_debug_section() in objdump.c, which results in `malloc()` with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6543

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-6759
CVE STATUS: Patched
CVE SUMMARY: The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6759

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-6872
CVE STATUS: Patched
CVE SUMMARY: The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6872

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-7208
CVE STATUS: Patched
CVE SUMMARY: In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7208

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-7568
CVE STATUS: Patched
CVE SUMMARY: The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7568

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-7569
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7569

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-7570
CVE STATUS: Patched
CVE SUMMARY: The assign_file_positions_for_non_load_sections function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an ELF file with a RELRO segment that lacks a matching LOAD segment, as demonstrated by objcopy.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7570

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-7642
CVE STATUS: Patched
CVE SUMMARY: The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7642

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-7643
CVE STATUS: Patched
CVE SUMMARY: The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7643

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-8945
CVE STATUS: Patched
CVE SUMMARY: The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8945

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-9138
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9138

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2018-9996
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9996

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-1010204
CVE STATUS: Patched
CVE SUMMARY: GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010204

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-12972
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\0' character.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12972

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-14250
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14250

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-14444
CVE STATUS: Patched
CVE SUMMARY: apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14444

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-17450
CVE STATUS: Patched
CVE SUMMARY: find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17450

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-17451
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17451

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-9070
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9070

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-9071
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9071

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-9072
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9072

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-9073
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9073

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-9074
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9074

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-9075
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9075

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-9076
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9076

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2019-9077
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9077

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-16590
CVE STATUS: Patched
CVE SUMMARY: A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16590

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-16591
CVE STATUS: Patched
CVE SUMMARY: A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16591

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-16592
CVE STATUS: Patched
CVE SUMMARY: A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16592

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-16593
CVE STATUS: Patched
CVE SUMMARY: A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16593

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-16599
CVE STATUS: Patched
CVE SUMMARY: A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16599

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-19724
CVE STATUS: Patched
CVE SUMMARY: A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19724

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-19726
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19726

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-21490
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU Binutils 2.34. It is a memory leak when process microblaze-dis.c. This one will consume memory on each insn disassembled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21490

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-35342
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35342

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-35448
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35448

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-35493
CVE STATUS: Patched
CVE SUMMARY: A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35493

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-35494
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35494

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-35495
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35495

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-35496
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35496

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2020-35507
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35507

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2021-20197
CVE STATUS: Patched
CVE SUMMARY: There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20197

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2021-20284
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20284

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2021-20294
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20294

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2021-32256
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32256

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2021-3530
CVE STATUS: Patched
CVE SUMMARY: A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3530

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2021-3549
CVE STATUS: Patched
CVE SUMMARY: An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3549

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2021-37322
CVE STATUS: Patched
CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2021-45078
CVE STATUS: Patched
CVE SUMMARY: stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45078

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2021-46174
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46174

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-35205
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35205

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-35206
CVE STATUS: Patched
CVE SUMMARY: Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35206

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-38533
CVE STATUS: Patched
CVE SUMMARY: In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-38533

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-4285
CVE STATUS: Patched
CVE SUMMARY: An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4285

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-44840
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44840

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-45703
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45703

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-47007
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47007

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-47008
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47008

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-47010
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47010

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-47011
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47011

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-47673
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47673

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-47695
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47695

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-47696
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47696

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-48063
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48063

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-48064
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48064

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2022-48065
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48065

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2023-1579
CVE STATUS: Patched
CVE SUMMARY: Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1579

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2023-1972
CVE STATUS: Patched
CVE SUMMARY: A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1972

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2023-25584
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Applies only for version 2.40 and earlier
CVE SUMMARY: An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25584

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2023-25585
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25585

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2023-25586
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Binutils. A logic fail in the bfd_init_section_decompress_status function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25586

LAYER: meta
PACKAGE NAME: binutils
PACKAGE VERSION: 2.42
CVE: CVE-2023-25588
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25588

LAYER: meta
PACKAGE NAME: make
PACKAGE VERSION: 4.4.1
CVE: CVE-2000-0151
CVE STATUS: Patched
CVE SUMMARY: GNU make follows symlinks when it reads a Makefile from stdin, which allows other local users to execute commands.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0151

LAYER: meta
PACKAGE NAME: libffi-native
PACKAGE VERSION: 3.4.6
CVE: CVE-2017-1000376
CVE STATUS: Patched
CVE SUMMARY: libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000376

LAYER: meta
PACKAGE NAME: findutils
PACKAGE VERSION: 4.9.0
CVE: CVE-2001-1036
CVE STATUS: Patched
CVE SUMMARY: GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 allows local users to gain privileges via an old formatted filename database (locatedb) that contains an entry with an out-of-range offset, which causes locate to write to arbitrary process memory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1036

LAYER: meta
PACKAGE NAME: findutils
PACKAGE VERSION: 4.9.0
CVE: CVE-2007-2452
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the visit_old_format function in locate/locate.c in locate in GNU findutils before 4.2.31 might allow context-dependent attackers to execute arbitrary code via a long pathname in a locate database that has the old format, a different vulnerability than CVE-2001-1036.
CVSS v2 BASE SCORE: 6.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2452

LAYER: meta
PACKAGE NAME: libtirpc-native
PACKAGE VERSION: 1.3.4
CVE: CVE-2013-1950
CVE STATUS: Patched
CVE SUMMARY: The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1950

LAYER: meta
PACKAGE NAME: libtirpc-native
PACKAGE VERSION: 1.3.4
CVE: CVE-2017-8779
CVE STATUS: Patched
CVE SUMMARY: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8779

LAYER: meta
PACKAGE NAME: libtirpc-native
PACKAGE VERSION: 1.3.4
CVE: CVE-2018-14621
CVE STATUS: Patched
CVE SUMMARY: An infinite loop vulnerability was found in libtirpc before version 1.0.2-rc2. With the port to using poll rather than select, exhaustion of file descriptors would cause the server to enter an infinite loop, consuming a large amount of CPU time and denying service to other clients until restarted.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14621

LAYER: meta
PACKAGE NAME: libtirpc-native
PACKAGE VERSION: 1.3.4
CVE: CVE-2018-14622
CVE STATUS: Patched
CVE SUMMARY: A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14622

LAYER: meta
PACKAGE NAME: libtirpc-native
PACKAGE VERSION: 1.3.4
CVE: CVE-2021-46828
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: fixed in 1.3.3rc1 so not present in 1.3.3
CVE SUMMARY: In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46828

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2001-1267
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users to overwrite arbitrary files during archive extraction via a tar file whose filenames contain a .. (dot dot).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1267

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2002-0399
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in GNU tar 1.13.19 through 1.13.25, and possibly later versions, allows attackers to overwrite arbitrary files during archive extraction via a (1) "/.." or (2) "./.." string, which removes the leading slash but leaves the "..", a variant of CVE-2001-1267.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0399

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2002-1216
CVE STATUS: Patched
CVE SUMMARY: GNU tar 1.13.19 and other versions before 1.13.25 allows remote attackers to overwrite arbitrary files via a symlink attack, as the result of a modification that effectively disabled the security check.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1216

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2005-1918
CVE STATUS: Patched
CVE SUMMARY: The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/".
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1918

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2005-2541
CVE STATUS: Patched
CVE SUMMARY: Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2541

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2006-0300
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0300

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2006-6097
CVE STATUS: Patched
CVE SUMMARY: GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6097

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2007-4131
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4131

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2007-4476
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4476

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2010-0624
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0624

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2016-6321
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6321

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2018-20482
CVE STATUS: Patched
CVE SUMMARY: GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20482

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2019-9923
CVE STATUS: Patched
CVE SUMMARY: pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9923

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2021-20193
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20193

LAYER: meta
PACKAGE NAME: tar
PACKAGE VERSION: 1.35
CVE: CVE-2022-48303
CVE STATUS: Patched
CVE SUMMARY: GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48303

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2002-0759
CVE STATUS: Patched
CVE SUMMARY: bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, does not use the O_EXCL flag to create files during decompression and does not warn the user if an existing file would be overwritten, which could allow attackers to overwrite files via a bzip2 archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0759

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2002-0760
CVE STATUS: Patched
CVE SUMMARY: Race condition in bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, decompresses files with world-readable permissions before setting the permissions to what is specified in the bzip2 archive, which could allow local users to read the files as they are being decompressed.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0760

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2002-0761
CVE STATUS: Patched
CVE SUMMARY: bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly systems, uses the permissions of symbolic links instead of the actual files when creating an archive, which could cause the files to be extracted with less restrictive permissions than intended.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0761

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2005-0953
CVE STATUS: Patched
CVE SUMMARY: Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0953

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2005-1260
CVE STATUS: Patched
CVE SUMMARY: bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb").
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1260

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2008-1372
CVE STATUS: Patched
CVE SUMMARY: bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1372

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2010-0405
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0405

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2011-4089
CVE STATUS: Patched
CVE SUMMARY: The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4089

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2016-3189
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3189

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2019-12900
CVE STATUS: Patched
CVE SUMMARY: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12900

LAYER: meta
PACKAGE NAME: bzip2
PACKAGE VERSION: 1.0.8
CVE: CVE-2023-22895
CVE STATUS: Patched
CVE SUMMARY: The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-22895

LAYER: meta
PACKAGE NAME: m4-native
PACKAGE VERSION: 1.4.19
CVE: CVE-2008-1687
CVE STATUS: Patched
CVE SUMMARY: The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1687

LAYER: meta
PACKAGE NAME: m4-native
PACKAGE VERSION: 1.4.19
CVE: CVE-2008-1688
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option.  NOTE: it is not clear when this issue crosses privilege boundaries.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1688

LAYER: meta
PACKAGE NAME: initscripts
PACKAGE VERSION: 1.0
CVE: CVE-2008-3524
CVE STATUS: Patched
CVE SUMMARY: rc.sysinit in initscripts before 8.76.3-1 on Fedora 9 and other Linux platforms allows local users to delete arbitrary files via a symlink attack on a file or directory under (1) /var/lock or (2) /var/run.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3524

LAYER: meta
PACKAGE NAME: initscripts
PACKAGE VERSION: 1.0
CVE: CVE-2008-4832
CVE STATUS: Patched
CVE SUMMARY: rc.sysinit in initscripts 8.12-8.21 and 8.56.15-0.1 on rPath allows local users to delete arbitrary files via a symlink attack on a directory under (1) /var/lock or (2) /var/run.  NOTE: this issue exists because of a race condition in an incorrect fix for CVE-2008-3524. NOTE: exploitation may require an unusual scenario in which rc.sysinit is executed other than at boot time.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4832

LAYER: meta
PACKAGE NAME: e2fsprogs
PACKAGE VERSION: 1.47.0
CVE: CVE-2007-5497
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in libext2fs in e2fsprogs before 1.40.3 allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5497

LAYER: meta
PACKAGE NAME: e2fsprogs
PACKAGE VERSION: 1.47.0
CVE: CVE-2015-0247
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0247

LAYER: meta
PACKAGE NAME: e2fsprogs
PACKAGE VERSION: 1.47.0
CVE: CVE-2015-1572
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1572

LAYER: meta
PACKAGE NAME: e2fsprogs
PACKAGE VERSION: 1.47.0
CVE: CVE-2019-5094
CVE STATUS: Patched
CVE SUMMARY: An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5094

LAYER: meta
PACKAGE NAME: e2fsprogs
PACKAGE VERSION: 1.47.0
CVE: CVE-2019-5188
CVE STATUS: Patched
CVE SUMMARY: A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5188

LAYER: meta
PACKAGE NAME: e2fsprogs
PACKAGE VERSION: 1.47.0
CVE: CVE-2022-1304
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1304

LAYER: meta
PACKAGE NAME: zstd
PACKAGE VERSION: 1.5.5
CVE: CVE-2019-11922
CVE STATUS: Patched
CVE SUMMARY: A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11922

LAYER: meta
PACKAGE NAME: zstd
PACKAGE VERSION: 1.5.5
CVE: CVE-2021-24031
CVE STATUS: Patched
CVE SUMMARY: In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-24031

LAYER: meta
PACKAGE NAME: zstd
PACKAGE VERSION: 1.5.5
CVE: CVE-2021-24032
CVE STATUS: Patched
CVE SUMMARY: Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-24032

LAYER: meta
PACKAGE NAME: zstd
PACKAGE VERSION: 1.5.5
CVE: CVE-2022-4899
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4899

LAYER: meta
PACKAGE NAME: kbd
PACKAGE VERSION: 2.6.4
CVE: CVE-2011-0460
CVE STATUS: Patched
CVE SUMMARY: The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.
CVSS v2 BASE SCORE: 6.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0460

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-1999-0034
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0034

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-1999-1386
CVE STATUS: Patched
CVE SUMMARY: Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1386

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2000-0703
CVE STATUS: Patched
CVE SUMMARY: suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0703

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2003-0900
CVE STATUS: Patched
CVE SUMMARY: Perl 5.8.1 on Fedora Core does not properly initialize the random number generator when forking, which makes it easier for attackers to predict random numbers.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0900

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2004-0377
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0377

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2004-0452
CVE STATUS: Patched
CVE SUMMARY: Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0452

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2004-0976
CVE STATUS: Patched
CVE SUMMARY: Multiple scripts in the perl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0976

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2004-2286
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2286

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-0155
CVE STATUS: Patched
CVE SUMMARY: The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0155

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-0156
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0156

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-0448
CVE STATUS: Patched
CVE SUMMARY: Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0448

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-3962
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3962

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-4278
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4278

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2007-5116
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5116

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2008-1927
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters.  NOTE: this issue might only be present on certain operating systems.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1927

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2008-2827
CVE STATUS: Patched
CVE SUMMARY: The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly check permissions before performing a chmod, which allows local users to modify the permissions of arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448 and CVE-2004-0452.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2827

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2009-3626
CVE STATUS: Patched
CVE SUMMARY: Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3626

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2010-1158
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1158

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2010-4777
CVE STATUS: Patched
CVE SUMMARY: The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4777

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2011-0761
CVE STATUS: Patched
CVE SUMMARY: Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0761

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2011-1487
CVE STATUS: Patched
CVE SUMMARY: The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1487

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2011-2728
CVE STATUS: Patched
CVE SUMMARY: The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2728

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2011-2939
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2939

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2012-1151
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1151

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2012-5195
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5195

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2012-6329
CVE STATUS: Patched
CVE SUMMARY: The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6329

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2013-1667
CVE STATUS: Patched
CVE SUMMARY: The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1667

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2013-7422
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7422

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2014-4330
CVE STATUS: Patched
CVE SUMMARY: The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4330

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2015-8608
CVE STATUS: Patched
CVE SUMMARY: The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8608

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2015-8853
CVE STATUS: Patched
CVE SUMMARY: The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8853

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2016-1238
CVE STATUS: Patched
CVE SUMMARY: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1238

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2016-2381
CVE STATUS: Patched
CVE SUMMARY: Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2381

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2016-6185
CVE STATUS: Patched
CVE SUMMARY: The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6185

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2017-12814
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12814

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2017-12837
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12837

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2017-12883
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12883

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-12015
CVE STATUS: Patched
CVE SUMMARY: In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12015

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-18311
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18311

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-18312
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18312

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-18313
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18313

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-18314
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18314

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-6797
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6797

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-6798
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6798

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-6913
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6913

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2020-10543
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10543

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2020-10878
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10878

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2020-12723
CVE STATUS: Patched
CVE SUMMARY: regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12723

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2022-48522
CVE STATUS: Patched
CVE SUMMARY: In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48522

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-31484
CVE STATUS: Patched
CVE SUMMARY: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31484

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-31486
CVE STATUS: Patched
CVE SUMMARY: HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31486

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-47038
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-47038

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-47039
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. This flaw allows an attacker with limited privileges to place`cmd.exe` in locations with weak permissions, such as `C:\ProgramData`. By doing so, arbitrary code can be executed when an administrator attempts to use this executable from these compromised locations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-47039

LAYER: meta
PACKAGE NAME: perl
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-47100
CVE STATUS: Patched
CVE SUMMARY: In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-47100

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-1999-0491
CVE STATUS: Patched
CVE SUMMARY: The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0491

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-1999-1383
CVE STATUS: Patched
CVE SUMMARY: (1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain privileges via directory names that contain shell metacharacters (` back-tick), which can cause the commands enclosed in the directory name to be executed when the shell expands filenames using the \w option in the PS1 variable.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1383

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2010-0002
CVE STATUS: Patched
CVE SUMMARY: The /etc/profile.d/60alias.sh script in the Mandriva bash package for Bash 2.05b, 3.0, 3.2, 3.2.48, and 4.0 enables the --show-control-chars option in LS_OPTIONS, which allows local users to send escape sequences to terminal emulators, or hide the existence of a file, via a crafted filename.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0002

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2012-3410
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in lib/sh/eaccess.c in GNU Bash before 4.2 patch 33 might allow local users to bypass intended restricted shell access via a long filename in /dev/fd, which is not properly handled when expanding the /dev/fd prefix.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3410

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2012-6711
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6711

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2014-6271
CVE STATUS: Patched
CVE SUMMARY: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock."  NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6271

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2014-6277
CVE STATUS: Patched
CVE SUMMARY: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6277

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2014-6278
CVE STATUS: Patched
CVE SUMMARY: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6278

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2014-7169
CVE STATUS: Patched
CVE SUMMARY: GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7169

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2014-7186
CVE STATUS: Patched
CVE SUMMARY: The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7186

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2014-7187
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7187

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2016-0634
CVE STATUS: Patched
CVE SUMMARY: The expansion of '\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine.
CVSS v2 BASE SCORE: 6.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0634

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2016-7543
CVE STATUS: Patched
CVE SUMMARY: Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7543

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2016-9401
CVE STATUS: Patched
CVE SUMMARY: popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9401

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2017-5932
CVE STATUS: Patched
CVE SUMMARY: The path autocompletion feature in Bash 4.4 allows local users to gain privileges via a crafted filename starting with a " (double quote) character and a command substitution metacharacter.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5932

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2019-18276
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18276

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2019-9924
CVE STATUS: Patched
CVE SUMMARY: rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9924

LAYER: meta
PACKAGE NAME: bash
PACKAGE VERSION: 5.2.21
CVE: CVE-2022-3715
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3715

LAYER: meta
PACKAGE NAME: procps
PACKAGE VERSION: 4.0.4
CVE: CVE-2018-1121
CVE STATUS: Patched
CVE SUMMARY: procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1121

LAYER: meta
PACKAGE NAME: procps
PACKAGE VERSION: 4.0.4
CVE: CVE-2023-4016
CVE STATUS: Patched
CVE SUMMARY: Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 2.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4016

LAYER: meta
PACKAGE NAME: grep
PACKAGE VERSION: 3.11
CVE: CVE-2012-5667
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in GNU Grep before 2.11 might allow context-dependent attackers to execute arbitrary code via vectors involving a long input line that triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5667

LAYER: meta
PACKAGE NAME: grep
PACKAGE VERSION: 3.11
CVE: CVE-2015-1345
CVE STATUS: Patched
CVE SUMMARY: The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1345

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6589
CVE STATUS: Patched
CVE SUMMARY: Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6589

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6590
CVE STATUS: Patched
CVE SUMMARY: Multiple directory traversal vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to read arbitrary files via a .. (dot dot) in the page parameter to (1) index.php and (2) LightNEasy.php.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6590

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6592
CVE STATUS: Patched
CVE SUMMARY: thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing a %00 (encoded null byte).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6592

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6593
CVE STATUS: Patched
CVE SUMMARY: SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy SQLite 1.2.2 and earlier allows remote attackers to inject arbitrary PHP code into comments.dat via the dlid parameter to index.php.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6593

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2013-7443
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows remote attackers to cause a denial of service (crash) via crafted SQL statements.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7443

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3414
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3414

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3415
CVE STATUS: Patched
CVE SUMMARY: The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3415

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3416
CVE STATUS: Patched
CVE SUMMARY: The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3416

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3717
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3717

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-5895
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as used in Apple iOS before 9, have unknown impact and attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5895

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-6607
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows attackers to gain privileges via a crafted application, aka internal bug 20099586.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6607

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2016-6153
CVE STATUS: Patched
CVE SUMMARY: os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6153

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2017-10989
CVE STATUS: Patched
CVE SUMMARY: The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10989

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2017-13685
CVE STATUS: Patched
CVE SUMMARY: The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13685

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2017-15286
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15286

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-20346
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20346

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-20505
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20505

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-20506
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20506

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-8740
CVE STATUS: Patched
CVE SUMMARY: In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8740

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-16168
CVE STATUS: Patched
CVE SUMMARY: In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16168

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19242
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19242

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19244
CVE STATUS: Patched
CVE SUMMARY: sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19244

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19317
CVE STATUS: Patched
CVE SUMMARY: lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19317

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19603
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19603

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19645
CVE STATUS: Patched
CVE SUMMARY: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19645

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19646
CVE STATUS: Patched
CVE SUMMARY: pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19646

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19880
CVE STATUS: Patched
CVE SUMMARY: exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19880

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19923
CVE STATUS: Patched
CVE SUMMARY: flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19923

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19924
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19924

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19925
CVE STATUS: Patched
CVE SUMMARY: zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19925

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19926
CVE STATUS: Patched
CVE SUMMARY: multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19926

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19959
CVE STATUS: Patched
CVE SUMMARY: ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19959

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-20218
CVE STATUS: Patched
CVE SUMMARY: selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20218

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-5018
CVE STATUS: Patched
CVE SUMMARY: An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5018

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-8457
CVE STATUS: Patched
CVE SUMMARY: SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8457

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-9936
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9936

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-9937
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9937

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-11655
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11655

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-11656
CVE STATUS: Patched
CVE SUMMARY: In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11656

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13434
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13434

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13435
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13435

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13630
CVE STATUS: Patched
CVE SUMMARY: ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13630

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13631
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13631

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13632
CVE STATUS: Patched
CVE SUMMARY: ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13632

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13871
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13871

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-15358
CVE STATUS: Patched
CVE SUMMARY: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15358

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-35525
CVE STATUS: Patched
CVE SUMMARY: In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35525

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-35527
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35527

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-9327
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9327

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-20227
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20227

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-31239
CVE STATUS: Patched
CVE SUMMARY: An issue found in SQLite SQLite3 v.3.35.4 that allows a remote attacker to cause a denial of service via the appendvfs.c function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31239

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-36690
CVE STATUS: Patched
CVE SUMMARY: A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-36690

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-45346
CVE STATUS: Patched
CVE SUMMARY: A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45346

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2022-35737
CVE STATUS: Patched
CVE SUMMARY: SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35737

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2022-46908
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-46908

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2023-7104
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7104

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2024-0232
CVE STATUS: Patched
CVE SUMMARY: A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0232

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2006-1058
CVE STATUS: Patched
CVE SUMMARY: BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1058

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2006-5050
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in httpd in Rob Landley BusyBox allows remote attackers to read arbitrary files via URL-encoded "%2e%2e/" sequences in the URI.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5050

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2011-2716
CVE STATUS: Patched
CVE SUMMARY: The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2716

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2011-5325
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5325

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2013-1813
CVE STATUS: Patched
CVE SUMMARY: util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1813

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2014-9645
CVE STATUS: Patched
CVE SUMMARY: The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9645

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2015-9261
CVE STATUS: Patched
CVE SUMMARY: huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9261

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2016-2147
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2147

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2016-2148
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2148

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2016-6301
CVE STATUS: Patched
CVE SUMMARY: The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6301

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2017-15873
CVE STATUS: Patched
CVE SUMMARY: The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15873

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2017-15874
CVE STATUS: Patched
CVE SUMMARY: archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15874

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2017-16544
CVE STATUS: Patched
CVE SUMMARY: In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16544

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2018-1000500
CVE STATUS: Patched
CVE SUMMARY: Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000500

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2018-1000517
CVE STATUS: Patched
CVE SUMMARY: BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000517

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2018-20679
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20679

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2019-5747
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5747

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-28831
CVE STATUS: Patched
CVE SUMMARY: decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28831

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42373
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42373

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42374
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42374

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42375
CVE STATUS: Patched
CVE SUMMARY: An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42375

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42376
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42376

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42377
CVE STATUS: Patched
CVE SUMMARY: An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42377

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42378
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42378

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42379
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42379

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42380
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42380

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42381
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42381

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42382
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42382

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42383
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42383

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42384
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42384

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42385
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42385

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2021-42386
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42386

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2022-28391
CVE STATUS: Patched
CVE SUMMARY: BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28391

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2022-30065
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30065

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2022-48174
CVE STATUS: Patched
CVE SUMMARY: There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48174

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2023-39810
CVE STATUS: Patched
CVE SUMMARY: An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39810

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2023-42363
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42363

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2023-42364
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42364

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2023-42365
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42365

LAYER: meta
PACKAGE NAME: busybox
PACKAGE VERSION: 1.36.1
CVE: CVE-2023-42366
CVE STATUS: Patched
CVE SUMMARY: A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42366

LAYER: meta-selinux
PACKAGE NAME: libsepol
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta-oe
PACKAGE NAME: audit
PACKAGE VERSION: 4.0.1
CVE: CVE-2007-4148
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 allows remote attackers to cause a denial of service (persistent daemon crashes) or execute arbitrary code via a long filename in a "LOG." command.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4148

LAYER: meta-oe
PACKAGE NAME: audit
PACKAGE VERSION: 4.0.1
CVE: CVE-2007-4149
CVE STATUS: Patched
CVE SUMMARY: The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 does not require authentication for (1) the "LOG." command, which allows remote attackers to create or overwrite arbitrary files; (2) the SETTINGSFILE command, which allows remote attackers to overwrite the ini file, and reconfigure VSAOD or cause a denial of service; or (3) the UNINSTALL command, which allows remote attackers to cause a denial of service (daemon shutdown).  NOTE: vector 1 can be leveraged for code execution by writing to a Startup folder.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4149

LAYER: meta-oe
PACKAGE NAME: audit
PACKAGE VERSION: 4.0.1
CVE: CVE-2007-4150
CVE STATUS: Patched
CVE SUMMARY: The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 uses weak cryptography (XOR) when (1) transmitting passwords, which allows remote attackers to obtain sensitive information by sniffing the network; and (2) storing passwords in the configuration file, which allows local users to obtain sensitive information by reading this file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4150

LAYER: meta-oe
PACKAGE NAME: audit
PACKAGE VERSION: 4.0.1
CVE: CVE-2007-4151
CVE STATUS: Patched
CVE SUMMARY: The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 allows remote attackers to obtain sensitive information via (1) a LOG.ON command, which reveals the logging pathname in the server response; (2) a VER command, which reveals the version number in the server response; and (3) a connection, which reveals the version number in the banner.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4151

LAYER: meta-oe
PACKAGE NAME: audit
PACKAGE VERSION: 4.0.1
CVE: CVE-2007-4152
CVE STATUS: Patched
CVE SUMMARY: The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 allows remote attackers to conduct replay attacks by capturing and resending data from the DETAILS and PROCESS sections of a session that schedules an audit.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4152

LAYER: meta-oe
PACKAGE NAME: audit
PACKAGE VERSION: 4.0.1
CVE: CVE-2008-1628
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the audit_log_user_command function in lib/audit_logging.c in Linux Audit before 1.7 might allow remote attackers to execute arbitrary code via a long command argument. NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 4.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1628

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2002-0059
CVE STATUS: Patched
CVE SUMMARY: The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0059

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2003-0107
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0107

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2004-0797
CVE STATUS: Patched
CVE SUMMARY: The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0797

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2005-1849
CVE STATUS: Patched
CVE SUMMARY: inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1849

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2005-2096
CVE STATUS: Patched
CVE SUMMARY: zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2096

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2016-9840
CVE STATUS: Patched
CVE SUMMARY: inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9840

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2016-9841
CVE STATUS: Patched
CVE SUMMARY: inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9841

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2016-9842
CVE STATUS: Patched
CVE SUMMARY: The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9842

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2016-9843
CVE STATUS: Patched
CVE SUMMARY: The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9843

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2018-25032
CVE STATUS: Patched
CVE SUMMARY: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25032

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2022-37434
CVE STATUS: Patched
CVE SUMMARY: zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-37434

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2023-45853
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: we don't build minizip
CVE SUMMARY: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45853

LAYER: meta
PACKAGE NAME: zlib
PACKAGE VERSION: 1.3.1
CVE: CVE-2023-6992
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: this CVE is for cloudflare zlib
CVE SUMMARY: Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.
A local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.
Patches: The issue has been patched in commit  8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6992

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2003-0102
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0102

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2004-1304
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ELF header parsing code in file before 4.12 allows attackers to execute arbitrary code via a crafted ELF file.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1304

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2007-1536
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1536

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2007-2026
CVE STATUS: Patched
CVE SUMMARY: The gnu regular expression code in file 4.20 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted document with a large number of line feed characters, which is not well handled by OS/2 REXX regular expressions that use wildcards, as originally reported for AMaViS.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2026

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2007-2799
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the "file" program 4.20, when running on 32-bit systems, as used in products including The Sleuth Kit, might allow user-assisted attackers to execute arbitrary code via a large file that triggers an overflow that bypasses an assert() statement.  NOTE: this issue is due to an incorrect patch for CVE-2007-1536.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2799

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2009-1515
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a .msi, .doc, or .mpp file.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1515

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2009-3930
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Christos Zoulas file before 5.02 allow user-assisted remote attackers to have an unspecified impact via a malformed compound document (aka cdf) file that triggers a buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3930

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2012-1571
CVE STATUS: Patched
CVE SUMMARY: file before 5.11 and libmagic allow remote attackers to cause a denial of service (crash) via a crafted Composite Document File (CDF) file that triggers (1) an out-of-bounds read or (2) an invalid pointer dereference.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1571

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2013-7345
CVE STATUS: Patched
CVE SUMMARY: The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7345

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-0207
CVE STATUS: Patched
CVE SUMMARY: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0207

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-2270
CVE STATUS: Patched
CVE SUMMARY: softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2270

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-3478
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3478

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-3479
CVE STATUS: Patched
CVE SUMMARY: The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3479

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-3480
CVE STATUS: Patched
CVE SUMMARY: The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3480

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-3487
CVE STATUS: Patched
CVE SUMMARY: The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3487

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-3538
CVE STATUS: Patched
CVE SUMMARY: file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3538

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-3587
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3587

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-8116
CVE STATUS: Patched
CVE SUMMARY: The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8116

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-8117
CVE STATUS: Patched
CVE SUMMARY: softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8117

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-9620
CVE STATUS: Patched
CVE SUMMARY: The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9620

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-9621
CVE STATUS: Patched
CVE SUMMARY: The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9621

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-9652
CVE STATUS: Patched
CVE SUMMARY: The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9652

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2014-9653
CVE STATUS: Patched
CVE SUMMARY: readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9653

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2017-1000249
CVE STATUS: Patched
CVE SUMMARY: An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000249

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2018-10360
CVE STATUS: Patched
CVE SUMMARY: The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10360

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2019-18218
CVE STATUS: Patched
CVE SUMMARY: cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18218

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2019-8904
CVE STATUS: Patched
CVE SUMMARY: do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8904

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2019-8905
CVE STATUS: Patched
CVE SUMMARY: do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8905

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2019-8906
CVE STATUS: Patched
CVE SUMMARY: do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8906

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2019-8907
CVE STATUS: Patched
CVE SUMMARY: do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8907

LAYER: meta
PACKAGE NAME: file
PACKAGE VERSION: 5.45
CVE: CVE-2022-48554
CVE STATUS: Patched
CVE SUMMARY: File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: "File" is the name of an Open Source project.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48554

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2013-4242
CVE STATUS: Patched
CVE SUMMARY: GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4242

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2014-3591
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3591

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2014-5270
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5270

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2015-0837
CVE STATUS: Patched
CVE SUMMARY: The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0837

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2015-7511
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 2.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7511

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2016-6313
CVE STATUS: Patched
CVE SUMMARY: The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6313

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2017-0379
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0379

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2017-7526
CVE STATUS: Patched
CVE SUMMARY: libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7526

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2017-9526
CVE STATUS: Patched
CVE SUMMARY: In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9526

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2018-0495
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0495

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2018-6829
CVE STATUS: Patched
CVE SUMMARY: cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6829

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2019-12904
CVE STATUS: Patched
CVE SUMMARY: In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12904

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2021-3345
CVE STATUS: Patched
CVE SUMMARY: _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3345

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2021-33560
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33560

LAYER: meta
PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.10.3
CVE: CVE-2021-40528
CVE STATUS: Patched
CVE SUMMARY: The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-40528

LAYER: meta
PACKAGE NAME: libidn2
PACKAGE VERSION: 2.3.7
CVE: CVE-2017-14061
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14061

LAYER: meta
PACKAGE NAME: libidn2
PACKAGE VERSION: 2.3.7
CVE: CVE-2017-14062
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14062

LAYER: meta
PACKAGE NAME: libidn2
PACKAGE VERSION: 2.3.7
CVE: CVE-2019-12290
CVE STATUS: Patched
CVE SUMMARY: GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12290

LAYER: meta
PACKAGE NAME: libidn2
PACKAGE VERSION: 2.3.7
CVE: CVE-2019-18224
CVE STATUS: Patched
CVE SUMMARY: idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18224

LAYER: meta
PACKAGE NAME: xz
PACKAGE VERSION: 5.4.6
CVE: CVE-2015-4035
CVE STATUS: Patched
CVE SUMMARY: scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4035

LAYER: meta
PACKAGE NAME: xz
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-22916
CVE STATUS: Patched
CVE SUMMARY: An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22916

LAYER: meta
PACKAGE NAME: xz
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-29482
CVE STATUS: Patched
CVE SUMMARY: xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29482

LAYER: meta
PACKAGE NAME: xz
PACKAGE VERSION: 5.4.6
CVE: CVE-2022-1271
CVE STATUS: Patched
CVE SUMMARY: An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1271

LAYER: meta
PACKAGE NAME: xz
PACKAGE VERSION: 5.4.6
CVE: CVE-2024-3094
CVE STATUS: Patched
CVE SUMMARY: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. 
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 10.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-3094

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2004-2531
CVE STATUS: Patched
CVE SUMMARY: X.509 Certificate Signature Verification in Gnu transport layer security library (GnuTLS) 1.0.16 allows remote attackers to cause a denial of service (CPU consumption) via certificates containing long chains and signed with large RSA keys.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2531

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2005-1431
CVE STATUS: Patched
CVE SUMMARY: The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1431

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2006-4790
CVE STATUS: Patched
CVE SUMMARY: verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4790

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2006-7239
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_x509_oid2mac_algorithm function in lib/gnutls_algorithms.c in GnuTLS before 1.4.2 allows remote attackers to cause a denial of service (crash) via a crafted X.509 certificate that uses a hash algorithm that is not supported by GnuTLS, which triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7239

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-1948
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1948

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-1949
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1949

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-1950
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1950

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-2377
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_clear function in lib/gnutls_handshake.c in libgnutls in GnuTLS 2.3.5 through 2.4.0 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via TLS transmission of data that is improperly used when the peer calls gnutls_handshake within a normal session, leading to attempted access to a deallocated libgcrypt handle.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2377

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2008-4989
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4989

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-1415
CVE STATUS: Patched
CVE SUMMARY: lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of an uninitialized pointer or (2) double free.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1415

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-1416
CVE STATUS: Patched
CVE SUMMARY: lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1416

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-1417
CVE STATUS: Patched
CVE SUMMARY: gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1417

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-2409
CVE STATUS: Patched
CVE SUMMARY: The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time.  NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2409

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-2730
CVE STATUS: Patched
CVE SUMMARY: libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2730

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-3555
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3555

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2009-5138
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5138

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2010-0731
CVE STATUS: Patched
CVE SUMMARY: The gnutls_x509_crt_get_serial function in the GnuTLS library before 1.2.1, when running on big-endian, 64-bit platforms, calls the asn1_read_value with a pointer to the wrong data type and the wrong length value, which allows remote attackers to bypass the certificate revocation list (CRL) check and cause a stack-based buffer overflow via a crafted X.509 certificate, related to extraction of a serial number.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0731

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2011-4128
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4128

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2012-0390
CVE STATUS: Patched
CVE SUMMARY: The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0390

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2012-1569
CVE STATUS: Patched
CVE SUMMARY: The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1569

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2012-1573
CVE STATUS: Patched
CVE SUMMARY: gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1573

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2012-1663
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1663

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2013-1619
CVE STATUS: Patched
CVE SUMMARY: The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1619

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2013-2116
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length.  NOTE: this might be due to an incorrect fix for CVE-2013-0169.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2116

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2013-4466
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the dane_query_tlsa function in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.15 and 3.2.x before 3.2.5 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4466

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2013-4487
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.16 and 3.2.x before 3.2.6 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries.  NOTE: this issue is due to an incomplete fix for CVE-2013-4466.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4487

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-0092
CVE STATUS: Patched
CVE SUMMARY: lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0092

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-1959
CVE STATUS: Patched
CVE SUMMARY: lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1959

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3465
CVE STATUS: Patched
CVE SUMMARY: The gnutls_x509_dn_oid_name function in lib/x509/common.c in GnuTLS 3.0 before 3.1.20 and 3.2.x before 3.2.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted X.509 certificate, related to a missing LDAP description for an OID when printing the DN.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3465

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3466
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3466

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3467
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3467

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3468
CVE STATUS: Patched
CVE SUMMARY: The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3468

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-3469
CVE STATUS: Patched
CVE SUMMARY: The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3469

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-8155
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8155

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2014-8564
CVE STATUS: Patched
CVE SUMMARY: The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8564

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-0282
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0282

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-0294
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0294

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-3308
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3.14 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CRL distribution point.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3308

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-6251
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in GnuTLS before 3.3.17 and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service via a long DistinguishedName (DN) entry in a certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6251

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2015-8313
CVE STATUS: Patched
CVE SUMMARY: GnuTLS incorrectly validates the first byte of padding in CBC modes
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8313

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2016-4456
CVE STATUS: Patched
CVE SUMMARY: The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4456

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2016-7444
CVE STATUS: Patched
CVE SUMMARY: The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7444

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-5334
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the gnutls_x509_ext_import_proxy function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via crafted policy language information in an X.509 certificate with a Proxy Certificate Information extension.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5334

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-5335
CVE STATUS: Patched
CVE SUMMARY: The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5335

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-5336
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/opencdk/pubkey.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via a crafted OpenPGP certificate.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5336

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-5337
CVE STATUS: Patched
CVE SUMMARY: Multiple heap-based buffer overflows in the read_attribute function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to have unspecified impact via a crafted OpenPGP certificate.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5337

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-7507
CVE STATUS: Patched
CVE SUMMARY: GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7507

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2017-7869
CVE STATUS: Patched
CVE SUMMARY: GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7869

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2018-10844
CVE STATUS: Patched
CVE SUMMARY: It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10844

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2018-10845
CVE STATUS: Patched
CVE SUMMARY: It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10845

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2018-10846
CVE STATUS: Patched
CVE SUMMARY: A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10846

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2018-16868
CVE STATUS: Patched
CVE SUMMARY: A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16868

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2019-3829
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3829

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2019-3836
CVE STATUS: Patched
CVE SUMMARY: It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3836

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2020-11501
CVE STATUS: Patched
CVE SUMMARY: GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11501

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2020-13777
CVE STATUS: Patched
CVE SUMMARY: GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13777

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2020-24659
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24659

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2021-20231
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20231

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2021-20232
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20232

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2021-4209
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4209

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2022-2509
CVE STATUS: Patched
CVE SUMMARY: A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2509

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2023-0361
CVE STATUS: Patched
CVE SUMMARY: A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0361

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2023-5981
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5981

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2024-0553
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0553

LAYER: meta
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.8.4
CVE: CVE-2024-0567
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0567

LAYER: meta-selinux
PACKAGE NAME: libsemanage
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta
PACKAGE NAME: readline
PACKAGE VERSION: 8.2
CVE: CVE-2014-2524
CVE STATUS: Patched
CVE SUMMARY: The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2524

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-1999-0428
CVE STATUS: Patched
CVE SUMMARY: OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0428

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2000-0535
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0535

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2000-1254
CVE STATUS: Patched
CVE SUMMARY: crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX platforms.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1254

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2001-1141
CVE STATUS: Patched
CVE SUMMARY: The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1141

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-0655
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0655

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-0656
CVE STATUS: Patched
CVE SUMMARY: Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0656

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-0657
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long master key.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0657

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-0659
CVE STATUS: Patched
CVE SUMMARY: The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0659

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-1568
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1568

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0078
CVE STATUS: Patched
CVE SUMMARY: ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0078

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0131
CVE STATUS: Patched
CVE SUMMARY: The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0131

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0147
CVE STATUS: Patched
CVE SUMMARY: OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0147

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0543
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0543

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0544
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0544

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0545
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0545

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0851
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0851

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2004-0079
CVE STATUS: Patched
CVE SUMMARY: The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0079

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2004-0081
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0081

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2004-0975
CVE STATUS: Patched
CVE SUMMARY: The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0975

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2005-1797
CVE STATUS: Patched
CVE SUMMARY: The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on S-box lookups, which are difficult to perform in constant time in AES implementations.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1797

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2005-2946
CVE STATUS: Patched
CVE SUMMARY: The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2946

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2005-2969
CVE STATUS: Patched
CVE SUMMARY: The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2969

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-2937
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2937

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-2940
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2940

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-3738
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3738

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-4339
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4339

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-4343
CVE STATUS: Patched
CVE SUMMARY: The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4343

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-7250
CVE STATUS: Patched
CVE SUMMARY: The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7250

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2007-3108
CVE STATUS: Patched
CVE SUMMARY: The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3108

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2007-4995
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4995

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2007-5135
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow.  NOTE: this issue was introduced as a result of a fix for CVE-2006-3738.  As of 20071012, it is unknown whether code execution is possible.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5135

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-0166
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0166

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-0891
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0891

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-1672
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1672

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-1678
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1678

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-5077
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5077

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-7270
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-7270

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-0590
CVE STATUS: Patched
CVE SUMMARY: The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0590

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-0591
CVE STATUS: Patched
CVE SUMMARY: The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0591

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-0653
CVE STATUS: Patched
CVE SUMMARY: OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack, a related issue to CVE-2002-0970.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0653

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-0789
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0789

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1377
CVE STATUS: Patched
CVE SUMMARY: The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1377

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1378
CVE STATUS: Patched
CVE SUMMARY: Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1378

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1379
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1379

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1386
CVE STATUS: Patched
CVE SUMMARY: ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1386

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1387
CVE STATUS: Patched
CVE SUMMARY: The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1387

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-2409
CVE STATUS: Patched
CVE SUMMARY: The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time.  NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2409

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-3245
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3245

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-3555
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3555

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-4355
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4355

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-0433
CVE STATUS: Patched
CVE SUMMARY: The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0433

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-0740
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0740

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-0742
CVE STATUS: Patched
CVE SUMMARY: The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0742

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-0928
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0928

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-1633
CVE STATUS: Patched
CVE SUMMARY: RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1633

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-2939
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime.  NOTE: some sources refer to this as a use-after-free issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2939

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-3864
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3864

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-4180
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4180

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-4252
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4252

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-5298
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5298

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-0014
CVE STATUS: Patched
CVE SUMMARY: ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0014

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-1473
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094.  NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1473

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-1945
CVE STATUS: Patched
CVE SUMMARY: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1945

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-3207
CVE STATUS: Patched
CVE SUMMARY: crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3207

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-3210
CVE STATUS: Patched
CVE SUMMARY: The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3210

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4108
CVE STATUS: Patched
CVE SUMMARY: The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4108

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4109
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4109

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4354
CVE STATUS: Patched
CVE SUMMARY: crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4354

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4576
CVE STATUS: Patched
CVE SUMMARY: The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4576

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4577
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4577

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4619
CVE STATUS: Patched
CVE SUMMARY: The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4619

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-5095
CVE STATUS: Patched
CVE SUMMARY: The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-1923.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5095

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-0027
CVE STATUS: Patched
CVE SUMMARY: The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0027

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-0050
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0050

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-0884
CVE STATUS: Patched
CVE SUMMARY: The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0884

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-1165
CVE STATUS: Patched
CVE SUMMARY: The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1165

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-2110
CVE STATUS: Patched
CVE SUMMARY: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2110

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-2131
CVE STATUS: Patched
CVE SUMMARY: Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2131

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-2333
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2333

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-2686
CVE STATUS: Patched
CVE SUMMARY: crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2686

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-0166
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0166

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-0169
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0169

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-4353
CVE STATUS: Patched
CVE SUMMARY: The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4353

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-6449
CVE STATUS: Patched
CVE SUMMARY: The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6449

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-6450
CVE STATUS: Patched
CVE SUMMARY: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6450

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0076
CVE STATUS: Patched
CVE SUMMARY: The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0076

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0160
CVE STATUS: Patched
CVE SUMMARY: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0160

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0195
CVE STATUS: Patched
CVE SUMMARY: The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0195

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0198
CVE STATUS: Patched
CVE SUMMARY: The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0198

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0221
CVE STATUS: Patched
CVE SUMMARY: The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0221

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0224
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0224

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3470
CVE STATUS: Patched
CVE SUMMARY: The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3470

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3505
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3505

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3506
CVE STATUS: Patched
CVE SUMMARY: d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3506

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3507
CVE STATUS: Patched
CVE SUMMARY: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3507

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3508
CVE STATUS: Patched
CVE SUMMARY: The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3508

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3509
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3509

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3510
CVE STATUS: Patched
CVE SUMMARY: The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3510

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3511
CVE STATUS: Patched
CVE SUMMARY: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3511

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3512
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3512

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3513
CVE STATUS: Patched
CVE SUMMARY: Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3513

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3566
CVE STATUS: Patched
CVE SUMMARY: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3566

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3567
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3567

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3568
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3568

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3569
CVE STATUS: Patched
CVE SUMMARY: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling.  NOTE: this issue became relevant after the CVE-2014-3568 fix.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3569

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3570
CVE STATUS: Patched
CVE SUMMARY: The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3570

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3571
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3571

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3572
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3572

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-5139
CVE STATUS: Patched
CVE SUMMARY: The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5139

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-8176
CVE STATUS: Patched
CVE SUMMARY: The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8176

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-8275
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8275

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0204
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue.  NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0204

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0205
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0205

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0206
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0206

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0207
CVE STATUS: Patched
CVE SUMMARY: The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0207

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0208
CVE STATUS: Patched
CVE SUMMARY: The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0208

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0209
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0209

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0285
CVE STATUS: Patched
CVE SUMMARY: The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0285

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0286
CVE STATUS: Patched
CVE SUMMARY: The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0286

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0287
CVE STATUS: Patched
CVE SUMMARY: The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0287

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0288
CVE STATUS: Patched
CVE SUMMARY: The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0288

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0289
CVE STATUS: Patched
CVE SUMMARY: The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0289

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0290
CVE STATUS: Patched
CVE SUMMARY: The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0290

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0291
CVE STATUS: Patched
CVE SUMMARY: The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0291

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0292
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0292

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0293
CVE STATUS: Patched
CVE SUMMARY: The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0293

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1787
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1787

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1788
CVE STATUS: Patched
CVE SUMMARY: The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1788

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1789
CVE STATUS: Patched
CVE SUMMARY: The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1789

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1790
CVE STATUS: Patched
CVE SUMMARY: The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1790

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1791
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1791

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1792
CVE STATUS: Patched
CVE SUMMARY: The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1792

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1793
CVE STATUS: Patched
CVE SUMMARY: The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1793

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1794
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1794

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3193
CVE STATUS: Patched
CVE SUMMARY: The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3193

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3194
CVE STATUS: Patched
CVE SUMMARY: crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3194

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3195
CVE STATUS: Patched
CVE SUMMARY: The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3195

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3196
CVE STATUS: Patched
CVE SUMMARY: ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3196

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3197
CVE STATUS: Patched
CVE SUMMARY: ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3197

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3216
CVE STATUS: Patched
CVE SUMMARY: Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3216

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-4000
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4000

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0701
CVE STATUS: Patched
CVE SUMMARY: The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0701

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0702
CVE STATUS: Patched
CVE SUMMARY: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0702

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0703
CVE STATUS: Patched
CVE SUMMARY: The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0703

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0704
CVE STATUS: Patched
CVE SUMMARY: An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0704

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0705
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0705

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0797
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0797

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0798
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0798

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0799
CVE STATUS: Patched
CVE SUMMARY: The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0799

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0800
CVE STATUS: Patched
CVE SUMMARY: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0800

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2105
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2105

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2106
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2106

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2107
CVE STATUS: Patched
CVE SUMMARY: The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2107

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2108
CVE STATUS: Patched
CVE SUMMARY: The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2108

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2109
CVE STATUS: Patched
CVE SUMMARY: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2109

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2176
CVE STATUS: Patched
CVE SUMMARY: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2176

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2177
CVE STATUS: Patched
CVE SUMMARY: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2177

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2178
CVE STATUS: Patched
CVE SUMMARY: The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2178

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2179
CVE STATUS: Patched
CVE SUMMARY: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2179

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2180
CVE STATUS: Patched
CVE SUMMARY: The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2180

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2181
CVE STATUS: Patched
CVE SUMMARY: The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2181

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2182
CVE STATUS: Patched
CVE SUMMARY: The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2182

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2183
CVE STATUS: Patched
CVE SUMMARY: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2183

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2842
CVE STATUS: Patched
CVE SUMMARY: The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2842

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6302
CVE STATUS: Patched
CVE SUMMARY: The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6302

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6303
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6303

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6304
CVE STATUS: Patched
CVE SUMMARY: Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6304

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6305
CVE STATUS: Patched
CVE SUMMARY: The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6305

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6306
CVE STATUS: Patched
CVE SUMMARY: The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6306

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6307
CVE STATUS: Patched
CVE SUMMARY: The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6307

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6308
CVE STATUS: Patched
CVE SUMMARY: statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6308

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6309
CVE STATUS: Patched
CVE SUMMARY: statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6309

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7052
CVE STATUS: Patched
CVE SUMMARY: crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7052

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7053
CVE STATUS: Patched
CVE SUMMARY: In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7053

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7054
CVE STATUS: Patched
CVE SUMMARY: In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7054

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7055
CVE STATUS: Patched
CVE SUMMARY: There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7055

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7056
CVE STATUS: Patched
CVE SUMMARY: A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7056

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-8610
CVE STATUS: Patched
CVE SUMMARY: A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8610

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3730
CVE STATUS: Patched
CVE SUMMARY: In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3730

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3731
CVE STATUS: Patched
CVE SUMMARY: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3731

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3732
CVE STATUS: Patched
CVE SUMMARY: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3732

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3733
CVE STATUS: Patched
CVE SUMMARY: During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3733

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3735
CVE STATUS: Patched
CVE SUMMARY: While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3735

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3736
CVE STATUS: Patched
CVE SUMMARY: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3736

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3737
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3737

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3738
CVE STATUS: Patched
CVE SUMMARY: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3738

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0732
CVE STATUS: Patched
CVE SUMMARY: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0732

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0733
CVE STATUS: Patched
CVE SUMMARY: Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0733

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0734
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0734

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0735
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0735

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0737
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0737

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0739
CVE STATUS: Patched
CVE SUMMARY: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0739

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-5407
CVE STATUS: Patched
CVE SUMMARY: Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5407

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1543
CVE STATUS: Patched
CVE SUMMARY: ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1543

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1547
CVE STATUS: Patched
CVE SUMMARY: Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1547

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1549
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1549

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1551
CVE STATUS: Patched
CVE SUMMARY: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1551

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1552
CVE STATUS: Patched
CVE SUMMARY: OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1552

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1559
CVE STATUS: Patched
CVE SUMMARY: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1559

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1563
CVE STATUS: Patched
CVE SUMMARY: In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1563

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2020-1967
CVE STATUS: Patched
CVE SUMMARY: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1967

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2020-1968
CVE STATUS: Patched
CVE SUMMARY: The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1968

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2020-1971
CVE STATUS: Patched
CVE SUMMARY: The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1971

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-23839
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23839

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-23840
CVE STATUS: Patched
CVE SUMMARY: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23840

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-23841
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23841

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-3449
CVE STATUS: Patched
CVE SUMMARY: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3449

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-3450
CVE STATUS: Patched
CVE SUMMARY: The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3450

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-3711
CVE STATUS: Patched
CVE SUMMARY: In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3711

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-3712
CVE STATUS: Patched
CVE SUMMARY: ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3712

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-4044
CVE STATUS: Patched
CVE SUMMARY: Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4044

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-4160
CVE STATUS: Patched
CVE SUMMARY: There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4160

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-0778
CVE STATUS: Patched
CVE SUMMARY: The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0778

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-1292
CVE STATUS: Patched
CVE SUMMARY: The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1292

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-1343
CVE STATUS: Patched
CVE SUMMARY: The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1343

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-1434
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1434

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-1473
CVE STATUS: Patched
CVE SUMMARY: The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1473

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-2068
CVE STATUS: Patched
CVE SUMMARY: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2068

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-2097
CVE STATUS: Patched
CVE SUMMARY: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2097

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-2274
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2274

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-3358
CVE STATUS: Patched
CVE SUMMARY: OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3358

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-3602
CVE STATUS: Patched
CVE SUMMARY: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3602

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-3786
CVE STATUS: Patched
CVE SUMMARY: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3786

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-3996
CVE STATUS: Patched
CVE SUMMARY: If an X.509 certificate contains a malformed policy constraint and
policy processing is enabled, then a write lock will be taken twice
recursively.  On some operating systems (most widely: Windows) this
results in a denial of service when the affected process hangs.  Policy
processing being enabled on a publicly facing server is not considered
to be a common setup.

Policy processing is enabled by passing the `-policy'
argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.

Update (31 March 2023): The description of the policy processing enablement
was corrected based on CVE-2023-0466.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3996

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-4203
CVE STATUS: Patched
CVE SUMMARY: A read buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs
after certificate chain signature verification and requires either a
CA to have signed the malicious certificate or for the application to
continue certificate verification despite failure to construct a path
to a trusted issuer.

The read buffer overrun might result in a crash which could lead to
a denial of service attack. In theory it could also result in the disclosure
of private memory contents (such as private keys, or sensitive plaintext)
although we are not aware of any working exploit leading to memory
contents disclosure as of the time of release of this advisory.

In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4203

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-4304
CVE STATUS: Patched
CVE SUMMARY: A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an
encrypted pre-master secret to the server. An attacker that had observed a
genuine connection between a client and a server could use this flaw to send
trial messages to the server and record the time taken to process them. After a
sufficiently large number of messages the attacker could recover the pre-master
secret used for the original connection and thus be able to decrypt the
application data sent over that connection.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4304

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-4450
CVE STATUS: Patched
CVE SUMMARY: The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.
If the function succeeds then the "name_out", "header" and "data" arguments are
populated with pointers to buffers containing the relevant decoded data. The
caller is responsible for freeing those buffers. It is possible to construct a
PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
will return a failure code but will populate the header argument with a pointer
to a buffer that has already been freed. If the caller also frees this buffer
then a double free will occur. This will most likely lead to a crash. This
could be exploited by an attacker who has the ability to supply malicious PEM
files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal
uses of these functions are not vulnerable because the caller does not free the
header argument if PEM_read_bio_ex() returns a failure code. These locations
include the PEM_read_bio_TYPE() functions as well as the decoders introduced in
OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.



CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4450

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0215
CVE STATUS: Patched
CVE SUMMARY: The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the
SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by
end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter
BIO onto the front of it to form a BIO chain, and then returns the new head of
the BIO chain to the caller. Under certain conditions, for example if a CMS
recipient public key is invalid, the new filter BIO is freed and the function
returns a NULL result indicating a failure. However, in this case, the BIO chain
is not properly cleaned up and the BIO passed by the caller still retains
internal pointers to the previously freed filter BIO. If the caller then goes on
to call BIO_pop() on the BIO then a use-after-free will occur. This will most
likely result in a crash.



This scenario occurs directly in the internal function B64_write_ASN1() which
may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on
the BIO. This internal function is in turn called by the public API functions
PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,
SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include
i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and
i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.




CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0215

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0216
CVE STATUS: Patched
CVE SUMMARY: An invalid pointer dereference on read can be triggered when an
application tries to load malformed PKCS7 data with the
d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

The result of the dereference is an application crash which could
lead to a denial of service attack. The TLS implementation in OpenSSL
does not call this function however third party applications might
call these functions on untrusted data.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0216

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0217
CVE STATUS: Patched
CVE SUMMARY: An invalid pointer dereference on read can be triggered when an
application tries to check a malformed DSA public key by the
EVP_PKEY_public_check() function. This will most likely lead
to an application crash. This function can be called on public
keys supplied from untrusted sources which could allow an attacker
to cause a denial of service attack.

The TLS implementation in OpenSSL does not call this function
but applications might call the function if there are additional
security requirements imposed by standards such as FIPS 140-3.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0217

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0286
CVE STATUS: Patched
CVE SUMMARY: There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0286

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0401
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer can be dereferenced when signatures are being
verified on PKCS7 signed or signedAndEnveloped data. In case the hash
algorithm used for the signature is known to the OpenSSL library but
the implementation of the hash algorithm is not available the digest
initialization will fail. There is a missing check for the return
value from the initialization function which later leads to invalid
usage of the digest API most likely leading to a crash.

The unavailability of an algorithm can be caused by using FIPS
enabled configuration of providers or more commonly by not loading
the legacy provider.

PKCS7 data is processed by the SMIME library calls and also by the
time stamp (TS) library calls. The TLS implementation in OpenSSL does
not call these functions however third party applications would be
affected if they call these functions to verify signatures on untrusted
data.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0401

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0464
CVE STATUS: Patched
CVE SUMMARY: A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints.  Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0464

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0465
CVE STATUS: Patched
CVE SUMMARY: Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by
OpenSSL and other certificate policy checks are skipped for that certificate.
A malicious CA could use this to deliberately assert invalid certificate policies
in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0465

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0466
CVE STATUS: Patched
CVE SUMMARY: The function X509_VERIFY_PARAM_add0_policy() is documented to
implicitly enable the certificate policy check when doing certificate
verification. However the implementation of the function does not
enable the check which allows certificates with invalid or incorrect
policies to pass the certificate verification.

As suddenly enabling the policy check could break existing deployments it was
decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
function.

Instead the applications that require OpenSSL to perform certificate
policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly
enable the policy check by calling X509_VERIFY_PARAM_set_flags() with
the X509_V_FLAG_POLICY_CHECK flag argument.

Certificate policy checks are disabled by default in OpenSSL and are not
commonly used by applications.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0466

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-1255
CVE STATUS: Patched
CVE SUMMARY: Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM
platform contains a bug that could cause it to read past the input buffer,
leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM
platform can crash in rare circumstances. The AES-XTS algorithm is usually
used for disk encryption.

The AES-XTS cipher decryption implementation for 64 bit ARM platform will read
past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16
byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext
buffer is unmapped, this will trigger a crash which results in a denial of
service.

If an attacker can control the size and location of the ciphertext buffer
being decrypted by an application using AES-XTS on 64 bit ARM, the
application is affected. This is fairly unlikely making this issue
a Low severity one.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1255

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-2650
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -
most of which have no size limit.  OBJ_obj2txt() may be used to translate
an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL
type ASN1_OBJECT) to its canonical numeric text form, which are the
sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by
periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large
(these are sizes that are seen as absurdly large, taking up tens or hundreds
of KiBs), the translation to a decimal number in text may take a very long
time.  The time complexity is O(n^2) with 'n' being the size of the
sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names /
identifiers in string form was introduced.  This includes using OBJECT
IDENTIFIERs in canonical numeric text form as identifiers for fetching
algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure
AlgorithmIdentifier, which is commonly used in multiple protocols to specify
what cryptographic algorithm should be used to sign or verify, encrypt or
decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are
affected, with any version of OpenSSL.  If the use is for the mere purpose
of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,
CMS, CMP/CRMF or TS.  It also impacts anything that processes X.509
certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a
100KiB limit on the peer's certificate chain.  Additionally, this only
impacts clients, or servers that have explicitly enabled client
authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,
such as X.509 certificates.  This is assumed to not happen in such a way
that it would cause a Denial of Service, so these versions are considered
not affected by this issue in such a way that it would be cause for concern,
and the severity is therefore considered low.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2650

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-2975
CVE STATUS: Patched
CVE SUMMARY: Issue summary: The AES-SIV cipher implementation contains a bug that causes
it to ignore empty associated data entries which are unauthenticated as
a consequence.

Impact summary: Applications that use the AES-SIV algorithm and want to
authenticate empty data entries as associated data can be misled by removing,
adding or reordering such empty entries as these are ignored by the OpenSSL
implementation. We are currently unaware of any such applications.

The AES-SIV algorithm allows for authentication of multiple associated
data entries along with the encryption. To authenticate empty data the
application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with
NULL pointer as the output buffer and 0 as the input buffer length.
The AES-SIV implementation in OpenSSL just returns success for such a call
instead of performing the associated data authentication operation.
The empty data thus will not be authenticated.

As this issue does not affect non-empty associated data authentication and
we expect it to be rare for an application to use empty associated data
entries this is qualified as Low severity issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2975

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-3446
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those
checks confirms that the modulus ('p' parameter) is not too large. Trying to use
a very large modulus is slow and OpenSSL will not normally use a modulus which
is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus value
even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulernable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the '-check' option.

The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3446

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-3817
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A correct q value,
if present, cannot be larger than the modulus p parameter, thus it is
unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3817

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-4807
CVE STATUS: Patched
CVE SUMMARY: Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions.

Impact summary: If in an application that uses the OpenSSL library an attacker
can influence whether the POLY1305 MAC algorithm is used, the application
state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL does
not save the contents of non-volatile XMM registers on Windows 64 platform
when calculating the MAC of data larger than 64 bytes. Before returning to
the caller all the XMM registers are set to zero rather than restoring their
previous content. The vulnerable code is used only on newer x86_64 processors
supporting the AVX512-IFMA instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However given the contents of the registers are just zeroized so
the attacker cannot put arbitrary values inside, the most likely consequence,
if any, would be an incorrect result of some application dependent
calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3 and a malicious client can influence whether this AEAD
cipher is used by the server. This implies that server applications using
OpenSSL can be potentially impacted. However we are currently not aware of
any concrete application that would be affected by this issue therefore we
consider this a Low severity security issue.

As a workaround the AVX512-IFMA instructions support can be disabled at
runtime by setting the environment variable OPENSSL_ia32cap:

   OPENSSL_ia32cap=:~0x200000

The FIPS provider is not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4807

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-5363
CVE STATUS: Patched
CVE SUMMARY: Issue summary: A bug has been identified in the processing of key and
initialisation vector (IV) lengths.  This can lead to potential truncation
or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness,
which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after
the key and IV have been established.  Any alterations to the key length,
via the "keylen" parameter or the IV length, via the "ivlen" parameter,
within the OSSL_PARAM array will not take effect as intended, potentially
causing truncation or overreading of these values.  The following ciphers
and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in
loss of confidentiality.  For example, when following NIST's SP 800-38D
section 8.2.1 guidance for constructing a deterministic IV for AES in
GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will
produce incorrect results and could, in some cases, trigger a memory
exception.  However, these issues are not currently assessed as security
critical.

Changing the key and/or IV lengths is not considered to be a common operation
and the vulnerable API was recently introduced. Furthermore it is likely that
application developers will have spotted this problem during testing since
decryption would fail unless both peers in the communication were similarly
vulnerable. For these reasons we expect the probability of an application being
vulnerable to this to be quite low. However if an application is vulnerable then
this issue is considered very serious. For these reasons we have assessed this
issue as Moderate severity overall.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because
the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5363

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-5678
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to
generate an X9.42 DH key may experience long delays.  Likewise, applications
that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of these checks, and is therefore
vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large
P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and
supplies a key or parameters obtained from an untrusted source could be
vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of
other OpenSSL functions.  An application calling any of those other
functions may similarly be affected.  The other functions affected by this
are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable are the OpenSSL pkey command line application when using the
"-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5678

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-6129
CVE STATUS: Patched
CVE SUMMARY: Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC
algorithm is used, the application state might be corrupted with various
application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs restores the contents of vector registers in a different order
than they are saved. Thus the contents of some of these vector registers
are corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However unless the compiler uses the vector registers for storing
pointers, the most likely consequence, if any, would be an incorrect result
of some application dependent calculations or a crash leading to a denial of
service.

The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3. If this cipher is enabled on the server a malicious
client can influence whether this AEAD cipher is used. This implies that
TLS server applications using OpenSSL can be potentially impacted. However
we are currently not aware of any concrete application that would be affected
by this issue therefore we consider this a Low severity security issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6129

LAYER: meta
PACKAGE NAME: openssl
PACKAGE VERSION: 3.2.3
CVE: CVE-2024-0727
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0727

LAYER: meta
PACKAGE NAME: libcap
PACKAGE VERSION: 2.69
CVE: CVE-2011-4099
CVE STATUS: Patched
CVE SUMMARY: The capsh program in libcap before 2.22 does not change the current working directory when the --chroot option is specified, which allows local users to bypass the chroot restrictions via unspecified vectors.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4099

LAYER: meta
PACKAGE NAME: libcap
PACKAGE VERSION: 2.69
CVE: CVE-2023-2602
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2602

LAYER: meta
PACKAGE NAME: libcap
PACKAGE VERSION: 2.69
CVE: CVE-2023-2603
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2603

LAYER: meta
PACKAGE NAME: pixman
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2013-6424
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6424

LAYER: meta
PACKAGE NAME: pixman
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2013-6425
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6425

LAYER: meta
PACKAGE NAME: pixman
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2014-9766
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9766

LAYER: meta
PACKAGE NAME: pixman
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2015-5297
CVE STATUS: Patched
CVE SUMMARY: An integer overflow issue has been reported in the general_composite_rect() function in pixman prior to version 0.32.8. An attacker could exploit this issue to cause an application using pixman to crash or, potentially, execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 6.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5297

LAYER: meta
PACKAGE NAME: pixman
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2022-44638
CVE STATUS: Patched
CVE SUMMARY: In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44638

LAYER: meta
PACKAGE NAME: pixman
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2023-37769
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: stress-test is an uninstalled test
CVE SUMMARY: stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37769

LAYER: meta
PACKAGE NAME: swig-native
PACKAGE VERSION: 4.2.1
CVE: CVE-2023-25344
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to execute arbitrary code via crafted Object.prototype anonymous function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25344

LAYER: meta
PACKAGE NAME: swig-native
PACKAGE VERSION: 4.2.1
CVE: CVE-2023-25345
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to read arbitrary files via the include or extends tags.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25345

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-1999-1439
CVE STATUS: Patched
CVE SUMMARY: gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1439

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2000-1219
CVE STATUS: Patched
CVE SUMMARY: The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1219

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2002-2439
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2439

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2006-1902
CVE STATUS: Patched
CVE SUMMARY: fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is "not correctly interpreting an offset to a pointer as a signed value."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1902

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1367
CVE STATUS: Patched
CVE SUMMARY: gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1367

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1685
CVE STATUS: Patched
CVE SUMMARY: gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1685

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2013-4598
CVE STATUS: Patched
CVE SUMMARY: The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4598

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2015-5276
CVE STATUS: Patched
CVE SUMMARY: The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5276

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2017-11671
CVE STATUS: Patched
CVE SUMMARY: Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11671

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2018-12886
CVE STATUS: Patched
CVE SUMMARY: stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12886

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2019-15847
CVE STATUS: Patched
CVE SUMMARY: The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15847

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-37322
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Is a binutils 2.26 issue, not gcc
CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-3826
CVE STATUS: Patched
CVE SUMMARY: Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3826

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-46195
CVE STATUS: Patched
CVE SUMMARY: GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46195

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2022-27943
CVE STATUS: Patched
CVE SUMMARY: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27943

LAYER: meta
PACKAGE NAME: gcc-runtime
PACKAGE VERSION: 13.3.0
CVE: CVE-2023-4039
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source
CVE SUMMARY: 

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains 
that target AArch64 allows an attacker to exploit an existing buffer 
overflow in dynamically-sized local variables in your application 
without this being detected. This stack-protector failure only applies 
to C99-style dynamically-sized local variables or those created using 
alloca(). The stack-protector operates as intended for statically-sized 
local variables.

The default behavior when the stack-protector 
detects an overflow is to terminate your application, resulting in 
controlled loss of availability. An attacker who can exploit a buffer 
overflow without triggering the stack-protector might be able to change 
program flow control to cause an uncontrolled loss of availability or to
 go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.






CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4039

LAYER: meta-selinux
PACKAGE NAME: libselinux
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2000-0963
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0963

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2002-0062
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package as used in Red Hat Linux, allows local users to gain privileges, related to "routines for moving the physical cursor and scrolling."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0062

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-10684
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10684

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-10685
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10685

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-11112
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11112

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-11113
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11113

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-13728
CVE STATUS: Patched
CVE SUMMARY: There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13728

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-13729
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13729

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-13730
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13730

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-13731
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13731

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-13732
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13732

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-13733
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13733

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-13734
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13734

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2017-16879
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16879

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2018-19211
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19211

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2018-19217
CVE STATUS: Patched
CVE SUMMARY: In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19217

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2019-15547
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are format string issues in printw functions because C format arguments are mishandled.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15547

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2019-15548
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are instr and mvwinstr buffer overflows because interaction with C functions is mishandled.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15548

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2019-17594
CVE STATUS: Patched
CVE SUMMARY: There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17594

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2019-17595
CVE STATUS: Patched
CVE SUMMARY: There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 5.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17595

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2020-19185
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19185

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2020-19186
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19186

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2020-19187
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19187

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2020-19188
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19188

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2020-19189
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19189

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2020-19190
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19190

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2021-39537
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39537

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2022-29458
CVE STATUS: Patched
CVE SUMMARY: ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29458

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2023-29491
CVE STATUS: Patched
CVE SUMMARY: ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29491

LAYER: meta
PACKAGE NAME: ncurses
PACKAGE VERSION: 6.4
CVE: CVE-2023-50495
CVE STATUS: Patched
CVE SUMMARY: NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50495

LAYER: meta
PACKAGE NAME: readline-native
PACKAGE VERSION: 8.2
CVE: CVE-2014-2524
CVE STATUS: Patched
CVE SUMMARY: The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2524

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2014-0172
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed compressed debug section in an ELF file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0172

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2014-9447
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9447

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2016-10254
CVE STATUS: Patched
CVE SUMMARY: The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10254

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2016-10255
CVE STATUS: Patched
CVE SUMMARY: The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10255

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2017-7607
CVE STATUS: Patched
CVE SUMMARY: The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7607

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2017-7608
CVE STATUS: Patched
CVE SUMMARY: The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7608

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2017-7609
CVE STATUS: Patched
CVE SUMMARY: elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7609

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2017-7610
CVE STATUS: Patched
CVE SUMMARY: The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7610

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2017-7611
CVE STATUS: Patched
CVE SUMMARY: The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7611

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2017-7612
CVE STATUS: Patched
CVE SUMMARY: The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7612

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2017-7613
CVE STATUS: Patched
CVE SUMMARY: elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7613

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2018-16062
CVE STATUS: Patched
CVE SUMMARY: dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16062

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2018-16402
CVE STATUS: Patched
CVE SUMMARY: libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16402

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2018-16403
CVE STATUS: Patched
CVE SUMMARY: libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16403

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2018-18310
CVE STATUS: Patched
CVE SUMMARY: An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18310

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2018-18520
CVE STATUS: Patched
CVE SUMMARY: An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18520

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2018-18521
CVE STATUS: Patched
CVE SUMMARY: Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18521

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2018-8769
CVE STATUS: Patched
CVE SUMMARY: elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8769

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2019-7146
CVE STATUS: Patched
CVE SUMMARY: In elfutils 0.175, there is a buffer over-read in the ebl_object_note function in eblobjnote.c in libebl. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted elf file, as demonstrated by eu-readelf.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7146

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2019-7148
CVE STATUS: Patched
CVE SUMMARY: An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a "warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7148

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2019-7149
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7149

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2019-7150
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7150

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2019-7664
CVE STATUS: Patched
CVE SUMMARY: In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7664

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2019-7665
CVE STATUS: Patched
CVE SUMMARY: In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7665

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2020-21047
CVE STATUS: Patched
CVE SUMMARY: The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21047

LAYER: meta
PACKAGE NAME: elfutils
PACKAGE VERSION: 0.191
CVE: CVE-2021-33294
CVE STATUS: Patched
CVE SUMMARY: In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33294

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2008-4316
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either (1) from or (2) to a base64 representation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4316

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2009-3289
CVE STATUS: Patched
CVE SUMMARY: The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3289

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2012-0039
CVE STATUS: Patched
CVE SUMMARY: GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0039

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2018-16428
CVE STATUS: Patched
CVE SUMMARY: In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16428

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2018-16429
CVE STATUS: Patched
CVE SUMMARY: GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16429

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2019-12450
CVE STATUS: Patched
CVE SUMMARY: file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12450

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2019-13012
CVE STATUS: Patched
CVE SUMMARY: The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13012

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2019-9633
CVE STATUS: Patched
CVE SUMMARY: gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9633

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2020-35457
CVE STATUS: Patched
CVE SUMMARY: GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries()." The researcher states that this pattern is undocumented
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35457

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2020-6750
CVE STATUS: Patched
CVE SUMMARY: GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-6750

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2021-27218
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27218

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2021-27219
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27219

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2021-28153
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28153

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2021-3800
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3800

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-29499
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29499

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-32611
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32611

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-32636
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32636

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-32643
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-32665.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32643

LAYER: meta
PACKAGE NAME: glib-2.0
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-32665
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32665

LAYER: meta
PACKAGE NAME: iptables
PACKAGE VERSION: 1.8.10
CVE: CVE-2001-1387
CVE STATUS: Patched
CVE SUMMARY: iptables-save in iptables before 1.2.4 records the "--reject-with icmp-host-prohibited" rule as "--reject-with tcp-reset," which causes iptables to generate different responses than specified by the administrator, possibly leading to an information leak.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1387

LAYER: meta
PACKAGE NAME: iptables
PACKAGE VERSION: 1.8.10
CVE: CVE-2001-1388
CVE STATUS: Patched
CVE SUMMARY: iptables before 1.2.4 does not accurately convert rate limits that are specified on the command line, which could allow attackers or users to generate more or less traffic than intended by the administrator.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1388

LAYER: meta
PACKAGE NAME: iptables
PACKAGE VERSION: 1.8.10
CVE: CVE-2012-2663
CVE STATUS: Patched
CVE SUMMARY: extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  NOTE: the CVE-2012-6638 fix makes this issue less relevant.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2663

LAYER: meta
PACKAGE NAME: iptables
PACKAGE VERSION: 1.8.10
CVE: CVE-2019-11360
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 4.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11360

LAYER: meta
PACKAGE NAME: base-files
PACKAGE VERSION: 3.0.14
CVE: CVE-2018-6557
CVE STATUS: Patched
CVE SUMMARY: The MOTD update script in the base-files package in Ubuntu 18.04 LTS before 10.1ubuntu2.2, and Ubuntu 18.10 before 10.1ubuntu6 incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6557

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2009-0579
CVE STATUS: Patched
CVE SUMMARY: Linux-PAM before 1.0.4 does not enforce the minimum password age (MINDAYS) as specified in /etc/shadow, which allows local users to bypass intended security policy and change their passwords sooner than specified.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0579

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2009-0887
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0887

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2010-3316
CVE STATUS: Patched
CVE SUMMARY: The run_coprocess function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) before 1.1.2 does not check the return values of the setuid, setgid, and setgroups system calls, which might allow local users to read arbitrary files by executing a program that relies on the pam_xauth PAM check.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3316

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2010-3430
CVE STATUS: Patched
CVE SUMMARY: The privilege-dropping implementation in the (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) 1.1.2 does not perform the required setfsgid and setgroups system calls, which might allow local users to obtain sensitive information by leveraging unintended group permissions, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-3435.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3430

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2010-3431
CVE STATUS: Patched
CVE SUMMARY: The privilege-dropping implementation in the (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) 1.1.2 does not check the return value of the setfsuid system call, which might allow local users to obtain sensitive information by leveraging an unintended uid, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-3435.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3431

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2010-3435
CVE STATUS: Patched
CVE SUMMARY: The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before 1.1.2 use root privileges during read access to files and directories that belong to arbitrary user accounts, which might allow local users to obtain sensitive information by leveraging this filesystem activity, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3435

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2010-3853
CVE STATUS: Patched
CVE SUMMARY: pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of the invoking application or service during execution of the namespace.init script, which might allow local users to gain privileges by running a setuid program that relies on the pam_namespace PAM check, as demonstrated by the sudo program.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3853

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2010-4706
CVE STATUS: Patched
CVE SUMMARY: The pam_sm_close_session function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not properly handle a failure to determine a certain target uid, which might allow local users to delete unintended files by executing a program that relies on the pam_xauth PAM check.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4706

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2010-4707
CVE STATUS: Patched
CVE SUMMARY: The check_acl function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not verify that a certain ACL file is a regular file, which might allow local users to cause a denial of service (resource consumption) via a special file.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4707

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2010-4708
CVE STATUS: Patched
CVE SUMMARY: The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the .pam_environment file in a user's home directory, which might allow local users to run programs with an unintended environment by executing a program that relies on the pam_env PAM check.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4708

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2011-3148
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the _assemble_line function in modules/pam_env/pam_env.c in Linux-PAM (aka pam) before 1.1.5 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long string of white spaces at the beginning of the ~/.pam_environment file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3148

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2011-3149
CVE STATUS: Patched
CVE SUMMARY: The _expand_arg function in the pam_env module (modules/pam_env/pam_env.c) in Linux-PAM (aka pam) before 1.1.5 does not properly handle when environment variable expansion can overflow, which allows local users to cause a denial of service (CPU consumption).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3149

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2014-2583
CVE STATUS: Patched
CVE SUMMARY: Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2583

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2015-3238
CVE STATUS: Patched
CVE SUMMARY: The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3238

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2018-17953
CVE STATUS: Patched
CVE SUMMARY: A incorrect variable in a SUSE specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open).
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17953

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2020-27780
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27780

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2022-28321
CVE STATUS: Patched
CVE SUMMARY: The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28321

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2024-10041
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-10041

LAYER: meta
PACKAGE NAME: libpam
PACKAGE VERSION: 1.5.3
CVE: CVE-2024-22365
CVE STATUS: Patched
CVE SUMMARY: linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22365

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2004-1001
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5, allows local users to conduct unauthorized activities when an error from a pam_chauthtok function call is not properly handled.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1001

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2005-4890
CVE STATUS: Patched
CVE SUMMARY: There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4890

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2006-1174
CVE STATUS: Patched
CVE SUMMARY: useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1174

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2006-1844
CVE STATUS: Patched
CVE SUMMARY: The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might allow local users to gain privileges.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1844

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2008-5394
CVE STATUS: Patched
CVE SUMMARY: /bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5394

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2011-0721
CVE STATUS: Patched
CVE SUMMARY: Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0721

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2013-4235
CVE STATUS: Ignored
CVE DETAIL: upstream-wontfix
CVE DESCRIPTION: Severity is low and marked as closed and won't fix.
CVE SUMMARY: shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4235

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2016-6252
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6252

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2017-12424
CVE STATUS: Patched
CVE SUMMARY: In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12424

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2017-20002
CVE STATUS: Patched
CVE SUMMARY: The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-20002

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2018-16588
CVE STATUS: Patched
CVE SUMMARY: Privilege escalation can occur in the SUSE useradd.c code in useradd, as distributed in the SUSE shadow package through 4.2.1-27.9.1 for SUSE Linux Enterprise 12 (SLE-12) and through 4.5-5.39 for SUSE Linux Enterprise 15 (SLE-15). Non-existing intermediate directories are created with mode 0777 during user creation. Given that they are world-writable, local attackers might use this for privilege escalation and other unspecified attacks.  NOTE: this would affect non-SUSE users who took useradd.c code from a 2014-04-02 upstream pull request; however, no non-SUSE distribution is known to be affected.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16588

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2018-7169
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7169

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2019-16110
CVE STATUS: Patched
CVE SUMMARY: The network protocol of Blade Shadow though 2.13.3 allows remote attackers to take control of a Shadow instance and execute arbitrary code by only knowing the victim's IP address, because packet data can be injected into the unencrypted UDP packet stream.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16110

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2019-19882
CVE STATUS: Patched
CVE SUMMARY: shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19882

LAYER: meta
PACKAGE NAME: shadow
PACKAGE VERSION: 4.14.2
CVE: CVE-2023-29383
CVE STATUS: Patched
CVE SUMMARY: In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29383

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2007-5503
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Cairo before 1.4.12 might allow remote attackers to execute arbitrary code, as demonstrated using a crafted PNG image with large width and height values, which is not properly handled by the read_png function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5503

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2014-5116
CVE STATUS: Patched
CVE SUMMARY: The cairo_image_surface_get_data function in Cairo 1.10.2, as used in GTK+ and Wireshark, allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a large string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5116

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2016-3190
CVE STATUS: Patched
CVE SUMMARY: The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3190

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2016-9082
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the write_png function in cairo 1.14.6 allows remote attackers to cause a denial of service (invalid pointer dereference) via a large svg file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9082

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2017-7475
CVE STATUS: Patched
CVE SUMMARY: Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7475

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2017-9814
CVE STATUS: Patched
CVE SUMMARY: cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9814

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2018-18064
CVE STATUS: Patched
CVE SUMMARY: cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18064

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2018-19876
CVE STATUS: Patched
CVE SUMMARY: cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a "free(): invalid pointer" error.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19876

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2019-6461
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6461

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2019-6462
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6462

LAYER: meta
PACKAGE NAME: cairo
PACKAGE VERSION: 1.18.0
CVE: CVE-2020-35492
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35492

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2004-1001
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5, allows local users to conduct unauthorized activities when an error from a pam_chauthtok function call is not properly handled.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1001

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2005-4890
CVE STATUS: Patched
CVE SUMMARY: There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4890

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2006-1174
CVE STATUS: Patched
CVE SUMMARY: useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1174

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2006-1844
CVE STATUS: Patched
CVE SUMMARY: The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might allow local users to gain privileges.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1844

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2008-5394
CVE STATUS: Patched
CVE SUMMARY: /bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5394

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2011-0721
CVE STATUS: Patched
CVE SUMMARY: Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0721

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2013-4235
CVE STATUS: Ignored
CVE DETAIL: upstream-wontfix
CVE DESCRIPTION: Severity is low and marked as closed and won't fix.
CVE SUMMARY: shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4235

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2016-6252
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6252

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2017-12424
CVE STATUS: Patched
CVE SUMMARY: In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12424

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2017-20002
CVE STATUS: Patched
CVE SUMMARY: The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-20002

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2018-16588
CVE STATUS: Patched
CVE SUMMARY: Privilege escalation can occur in the SUSE useradd.c code in useradd, as distributed in the SUSE shadow package through 4.2.1-27.9.1 for SUSE Linux Enterprise 12 (SLE-12) and through 4.5-5.39 for SUSE Linux Enterprise 15 (SLE-15). Non-existing intermediate directories are created with mode 0777 during user creation. Given that they are world-writable, local attackers might use this for privilege escalation and other unspecified attacks.  NOTE: this would affect non-SUSE users who took useradd.c code from a 2014-04-02 upstream pull request; however, no non-SUSE distribution is known to be affected.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16588

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2018-7169
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7169

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2019-16110
CVE STATUS: Patched
CVE SUMMARY: The network protocol of Blade Shadow though 2.13.3 allows remote attackers to take control of a Shadow instance and execute arbitrary code by only knowing the victim's IP address, because packet data can be injected into the unencrypted UDP packet stream.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16110

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2019-19882
CVE STATUS: Patched
CVE SUMMARY: shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19882

LAYER: meta
PACKAGE NAME: shadow-native
PACKAGE VERSION: 4.14.2
CVE: CVE-2023-29383
CVE STATUS: Patched
CVE SUMMARY: In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29383

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-1999-0199
CVE STATUS: Patched
CVE SUMMARY: manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a statement about the unspecified tdelete return value upon deletion of a tree's root, which might allow attackers to access a dangling pointer in an application whose developer was unaware of a documentation update from 1999.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0199

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2000-0335
CVE STATUS: Patched
CVE SUMMARY: The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0335

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2000-0824
CVE STATUS: Patched
CVE SUMMARY: The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0824

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2000-0959
CVE STATUS: Patched
CVE SUMMARY: glibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG environmental variables when a program is spawned from a setuid program, which could allow local users to overwrite files via a symlink attack.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0959

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2002-0684
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0684

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2002-1146
CVE STATUS: Patched
CVE SUMMARY: The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1146

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2002-1265
CVE STATUS: Patched
CVE SUMMARY: The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1265

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2003-0028
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0028

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2003-0859
CVE STATUS: Patched
CVE SUMMARY: The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0859

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2004-0968
CVE STATUS: Patched
CVE SUMMARY: The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0968

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2004-1382
CVE STATUS: Patched
CVE SUMMARY: The glibcbug script in glibc 2.3.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2004-0968.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1382

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2004-1453
CVE STATUS: Patched
CVE SUMMARY: GNU glibc 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, and 2.3.2 before 2.3.2-r10 does not restrict the use of LD_DEBUG for a setuid program, which allows local users to gain sensitive information, such as the list of symbols used by the program.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1453

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2005-3590
CVE STATUS: Patched
CVE SUMMARY: The getgrouplist function in the GNU C library (glibc) before version 2.3.5, when invoked with a zero argument, writes to the passed pointer even if the specified array size is zero, leading to a buffer overflow and potentially allowing attackers to corrupt memory.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3590

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2006-7254
CVE STATUS: Patched
CVE SUMMARY: The nscd daemon in the GNU C Library (glibc) before version 2.5 does not close incoming client sockets if they cannot be handled by the daemon, allowing local users to carry out a denial of service attack on the daemon.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7254

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2007-3508
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the process_envvars function in elf/rtld.c in glibc before 2.5-rc4 might allow local users to execute arbitrary code via a large LD_HWCAP_MASK environment variable value.  NOTE: the glibc maintainers state that they do not believe that this issue is exploitable for code execution
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3508

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2009-4880
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4880

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2009-4881
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4881

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2009-5029
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5029

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2009-5064
CVE STATUS: Patched
CVE SUMMARY: ldd in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows local users to gain privileges via a Trojan horse executable file linked with a modified loader that omits certain LD_TRACE_LOADED_OBJECTS checks.  NOTE: the GNU C Library vendor states "This is just nonsense. There are a gazillion other ways to introduce code if people are downloading arbitrary binaries and install them in appropriate directories or set LD_LIBRARY_PATH etc.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5064

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2009-5155
CVE STATUS: Patched
CVE SUMMARY: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5155

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2010-0015
CVE STATUS: Patched
CVE SUMMARY: nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0015

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2010-0296
CVE STATUS: Patched
CVE SUMMARY: The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0296

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2010-0830
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0830

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2010-3192
CVE STATUS: Patched
CVE SUMMARY: Certain run-time memory protection mechanisms in the GNU C Library (aka glibc or libc6) print argv[0] and backtrace information, which might allow context-dependent attackers to obtain sensitive information from process memory by executing an incorrect program, as demonstrated by a setuid program that contains a stack-based buffer overflow error, related to the __fortify_fail function in debug/fortify_fail.c, and the __stack_chk_fail (aka stack protection) and __chk_fail (aka FORTIFY_SOURCE) implementations.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3192

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2010-3847
CVE STATUS: Patched
CVE SUMMARY: elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3847

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2010-3856
CVE STATUS: Patched
CVE SUMMARY: ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3856

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2010-4051
CVE STATUS: Patched
CVE SUMMARY: The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4051

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2010-4052
CVE STATUS: Patched
CVE SUMMARY: Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4052

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2010-4756
CVE STATUS: Unpatched
CVE SUMMARY: The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4756

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2011-0536
CVE STATUS: Patched
CVE SUMMARY: Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0536

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2011-1071
CVE STATUS: Patched
CVE SUMMARY: The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension attack," a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1071

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2011-1089
CVE STATUS: Patched
CVE SUMMARY: The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1089

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2011-1095
CVE STATUS: Patched
CVE SUMMARY: locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1095

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2011-1658
CVE STATUS: Patched
CVE SUMMARY: ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the $ORIGIN dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value, and then executing the program with a crafted value for the LD_PRELOAD environment variable, a different vulnerability than CVE-2010-3847 and CVE-2011-0536.  NOTE: it is not expected that any standard operating-system distribution would ship an applicable setuid or setgid program.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1658

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2011-1659
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1659

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2011-2702
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in Glibc before 2.13 and eglibc before 2.13, when using Supplemental Streaming SIMD Extensions 3 (SSSE3) optimization, allows context-dependent attackers to execute arbitrary code via a negative length parameter to (1) memcpy-ssse3-rep.S, (2) memcpy-ssse3.S, or (3) memset-sse2.S in sysdeps/i386/i686/multiarch/, which triggers an out-of-bounds read, as demonstrated using the memcpy function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2702

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2011-4609
CVE STATUS: Patched
CVE SUMMARY: The svc_run function in the RPC implementation in glibc before 2.15 allows remote attackers to cause a denial of service (CPU consumption) via a large number of RPC connections.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4609

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2011-5320
CVE STATUS: Patched
CVE SUMMARY: scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5320

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2012-0864
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the vfprintf function in stdio-common/vfprintf.c in glibc 2.14 and other versions allows context-dependent attackers to bypass the FORTIFY_SOURCE protection mechanism, conduct format string attacks, and write to arbitrary memory via a large number of arguments.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0864

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2012-3404
CVE STATUS: Patched
CVE SUMMARY: The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.12 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (stack corruption and crash) via a format string that uses positional parameters and many format specifiers.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3404

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2012-3405
CVE STATUS: Patched
CVE SUMMARY: The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.14 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (segmentation fault and crash) via a format string with a large number of format specifiers that triggers "desynchronization within the buffer size handling," a different vulnerability than CVE-2012-3404.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3405

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2012-3406
CVE STATUS: Patched
CVE SUMMARY: The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3406

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2012-3480
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, (4) strtod_l, and other unspecified "related functions" in stdlib in GNU C Library (aka glibc or libc6) 2.16 allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3480

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2012-4412
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4412

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2012-4424
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4424

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2012-6656
CVE STATUS: Patched
CVE SUMMARY: iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allows context-dependent attackers to cause a denial of service (out-of-bounds read) via a multibyte character value of "0xffff" to the iconv function when converting IBM930 encoded data to UTF-8.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6656

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2013-0242
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0242

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2013-1914
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1914

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2013-2207
CVE STATUS: Patched
CVE SUMMARY: pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2207

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2013-4237
CVE STATUS: Patched
CVE SUMMARY: sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted (1) NTFS or (2) CIFS image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4237

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2013-4332
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in malloc/malloc.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the (1) pvalloc, (2) valloc, (3) posix_memalign, (4) memalign, or (5) aligned_alloc functions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4332

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2013-4458
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.18 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of AF_INET6 address results.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1914.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4458

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2013-4788
CVE STATUS: Patched
CVE SUMMARY: The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4788

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2013-7423
CVE STATUS: Patched
CVE SUMMARY: The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7423

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2013-7424
CVE STATUS: Patched
CVE SUMMARY: The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7424

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2014-0475
CVE STATUS: Patched
CVE SUMMARY: Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0475

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2014-4043
CVE STATUS: Patched
CVE SUMMARY: The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4043

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2014-5119
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5119

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2014-6040
CVE STATUS: Patched
CVE SUMMARY: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6040

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2014-7817
CVE STATUS: Patched
CVE SUMMARY: The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7817

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2014-8121
CVE STATUS: Patched
CVE SUMMARY: DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8121

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2014-9402
CVE STATUS: Patched
CVE SUMMARY: The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9402

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2014-9761
CVE STATUS: Patched
CVE SUMMARY: Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9761

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2014-9984
CVE STATUS: Patched
CVE SUMMARY: nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9984

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-0235
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0235

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-1472
CVE STATUS: Patched
CVE SUMMARY: The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during memory allocation, which allows context-dependent attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long line containing wide characters that are improperly handled in a wscanf call.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1472

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-1473
CVE STATUS: Patched
CVE SUMMARY: The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during a risk-management decision for use of the alloca function, which might allow context-dependent attackers to cause a denial of service (segmentation violation) or overwrite memory locations beyond the stack boundary via a long line containing wide characters that are improperly handled in a wscanf call.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1473

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-1781
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1781

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-20109
CVE STATUS: Patched
CVE SUMMARY: end_pattern (called from internal_fnmatch) in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash), as demonstrated by use of the fnmatch library function with the **(!() pattern. NOTE: this is not the same as CVE-2015-8984; also, some Linux distributions have fixed CVE-2015-8984 but have not fixed this additional fnmatch issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-20109

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-5180
CVE STATUS: Patched
CVE SUMMARY: res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5180

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-5277
CVE STATUS: Patched
CVE SUMMARY: The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5277

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-7547
CVE STATUS: Patched
CVE SUMMARY: Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7547

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-8776
CVE STATUS: Patched
CVE SUMMARY: The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8776

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-8777
CVE STATUS: Patched
CVE SUMMARY: The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8777

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-8778
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8778

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-8779
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8779

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-8982
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8982

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-8983
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8983

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-8984
CVE STATUS: Patched
CVE SUMMARY: The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8984

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2015-8985
CVE STATUS: Patched
CVE SUMMARY: The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8985

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2016-10228
CVE STATUS: Patched
CVE SUMMARY: The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10228

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2016-10739
CVE STATUS: Patched
CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10739

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2016-1234
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1234

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2016-3075
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3075

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2016-3706
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3706

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2016-4429
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4429

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2016-5417
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the __res_vinit function in the IPv6 name server management code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows remote attackers to cause a denial of service (memory consumption) by leveraging partial initialization of internal resolver data structures.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5417

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2016-6323
CVE STATUS: Patched
CVE SUMMARY: The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6323

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-1000366
CVE STATUS: Patched
CVE SUMMARY: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000366

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-1000408
CVE STATUS: Patched
CVE SUMMARY: A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000408

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-1000409
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000409

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-12132
CVE STATUS: Patched
CVE SUMMARY: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12132

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-12133
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12133

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-15670
CVE STATUS: Patched
CVE SUMMARY: The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15670

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-15671
CVE STATUS: Patched
CVE SUMMARY: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15671

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-15804
CVE STATUS: Patched
CVE SUMMARY: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15804

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-16997
CVE STATUS: Patched
CVE SUMMARY: elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16997

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-17426
CVE STATUS: Patched
CVE SUMMARY: The malloc function in the GNU C Library (aka glibc or libc6) 2.26 could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, potentially leading to a subsequent heap overflow. This occurs because the per-thread cache (aka tcache) feature enables a code path that lacks an integer overflow check.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17426

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-18269
CVE STATUS: Patched
CVE SUMMARY: An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18269

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2017-8804
CVE STATUS: Patched
CVE SUMMARY: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. NOTE: [Information provided from upstream and references
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8804

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2018-1000001
CVE STATUS: Patched
CVE SUMMARY: In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000001

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2018-11236
CVE STATUS: Patched
CVE SUMMARY: stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11236

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2018-11237
CVE STATUS: Patched
CVE SUMMARY: An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11237

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2018-19591
CVE STATUS: Patched
CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19591

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2018-20796
CVE STATUS: Patched
CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20796

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2018-6485
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6485

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2018-6551
CVE STATUS: Patched
CVE SUMMARY: The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6551

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-1010022
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat.
CVE SUMMARY: GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010022

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-1010023
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat.
CVE SUMMARY: GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010023

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-1010024
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat.
CVE SUMMARY: GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010024

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-1010025
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow easier access for another. 'ASLR bypass itself is not a vulnerability.'
CVE SUMMARY: GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010025

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-19126
CVE STATUS: Patched
CVE SUMMARY: On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19126

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-25013
CVE STATUS: Patched
CVE SUMMARY: The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-25013

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-6488
CVE STATUS: Patched
CVE SUMMARY: The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6488

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-7309
CVE STATUS: Patched
CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7309

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-9169
CVE STATUS: Patched
CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9169

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2019-9192
CVE STATUS: Patched
CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\1\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9192

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2020-10029
CVE STATUS: Patched
CVE SUMMARY: The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10029

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2020-1751
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 5.9
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1751

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2020-1752
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1752

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2020-27618
CVE STATUS: Patched
CVE SUMMARY: The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27618

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2020-29562
CVE STATUS: Patched
CVE SUMMARY: The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29562

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2020-29573
CVE STATUS: Patched
CVE SUMMARY: sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of "Fixed for glibc 2.33" in the 26649 reference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29573

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2020-6096
CVE STATUS: Patched
CVE SUMMARY: An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-6096

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2021-27645
CVE STATUS: Patched
CVE SUMMARY: The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 2.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27645

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2021-3326
CVE STATUS: Patched
CVE SUMMARY: The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3326

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2021-33574
CVE STATUS: Patched
CVE SUMMARY: The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33574

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2021-35942
CVE STATUS: Patched
CVE SUMMARY: The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35942

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2021-38604
CVE STATUS: Patched
CVE SUMMARY: In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38604

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2021-3998
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3998

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2021-3999
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3999

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2021-43396
CVE STATUS: Patched
CVE SUMMARY: In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43396

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2022-23218
CVE STATUS: Patched
CVE SUMMARY: The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23218

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2022-23219
CVE STATUS: Patched
CVE SUMMARY: The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23219

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2022-39046
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39046

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-0687
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0687

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-25139
CVE STATUS: Patched
CVE SUMMARY: sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25139

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-4527
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4527

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-4806
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4806

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-4813
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4813

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-4911
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4911

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-5156
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5156

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-6246
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6246

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-6779
CVE STATUS: Patched
CVE SUMMARY: An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6779

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2023-6780
CVE STATUS: Patched
CVE SUMMARY: An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6780

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2024-2961
CVE STATUS: Patched
CVE DETAIL: cpe-stable-backport
CVE DESCRIPTION: fix available in used git hash
CVE SUMMARY: The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-2961

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2024-33599
CVE STATUS: Patched
CVE DETAIL: cpe-stable-backport
CVE DESCRIPTION: fix available in used git hash
CVE SUMMARY: nscd: Stack-based buffer overflow in netgroup cache

If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted
by client requests then a subsequent client request for netgroup data
may result in a stack-based buffer overflow.  This flaw was introduced
in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 0.0
VECTOR: UNKNOWN
VECTORSTRING: UNKNOWN
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33599

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2024-33600
CVE STATUS: Patched
CVE DETAIL: cpe-stable-backport
CVE DESCRIPTION: fix available in used git hash
CVE SUMMARY: nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found
netgroup response to the cache, the client request can result in a null
pointer dereference.  This flaw was introduced in glibc 2.15 when the
cache was added to nscd.

This vulnerability is only present in the nscd binary.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 0.0
VECTOR: UNKNOWN
VECTORSTRING: UNKNOWN
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33600

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2024-33601
CVE STATUS: Patched
CVE DETAIL: cpe-stable-backport
CVE DESCRIPTION: fix available in used git hash
CVE SUMMARY: nscd: netgroup cache may terminate daemon on memory allocation failure

The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or
xrealloc and these functions may terminate the process due to a memory
allocation failure resulting in a denial of service to the clients.  The
flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33601

LAYER: meta
PACKAGE NAME: glibc
PACKAGE VERSION: 2.39+git
CVE: CVE-2024-33602
CVE STATUS: Patched
CVE DETAIL: cpe-stable-backport
CVE DESCRIPTION: fix available in used git hash
CVE SUMMARY: nscd: netgroup cache assumes NSS callback uses in-buffer strings

The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory
when the NSS callback does not store all strings in the provided buffer.
The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33602

LAYER: meta
PACKAGE NAME: libtool-cross
PACKAGE VERSION: 2.4.7
CVE: CVE-2004-0256
CVE STATUS: Patched
CVE SUMMARY: GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0256

LAYER: meta
PACKAGE NAME: libtool-cross
PACKAGE VERSION: 2.4.7
CVE: CVE-2009-3736
CVE STATUS: Patched
CVE SUMMARY: ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3736

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2001-1147
CVE STATUS: Patched
CVE SUMMARY: The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1147

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2001-1175
CVE STATUS: Patched
CVE SUMMARY: vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1175

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2001-1494
CVE STATUS: Patched
CVE SUMMARY: script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1494

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2003-0094
CVE STATUS: Patched
CVE SUMMARY: A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0094

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2004-0080
CVE STATUS: Patched
CVE SUMMARY: The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0080

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2005-2876
CVE STATUS: Patched
CVE SUMMARY: umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2876

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2006-7108
CVE STATUS: Patched
CVE SUMMARY: login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok.
CVSS v2 BASE SCORE: 4.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7108

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2007-5191
CVE STATUS: Patched
CVE SUMMARY: mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5191

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2008-1926
CVE STATUS: Patched
CVE SUMMARY: Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1926

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2011-1675
CVE STATUS: Patched
CVE SUMMARY: mount in util-linux 2.19 and earlier attempts to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1675

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2011-1676
CVE STATUS: Patched
CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1676

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2011-1677
CVE STATUS: Patched
CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1677

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2013-0157
CVE STATUS: Patched
CVE SUMMARY: (a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0157

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2014-9114
CVE STATUS: Patched
CVE SUMMARY: Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9114

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2015-5218
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5218

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2015-5224
CVE STATUS: Patched
CVE SUMMARY: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5224

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2016-2779
CVE STATUS: Patched
CVE SUMMARY: runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2779

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2016-5011
CVE STATUS: Patched
CVE SUMMARY: The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5011

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2017-2616
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2616

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2018-7738
CVE STATUS: Patched
CVE SUMMARY: In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7738

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2020-21583
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21583

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2021-37600
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37600

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2021-3995
CVE STATUS: Patched
CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3995

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2021-3996
CVE STATUS: Patched
CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3996

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2022-0563
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0563

LAYER: meta
PACKAGE NAME: util-linux
PACKAGE VERSION: 2.39.3
CVE: CVE-2024-28085
CVE STATUS: Patched
CVE SUMMARY: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-28085

LAYER: meta
PACKAGE NAME: util-linux-libuuid-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2024-28085
CVE STATUS: Patched
CVE SUMMARY: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-28085

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2012-0871
CVE STATUS: Patched
CVE SUMMARY: The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.
CVSS v2 BASE SCORE: 6.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0871

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2012-1101
CVE STATUS: Patched
CVE SUMMARY: systemd 37-1 does not properly handle non-existent services, which causes a denial of service (failure of login procedure).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1101

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2012-1174
CVE STATUS: Patched
CVE SUMMARY: The rm_rf_children function in util.c in the systemd-logind login manager in systemd before 44, when logging out, allows local users to delete arbitrary files via a symlink attack on unspecified files, related to "particular records related with user session."
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1174

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2013-4327
CVE STATUS: Patched
CVE SUMMARY: systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4327

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2013-4391
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large journal data field, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4391

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2013-4392
CVE STATUS: Patched
CVE SUMMARY: systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4392

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2013-4393
CVE STATUS: Patched
CVE SUMMARY: journald in systemd, when the origin of native messages is set to file, allows local users to cause a denial of service (logging service blocking) via a crafted file descriptor.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4393

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2013-4394
CVE STATUS: Patched
CVE SUMMARY: The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the group to modify the Xorg X11 Server configuration file and possibly gain privileges via vectors involving "special and control characters."
CVSS v2 BASE SCORE: 5.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4394

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2015-7510
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7510

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2016-10156
CVE STATUS: Patched
CVE SUMMARY: A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10156

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2016-7795
CVE STATUS: Patched
CVE SUMMARY: The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7795

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2016-7796
CVE STATUS: Patched
CVE SUMMARY: The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be returned and the notification handler to be disabled.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7796

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2017-1000082
CVE STATUS: Patched
CVE SUMMARY: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000082

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2017-15908
CVE STATUS: Patched
CVE SUMMARY: In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15908

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2017-18078
CVE STATUS: Patched
CVE SUMMARY: systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18078

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2017-9217
CVE STATUS: Patched
CVE SUMMARY: systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9217

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2017-9445
CVE STATUS: Patched
CVE SUMMARY: In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9445

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-1049
CVE STATUS: Patched
CVE SUMMARY: In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1049

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-15686
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15686

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-15687
CVE STATUS: Patched
CVE SUMMARY: A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15687

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-15688
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15688

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-16864
CVE STATUS: Patched
CVE SUMMARY: An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16864

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-16865
CVE STATUS: Patched
CVE SUMMARY: An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16865

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-16866
CVE STATUS: Patched
CVE SUMMARY: An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16866

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-16888
CVE STATUS: Patched
CVE SUMMARY: It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16888

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-20839
CVE STATUS: Patched
CVE SUMMARY: systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20839

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-21029
CVE STATUS: Patched
CVE SUMMARY: systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent)
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21029

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2018-6954
CVE STATUS: Patched
CVE SUMMARY: systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6954

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2019-15718
CVE STATUS: Patched
CVE SUMMARY: In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15718

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2019-20386
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 2.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20386

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2019-3842
CVE STATUS: Patched
CVE SUMMARY: In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any".
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 4.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3842

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2019-3843
CVE STATUS: Patched
CVE SUMMARY: It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 4.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3843

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2019-3844
CVE STATUS: Patched
CVE SUMMARY: It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 4.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3844

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2019-6454
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6454

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2020-13529
CVE STATUS: Patched
CVE SUMMARY: An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 6.1
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13529

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2020-13776
CVE STATUS: Patched
CVE SUMMARY: systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13776

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2020-1712
CVE STATUS: Patched
CVE SUMMARY: A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1712

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2021-33910
CVE STATUS: Patched
CVE SUMMARY: basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33910

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2021-3997
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3997

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2022-2526
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2526

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2022-3821
CVE STATUS: Patched
CVE SUMMARY: An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3821

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2022-4415
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4415

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2022-45873
CVE STATUS: Patched
CVE SUMMARY: systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45873

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2023-26604
CVE STATUS: Patched
CVE SUMMARY: systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26604

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2023-31437
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31437

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2023-31438
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31438

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2023-31439
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31439

LAYER: meta
PACKAGE NAME: systemd
PACKAGE VERSION: 1_255.4
CVE: CVE-2023-7008
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7008

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2001-1268
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1268

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2001-1269
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the '/' (slash) character.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1269

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2003-0282
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0282

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2005-0602
CVE STATUS: Patched
CVE SUMMARY: Unzip 5.51 and earlier does not properly warn the user when extracting setuid or setgid files, which may allow local users to gain privileges.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0602

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2005-2475
CVE STATUS: Patched
CVE SUMMARY: Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2475

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2005-4667
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command line argument.  NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4667

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2008-0888
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
CVE SUMMARY: The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0888

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-8139
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8139

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-8140
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8140

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-8141
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8141

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-9636
CVE STATUS: Patched
CVE SUMMARY: unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9636

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-9913
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9913

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2015-1315
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1315

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2015-7696
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7696

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2015-7697
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7697

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2016-9844
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9844

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000031
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000031

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000032
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000032

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000033
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000033

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000034
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000034

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000035
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000035

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-18384
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18384

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2019-13232
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13232

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2020-36561
CVE STATUS: Patched
CVE SUMMARY: Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36561

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2021-4217
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4217

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2022-0529
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0529

LAYER: meta
PACKAGE NAME: unzip-native
PACKAGE VERSION: 1_6.0
CVE: CVE-2022-0530
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0530

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2002-1119
CVE STATUS: Patched
CVE SUMMARY: os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1119

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2004-0150
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0150

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2005-0089
CVE STATUS: Patched
CVE SUMMARY: The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0089

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2006-1542
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a "stack overflow," and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function.  NOTE: this might not be a vulnerability. However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1542

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2006-4980
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4980

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2007-1657
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1657

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2007-2052
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2052

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2007-4559
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Upstream consider this expected behaviour
CVE SUMMARY: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4559

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2007-4965
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4965

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-1679
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows.  NOTE: this issue is due to an incomplete fix for CVE-2007-4965.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1679

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-1721
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1721

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-1887
CVE STATUS: Patched
CVE SUMMARY: Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1887

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-2315
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules.  NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2315

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-2316
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to "partial hashlib hashing of data exceeding 4GB."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2316

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-3142
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3142

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-3143
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3143

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-3144
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations.  NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3144

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-4108
CVE STATUS: Patched
CVE SUMMARY: Tools/faqwiz/move-faqwiz.sh (aka the generic FAQ wizard moving tool) in Python 2.4.5 might allow local users to overwrite arbitrary files via a symlink attack on a tmp$RANDOM.tmp temporary file.  NOTE: there may not be common usage scenarios in which tmp$RANDOM.tmp is located in an untrusted directory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4108

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-4864
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4864

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-5031
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c.  NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5031

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-5983
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5983

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2009-4134
CVE STATUS: Patched
CVE SUMMARY: Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4134

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-1449
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1449

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-1450
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1450

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-1634
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1634

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-2089
CVE STATUS: Patched
CVE SUMMARY: The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2089

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-3492
CVE STATUS: Patched
CVE SUMMARY: The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3492

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-3493
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3493

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2011-1015
CVE STATUS: Patched
CVE SUMMARY: The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1015

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2011-1521
CVE STATUS: Patched
CVE SUMMARY: The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1521

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2011-4940
CVE STATUS: Patched
CVE SUMMARY: The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4940

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2011-4944
CVE STATUS: Patched
CVE SUMMARY: Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4944

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2012-0845
CVE STATUS: Patched
CVE SUMMARY: SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0845

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2012-0876
CVE STATUS: Patched
CVE SUMMARY: The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0876

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2012-1150
CVE STATUS: Patched
CVE SUMMARY: Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1150

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2012-2135
CVE STATUS: Patched
CVE SUMMARY: The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2135

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-0340
CVE STATUS: Patched
CVE SUMMARY: expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0340

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-1753
CVE STATUS: Patched
CVE SUMMARY: The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1753

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-2099
CVE STATUS: Patched
CVE SUMMARY: Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2099

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-4238
CVE STATUS: Patched
CVE SUMMARY: The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4238

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-7040
CVE STATUS: Patched
CVE SUMMARY: Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7040

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-7338
CVE STATUS: Patched
CVE SUMMARY: Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7338

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-7440
CVE STATUS: Patched
CVE SUMMARY: The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7440

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-0224
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0224

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-1912
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1912

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-2667
CVE STATUS: Patched
CVE SUMMARY: Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2667

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-4616
CVE STATUS: Patched
CVE SUMMARY: Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4616

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-4650
CVE STATUS: Patched
CVE SUMMARY: The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4650

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-7185
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7185

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-9365
CVE STATUS: Patched
CVE SUMMARY: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9365

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2015-1283
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1283

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2015-20107
CVE STATUS: Ignored
CVE DETAIL: upstream-wontfix
CVE DESCRIPTION: The mailcap module is insecure by design, so this can't be fixed in a meaningful way
CVE SUMMARY: In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9
CVSS v2 BASE SCORE: 8.0
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:C/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-20107

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2015-5652
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory.  NOTE: the vendor says "It was determined that this is a longtime behavior of Python that cannot really be altered at this point."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5652

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-0718
CVE STATUS: Patched
CVE SUMMARY: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0718

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-0772
CVE STATUS: Patched
CVE SUMMARY: The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0772

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-1000110
CVE STATUS: Patched
CVE SUMMARY: The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1000110

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-2183
CVE STATUS: Patched
CVE SUMMARY: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2183

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-3189
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3189

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-4472
CVE STATUS: Patched
CVE SUMMARY: The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4472

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-5636
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5636

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-5699
CVE STATUS: Patched
CVE SUMMARY: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5699

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-9063
CVE STATUS: Patched
CVE SUMMARY: An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9063

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-1000158
CVE STATUS: Patched
CVE SUMMARY: CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000158

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-17522
CVE STATUS: Patched
CVE SUMMARY: Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17522

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-18207
CVE STATUS: Patched
CVE SUMMARY: The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications "need to be prepared to handle a wide variety of exceptions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18207

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-20052
CVE STATUS: Patched
CVE SUMMARY: A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 5.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-20052

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-9233
CVE STATUS: Patched
CVE SUMMARY: XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9233

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1000030
CVE STATUS: Patched
CVE SUMMARY: Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 3.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000030

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1000117
CVE STATUS: Patched
CVE SUMMARY: Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000117

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1000802
CVE STATUS: Patched
CVE SUMMARY: Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000802

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1060
CVE STATUS: Patched
CVE SUMMARY: python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1060

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1061
CVE STATUS: Patched
CVE SUMMARY: python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method.  An attacker could use this flaw to cause denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1061

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-14647
CVE STATUS: Patched
CVE SUMMARY: Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14647

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-20406
CVE STATUS: Patched
CVE SUMMARY: Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20406

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-20852
CVE STATUS: Patched
CVE SUMMARY: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20852

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-25032
CVE STATUS: Patched
CVE SUMMARY: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25032

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-10160
CVE STATUS: Patched
CVE SUMMARY: A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10160

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-12900
CVE STATUS: Patched
CVE SUMMARY: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12900

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-13404
CVE STATUS: Patched
CVE SUMMARY: The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory, because backwards compatibility requires that C:\Python27 remain the default for 2.7.x
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13404

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-15903
CVE STATUS: Patched
CVE SUMMARY: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15903

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-16056
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16056

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-16935
CVE STATUS: Patched
CVE SUMMARY: The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16935

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-17514
CVE STATUS: Patched
CVE SUMMARY: library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17514

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-18348
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This is not exploitable when glibc has CVE-2016-10739 fixed
CVE SUMMARY: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18348

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-20907
CVE STATUS: Patched
CVE SUMMARY: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20907

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-5010
CVE STATUS: Patched
CVE SUMMARY: An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5010

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9636
CVE STATUS: Patched
CVE SUMMARY: Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9636

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9674
CVE STATUS: Patched
CVE SUMMARY: Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9674

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9740
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9740

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9947
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9947

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9948
CVE STATUS: Patched
CVE SUMMARY: urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9948

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-10735
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10735

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-14422
CVE STATUS: Patched
CVE SUMMARY: Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14422

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-15523
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: Issue only applies on Windows
CVE SUMMARY: In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15523

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-15801
CVE STATUS: Patched
CVE SUMMARY: In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) is not affected.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15801

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-26116
CVE STATUS: Patched
CVE SUMMARY: http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26116

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-27619
CVE STATUS: Patched
CVE SUMMARY: In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27619

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-8315
CVE STATUS: Patched
CVE SUMMARY: In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8315

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-8492
CVE STATUS: Patched
CVE SUMMARY: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8492

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-23336
CVE STATUS: Patched
CVE SUMMARY: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23336

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-28861
CVE STATUS: Patched
CVE SUMMARY: Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28861

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-29921
CVE STATUS: Patched
CVE SUMMARY: In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29921

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-3177
CVE STATUS: Patched
CVE SUMMARY: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3177

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-3426
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3426

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-3733
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3733

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-3737
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3737

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-4189
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4189

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-0391
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0391

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-26488
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: Issue only applies on Windows
CVE SUMMARY: In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26488

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-37454
CVE STATUS: Patched
CVE SUMMARY: The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-37454

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-42919
CVE STATUS: Patched
CVE SUMMARY: Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42919

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-45061
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45061

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-48560
CVE STATUS: Patched
CVE SUMMARY: A use-after-free exists in Python through 3.9 via heappushpop in heapq.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48560

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-48564
CVE STATUS: Patched
CVE SUMMARY: read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48564

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-48565
CVE STATUS: Patched
CVE SUMMARY: An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48565

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-48566
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48566

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-24329
CVE STATUS: Patched
CVE SUMMARY: An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24329

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-27043
CVE STATUS: Patched
CVE SUMMARY: The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27043

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-33595
CVE STATUS: Patched
CVE SUMMARY: CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33595

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-36632
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Not an issue, in fact expected behaviour
CVE SUMMARY: The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-36632

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-38898
CVE STATUS: Patched
CVE SUMMARY: An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38898

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-40217
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40217

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-41105
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-41105

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-6507
CVE STATUS: Patched
CVE SUMMARY: An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.

When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.

This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6507

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2024-6232
CVE STATUS: Patched
CVE SUMMARY: There is a MEDIUM severity vulnerability affecting CPython.





Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6232

LAYER: meta
PACKAGE NAME: python3
PACKAGE VERSION: 3.12.6
CVE: CVE-2024-7592
CVE STATUS: Patched
CVE SUMMARY: There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module.


When parsing cookies that contained backslashes for quoted characters in
the cookie value, the parser would use an algorithm with quadratic
complexity, resulting in excess CPU resources being used while parsing the
value.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7592

LAYER: meta
PACKAGE NAME: ninja-native
PACKAGE VERSION: 1.11.1
CVE: CVE-2014-4550
CVE STATUS: Patched
CVE SUMMARY: Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4550

LAYER: meta
PACKAGE NAME: ninja-native
PACKAGE VERSION: 1.11.1
CVE: CVE-2021-4336
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: This is a different Ninja
CVE SUMMARY: A vulnerability was found in ITRS Group monitor-ninja up to 2021.11.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file modules/reports/models/scheduled_reports.php. The manipulation leads to sql injection. Upgrading to version 2021.11.30 is able to address this issue. The name of the patch is 6da9080faec9bca1ca5342386c0421dca0a6c0cc. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230084.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4336

LAYER: meta
PACKAGE NAME: ninja-native
PACKAGE VERSION: 1.11.1
CVE: CVE-2024-36823
CVE STATUS: Patched
CVE SUMMARY: The encrypt() function of Ninja Core v7.0.0 was discovered to use a weak cryptographic algorithm, leading to a possible leakage of sensitive information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36823

LAYER: meta
PACKAGE NAME: libcomps-native
PACKAGE VERSION: 0.1.20
CVE: CVE-2019-3817
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3817

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2002-0059
CVE STATUS: Patched
CVE SUMMARY: The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0059

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2003-0107
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0107

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2004-0797
CVE STATUS: Patched
CVE SUMMARY: The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0797

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2005-1849
CVE STATUS: Patched
CVE SUMMARY: inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1849

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2005-2096
CVE STATUS: Patched
CVE SUMMARY: zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2096

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2016-9840
CVE STATUS: Patched
CVE SUMMARY: inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9840

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2016-9841
CVE STATUS: Patched
CVE SUMMARY: inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9841

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2016-9842
CVE STATUS: Patched
CVE SUMMARY: The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9842

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2016-9843
CVE STATUS: Patched
CVE SUMMARY: The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9843

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2018-25032
CVE STATUS: Patched
CVE SUMMARY: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25032

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2022-37434
CVE STATUS: Patched
CVE SUMMARY: zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-37434

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2023-45853
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: we don't build minizip
CVE SUMMARY: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45853

LAYER: meta
PACKAGE NAME: zlib-native
PACKAGE VERSION: 1.3.1
CVE: CVE-2023-6992
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: this CVE is for cloudflare zlib
CVE SUMMARY: Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.
A local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.
Patches: The issue has been patched in commit  8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6992

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2008-4316
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either (1) from or (2) to a base64 representation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4316

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2009-3289
CVE STATUS: Patched
CVE SUMMARY: The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3289

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2012-0039
CVE STATUS: Patched
CVE SUMMARY: GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0039

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2018-16428
CVE STATUS: Patched
CVE SUMMARY: In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16428

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2018-16429
CVE STATUS: Patched
CVE SUMMARY: GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16429

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2019-12450
CVE STATUS: Patched
CVE SUMMARY: file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12450

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2019-13012
CVE STATUS: Patched
CVE SUMMARY: The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13012

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2019-9633
CVE STATUS: Patched
CVE SUMMARY: gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9633

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2020-35457
CVE STATUS: Patched
CVE SUMMARY: GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries()." The researcher states that this pattern is undocumented
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35457

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2020-6750
CVE STATUS: Patched
CVE SUMMARY: GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-6750

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2021-27218
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27218

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2021-27219
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27219

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2021-28153
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28153

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2021-3800
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3800

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-29499
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29499

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-32611
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32611

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-32636
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32636

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-32643
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-32665.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32643

LAYER: meta
PACKAGE NAME: glib-2.0-native
PACKAGE VERSION: 1_2.78.6
CVE: CVE-2023-32665
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32665

LAYER: meta
PACKAGE NAME: gettext-native
PACKAGE VERSION: 0.22.5
CVE: CVE-2004-0966
CVE STATUS: Patched
CVE SUMMARY: The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0966

LAYER: meta
PACKAGE NAME: gettext-native
PACKAGE VERSION: 0.22.5
CVE: CVE-2018-18751
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18751

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2003-1564
CVE STATUS: Patched
CVE SUMMARY: libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1564

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2004-0110
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0110

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2004-0989
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0989

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2008-3281
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3281

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2008-3529
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3529

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2008-4409
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4409

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2009-2414
CVE STATUS: Patched
CVE SUMMARY: Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2414

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2009-2416
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2416

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2010-4008
CVE STATUS: Patched
CVE SUMMARY: libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4008

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2010-4494
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4494

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2011-1944
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1944

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2012-0841
CVE STATUS: Patched
CVE SUMMARY: libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0841

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2012-2871
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2871

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2012-5134
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5134

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2013-0338
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0338

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2013-0339
CVE STATUS: Patched
CVE SUMMARY: libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0339

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2013-1969
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the (1) htmlParseChunk and (2) xmldecl_done functions, as demonstrated by a buffer overflow in the xmlBufGetInputBase function.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1969

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2013-2877
CVE STATUS: Patched
CVE SUMMARY: parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2877

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2014-3660
CVE STATUS: Patched
CVE SUMMARY: parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3660

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-5312
CVE STATUS: Patched
CVE SUMMARY: The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5312

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-6837
CVE STATUS: Patched
CVE SUMMARY: The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6837

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-6838
CVE STATUS: Patched
CVE SUMMARY: The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6838

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7497
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7497

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7498
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7498

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7499
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7499

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7500
CVE STATUS: Patched
CVE SUMMARY: The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7500

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7941
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7941

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7942
CVE STATUS: Patched
CVE SUMMARY: The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7942

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8035
CVE STATUS: Patched
CVE SUMMARY: The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8035

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8241
CVE STATUS: Patched
CVE SUMMARY: The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8241

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8242
CVE STATUS: Patched
CVE SUMMARY: The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8242

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8317
CVE STATUS: Patched
CVE SUMMARY: The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8317

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8710
CVE STATUS: Patched
CVE SUMMARY: The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8710

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8806
CVE STATUS: Patched
CVE SUMMARY: dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8806

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1762
CVE STATUS: Patched
CVE SUMMARY: The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1762

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1833
CVE STATUS: Patched
CVE SUMMARY: The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1833

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1834
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1834

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1836
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the xmlDictComputeFastKey function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1836

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1837
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in the (1) htmlPArsePubidLiteral and (2) htmlParseSystemiteral functions in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allow remote attackers to cause a denial of service via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1837

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1838
CVE STATUS: Patched
CVE SUMMARY: The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1838

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1839
CVE STATUS: Patched
CVE SUMMARY: The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1839

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1840
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1840

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-2073
CVE STATUS: Patched
CVE SUMMARY: The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2073

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-3627
CVE STATUS: Patched
CVE SUMMARY: The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3627

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-3705
CVE STATUS: Patched
CVE SUMMARY: The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3705

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-3709
CVE STATUS: Patched
CVE SUMMARY: Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3709

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4447
CVE STATUS: Patched
CVE SUMMARY: The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4447

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4448
CVE STATUS: Patched
CVE SUMMARY: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4448

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4449
CVE STATUS: Patched
CVE SUMMARY: XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4449

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4483
CVE STATUS: Patched
CVE SUMMARY: The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization.  NOTE: this vulnerability may be a duplicate of CVE-2016-3627.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4483

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4658
CVE STATUS: Patched
CVE SUMMARY: xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4658

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-5131
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5131

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-9318
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9318

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-9596
CVE STATUS: Patched
CVE SUMMARY: libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9596

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-9597
CVE STATUS: Patched
CVE SUMMARY: It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9597

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-9598
CVE STATUS: Patched
CVE SUMMARY: libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. NOTE: this vulnerability exists because of a missing fix for CVE-2016-4483.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9598

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-15412
CVE STATUS: Patched
CVE SUMMARY: Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15412

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-16931
CVE STATUS: Patched
CVE SUMMARY: parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16931

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-16932
CVE STATUS: Patched
CVE SUMMARY: parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16932

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-18258
CVE STATUS: Patched
CVE SUMMARY: The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18258

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-5130
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5130

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-5969
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document.  NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5969

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-7375
CVE STATUS: Patched
CVE SUMMARY: A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7375

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-7376
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7376

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-8872
CVE STATUS: Patched
CVE SUMMARY: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8872

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-9047
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9047

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-9048
CVE STATUS: Patched
CVE SUMMARY: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9048

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-9049
CVE STATUS: Patched
CVE SUMMARY: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9049

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-9050
CVE STATUS: Patched
CVE SUMMARY: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9050

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2018-14404
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14404

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2018-14567
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14567

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2018-9251
CVE STATUS: Patched
CVE SUMMARY: The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9251

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2019-19956
CVE STATUS: Patched
CVE SUMMARY: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19956

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2019-20388
CVE STATUS: Patched
CVE SUMMARY: xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20388

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2020-24977
CVE STATUS: Patched
CVE SUMMARY: GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24977

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2020-7595
CVE STATUS: Patched
CVE SUMMARY: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7595

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2021-3517
CVE STATUS: Patched
CVE SUMMARY: There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3517

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2021-3518
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3518

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2021-3537
CVE STATUS: Patched
CVE SUMMARY: A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3537

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2021-3541
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3541

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2022-23308
CVE STATUS: Patched
CVE SUMMARY: valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23308

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2022-29824
CVE STATUS: Patched
CVE SUMMARY: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29824

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2022-40303
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40303

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2022-40304
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40304

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2023-28484
CVE STATUS: Patched
CVE SUMMARY: In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28484

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2023-29469
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29469

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2023-39615
CVE STATUS: Patched
CVE SUMMARY: Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39615

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2023-45322
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: issue requires memory allocation to fail
CVE SUMMARY: libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45322

LAYER: meta
PACKAGE NAME: libxml2-native
PACKAGE VERSION: 2.12.8
CVE: CVE-2024-25062
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25062

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2008-0595
CVE STATUS: Patched
CVE SUMMARY: dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0595

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2008-3834
CVE STATUS: Patched
CVE SUMMARY: The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3834

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2008-4311
CVE STATUS: Patched
CVE SUMMARY: The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4311

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2009-1189
CVE STATUS: Patched
CVE SUMMARY: The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key.  NOTE: this is due to an incorrect fix for CVE-2008-3834.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1189

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2010-4352
CVE STATUS: Patched
CVE SUMMARY: Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allows local users to cause a denial of service (daemon crash) via a message containing many nested variants.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4352

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2011-2200
CVE STATUS: Patched
CVE SUMMARY: The _dbus_header_byteswap function in dbus-marshal-header.c in D-Bus (aka DBus) 1.2.x before 1.2.28, 1.4.x before 1.4.12, and 1.5.x before 1.5.4 does not properly handle a non-native byte order, which allows local users to cause a denial of service (connection loss), obtain potentially sensitive information, or conduct unspecified state-modification attacks via crafted messages.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2200

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2011-2533
CVE STATUS: Patched
CVE SUMMARY: The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows local users to overwrite arbitrary files via a symlink attack on an unspecified file in /tmp/.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2533

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2012-3524
CVE STATUS: Patched
CVE SUMMARY: libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable.  NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3524

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2013-2168
CVE STATUS: Patched
CVE SUMMARY: The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2168

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3477
CVE STATUS: Patched
CVE SUMMARY: The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3477

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3532
CVE STATUS: Patched
CVE SUMMARY: dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3532

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3533
CVE STATUS: Patched
CVE SUMMARY: dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3533

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3635
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3635

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3636
CVE STATUS: Patched
CVE SUMMARY: D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3636

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3637
CVE STATUS: Patched
CVE SUMMARY: D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3637

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3638
CVE STATUS: Patched
CVE SUMMARY: The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3638

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3639
CVE STATUS: Patched
CVE SUMMARY: The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3639

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-7824
CVE STATUS: Patched
CVE SUMMARY: D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7824

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2015-0245
CVE STATUS: Patched
CVE SUMMARY: D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0245

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2019-12749
CVE STATUS: Patched
CVE SUMMARY: dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12749

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2020-12049
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12049

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2020-35512
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35512

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2022-42010
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42010

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2022-42011
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42011

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2022-42012
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42012

LAYER: meta
PACKAGE NAME: dbus
PACKAGE VERSION: 1.14.10
CVE: CVE-2023-34969
CVE STATUS: Patched
CVE SUMMARY: D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34969

LAYER: meta
PACKAGE NAME: cmake-native
PACKAGE VERSION: 3.28.3
CVE: CVE-2016-10642
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded
CVE SUMMARY: cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10642

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2002-0759
CVE STATUS: Patched
CVE SUMMARY: bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, does not use the O_EXCL flag to create files during decompression and does not warn the user if an existing file would be overwritten, which could allow attackers to overwrite files via a bzip2 archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0759

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2002-0760
CVE STATUS: Patched
CVE SUMMARY: Race condition in bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly other operating systems, decompresses files with world-readable permissions before setting the permissions to what is specified in the bzip2 archive, which could allow local users to read the files as they are being decompressed.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0760

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2002-0761
CVE STATUS: Patched
CVE SUMMARY: bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1, and possibly systems, uses the permissions of symbolic links instead of the actual files when creating an archive, which could cause the files to be extracted with less restrictive permissions than intended.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0761

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2005-0953
CVE STATUS: Patched
CVE SUMMARY: Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0953

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2005-1260
CVE STATUS: Patched
CVE SUMMARY: bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb").
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1260

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2008-1372
CVE STATUS: Patched
CVE SUMMARY: bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1372

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2010-0405
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0405

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2011-4089
CVE STATUS: Patched
CVE SUMMARY: The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4089

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2016-3189
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3189

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2019-12900
CVE STATUS: Patched
CVE SUMMARY: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12900

LAYER: meta
PACKAGE NAME: bzip2-native
PACKAGE VERSION: 1.0.8
CVE: CVE-2023-22895
CVE STATUS: Patched
CVE SUMMARY: The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-22895

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2003-0102
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0102

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2004-1304
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ELF header parsing code in file before 4.12 allows attackers to execute arbitrary code via a crafted ELF file.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1304

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2007-1536
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1536

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2007-2026
CVE STATUS: Patched
CVE SUMMARY: The gnu regular expression code in file 4.20 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted document with a large number of line feed characters, which is not well handled by OS/2 REXX regular expressions that use wildcards, as originally reported for AMaViS.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2026

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2007-2799
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the "file" program 4.20, when running on 32-bit systems, as used in products including The Sleuth Kit, might allow user-assisted attackers to execute arbitrary code via a large file that triggers an overflow that bypasses an assert() statement.  NOTE: this issue is due to an incorrect patch for CVE-2007-1536.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2799

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2009-1515
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a .msi, .doc, or .mpp file.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1515

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2009-3930
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Christos Zoulas file before 5.02 allow user-assisted remote attackers to have an unspecified impact via a malformed compound document (aka cdf) file that triggers a buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3930

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2012-1571
CVE STATUS: Patched
CVE SUMMARY: file before 5.11 and libmagic allow remote attackers to cause a denial of service (crash) via a crafted Composite Document File (CDF) file that triggers (1) an out-of-bounds read or (2) an invalid pointer dereference.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1571

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2013-7345
CVE STATUS: Patched
CVE SUMMARY: The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7345

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-0207
CVE STATUS: Patched
CVE SUMMARY: The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0207

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-2270
CVE STATUS: Patched
CVE SUMMARY: softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2270

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-3478
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3478

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-3479
CVE STATUS: Patched
CVE SUMMARY: The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3479

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-3480
CVE STATUS: Patched
CVE SUMMARY: The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3480

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-3487
CVE STATUS: Patched
CVE SUMMARY: The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3487

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-3538
CVE STATUS: Patched
CVE SUMMARY: file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3538

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-3587
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3587

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-8116
CVE STATUS: Patched
CVE SUMMARY: The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8116

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-8117
CVE STATUS: Patched
CVE SUMMARY: softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8117

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-9620
CVE STATUS: Patched
CVE SUMMARY: The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9620

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-9621
CVE STATUS: Patched
CVE SUMMARY: The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9621

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-9652
CVE STATUS: Patched
CVE SUMMARY: The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9652

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2014-9653
CVE STATUS: Patched
CVE SUMMARY: readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9653

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2017-1000249
CVE STATUS: Patched
CVE SUMMARY: An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000249

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2018-10360
CVE STATUS: Patched
CVE SUMMARY: The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10360

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2019-18218
CVE STATUS: Patched
CVE SUMMARY: cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18218

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2019-8904
CVE STATUS: Patched
CVE SUMMARY: do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8904

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2019-8905
CVE STATUS: Patched
CVE SUMMARY: do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8905

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2019-8906
CVE STATUS: Patched
CVE SUMMARY: do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8906

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2019-8907
CVE STATUS: Patched
CVE SUMMARY: do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8907

LAYER: meta
PACKAGE NAME: file-native
PACKAGE VERSION: 5.45
CVE: CVE-2022-48554
CVE STATUS: Patched
CVE SUMMARY: File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: "File" is the name of an Open Source project.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48554

LAYER: meta
PACKAGE NAME: zstd-native
PACKAGE VERSION: 1.5.5
CVE: CVE-2019-11922
CVE STATUS: Patched
CVE SUMMARY: A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11922

LAYER: meta
PACKAGE NAME: zstd-native
PACKAGE VERSION: 1.5.5
CVE: CVE-2021-24031
CVE STATUS: Patched
CVE SUMMARY: In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-24031

LAYER: meta
PACKAGE NAME: zstd-native
PACKAGE VERSION: 1.5.5
CVE: CVE-2021-24032
CVE STATUS: Patched
CVE SUMMARY: Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-24032

LAYER: meta
PACKAGE NAME: zstd-native
PACKAGE VERSION: 1.5.5
CVE: CVE-2022-4899
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4899

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2013-4242
CVE STATUS: Patched
CVE SUMMARY: GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4242

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2014-3591
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3591

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2014-5270
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5270

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2015-0837
CVE STATUS: Patched
CVE SUMMARY: The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0837

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2015-7511
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 2.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7511

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2016-6313
CVE STATUS: Patched
CVE SUMMARY: The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6313

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2017-0379
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0379

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2017-7526
CVE STATUS: Patched
CVE SUMMARY: libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7526

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2017-9526
CVE STATUS: Patched
CVE SUMMARY: In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9526

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2018-0495
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0495

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2018-6829
CVE STATUS: Patched
CVE SUMMARY: cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6829

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2019-12904
CVE STATUS: Patched
CVE SUMMARY: In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12904

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2021-3345
CVE STATUS: Patched
CVE SUMMARY: _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3345

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2021-33560
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33560

LAYER: meta
PACKAGE NAME: libgcrypt-native
PACKAGE VERSION: 1.10.3
CVE: CVE-2021-40528
CVE STATUS: Patched
CVE SUMMARY: The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-40528

LAYER: meta
PACKAGE NAME: librepo-native
PACKAGE VERSION: 1.17.0
CVE: CVE-2020-14352
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.
CVSS v2 BASE SCORE: 8.5
CVSS v3 BASE SCORE: 8.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14352

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2014-5461
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5461

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2019-6706
CVE STATUS: Patched
CVE SUMMARY: Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6706

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-15888
CVE STATUS: Patched
CVE SUMMARY: Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15888

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-15889
CVE STATUS: Patched
CVE SUMMARY: Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15889

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-15945
CVE STATUS: Patched
CVE SUMMARY: Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15945

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-24342
CVE STATUS: Patched
CVE SUMMARY: Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24342

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-24369
CVE STATUS: Patched
CVE SUMMARY: ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24369

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-24370
CVE STATUS: Patched
CVE SUMMARY: ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24370

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-24371
CVE STATUS: Patched
CVE SUMMARY: lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24371

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-43519
CVE STATUS: Patched
CVE SUMMARY: Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43519

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-44647
CVE STATUS: Patched
CVE SUMMARY: Lua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44647

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-44964
CVE STATUS: Patched
CVE SUMMARY: Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44964

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-45985
CVE STATUS: Patched
CVE SUMMARY: In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45985

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2022-28805
CVE STATUS: Patched
CVE SUMMARY: singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28805

LAYER: meta
PACKAGE NAME: lua-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2022-33099
CVE STATUS: Patched
CVE SUMMARY: An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33099

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-1999-1439
CVE STATUS: Patched
CVE SUMMARY: gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1439

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2000-1219
CVE STATUS: Patched
CVE SUMMARY: The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1219

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2002-2439
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2439

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2006-1902
CVE STATUS: Patched
CVE SUMMARY: fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is "not correctly interpreting an offset to a pointer as a signed value."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1902

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1367
CVE STATUS: Patched
CVE SUMMARY: gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1367

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1685
CVE STATUS: Patched
CVE SUMMARY: gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1685

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2013-4598
CVE STATUS: Patched
CVE SUMMARY: The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4598

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2015-5276
CVE STATUS: Patched
CVE SUMMARY: The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5276

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2017-11671
CVE STATUS: Patched
CVE SUMMARY: Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11671

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2018-12886
CVE STATUS: Patched
CVE SUMMARY: stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12886

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2019-15847
CVE STATUS: Patched
CVE SUMMARY: The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15847

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-37322
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Is a binutils 2.26 issue, not gcc
CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-3826
CVE STATUS: Patched
CVE SUMMARY: Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3826

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-46195
CVE STATUS: Patched
CVE SUMMARY: GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46195

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2022-27943
CVE STATUS: Patched
CVE SUMMARY: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27943

LAYER: meta
PACKAGE NAME: gcc-cross-aarch64
PACKAGE VERSION: 13.3.0
CVE: CVE-2023-4039
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source
CVE SUMMARY: 

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains 
that target AArch64 allows an attacker to exploit an existing buffer 
overflow in dynamically-sized local variables in your application 
without this being detected. This stack-protector failure only applies 
to C99-style dynamically-sized local variables or those created using 
alloca(). The stack-protector operates as intended for statically-sized 
local variables.

The default behavior when the stack-protector 
detects an overflow is to terminate your application, resulting in 
controlled loss of availability. An attacker who can exploit a buffer 
overflow without triggering the stack-protector might be able to change 
program flow control to cause an uncontrolled loss of availability or to
 go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.






CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4039

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-1999-0034
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0034

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-1999-1386
CVE STATUS: Patched
CVE SUMMARY: Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1386

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2000-0703
CVE STATUS: Patched
CVE SUMMARY: suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape sequence.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0703

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2003-0900
CVE STATUS: Patched
CVE SUMMARY: Perl 5.8.1 on Fedora Core does not properly initialize the random number generator when forking, which makes it easier for attackers to predict random numbers.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0900

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2004-0377
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0377

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2004-0452
CVE STATUS: Patched
CVE SUMMARY: Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0452

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2004-0976
CVE STATUS: Patched
CVE SUMMARY: Multiple scripts in the perl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0976

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2004-2286
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2286

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-0155
CVE STATUS: Patched
CVE SUMMARY: The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0155

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-0156
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0156

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-0448
CVE STATUS: Patched
CVE SUMMARY: Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0448

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-3962
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3962

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2005-4278
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4278

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2007-5116
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5116

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2008-1927
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters.  NOTE: this issue might only be present on certain operating systems.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1927

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2008-2827
CVE STATUS: Patched
CVE SUMMARY: The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly check permissions before performing a chmod, which allows local users to modify the permissions of arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448 and CVE-2004-0452.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2827

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2009-3626
CVE STATUS: Patched
CVE SUMMARY: Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3626

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2010-1158
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1158

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2010-4777
CVE STATUS: Patched
CVE SUMMARY: The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4777

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2011-0761
CVE STATUS: Patched
CVE SUMMARY: Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0761

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2011-1487
CVE STATUS: Patched
CVE SUMMARY: The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1487

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2011-2728
CVE STATUS: Patched
CVE SUMMARY: The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2728

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2011-2939
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2939

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2012-1151
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1151

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2012-5195
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5195

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2012-6329
CVE STATUS: Patched
CVE SUMMARY: The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6329

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2013-1667
CVE STATUS: Patched
CVE SUMMARY: The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1667

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2013-7422
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7422

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2014-4330
CVE STATUS: Patched
CVE SUMMARY: The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4330

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2015-8608
CVE STATUS: Patched
CVE SUMMARY: The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8608

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2015-8853
CVE STATUS: Patched
CVE SUMMARY: The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8853

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2016-1238
CVE STATUS: Patched
CVE SUMMARY: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1238

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2016-2381
CVE STATUS: Patched
CVE SUMMARY: Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2381

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2016-6185
CVE STATUS: Patched
CVE SUMMARY: The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6185

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2017-12814
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12814

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2017-12837
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12837

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2017-12883
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12883

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-12015
CVE STATUS: Patched
CVE SUMMARY: In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12015

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-18311
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18311

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-18312
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18312

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-18313
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18313

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-18314
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18314

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-6797
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6797

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-6798
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6798

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2018-6913
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6913

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2020-10543
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10543

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2020-10878
CVE STATUS: Patched
CVE SUMMARY: Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10878

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2020-12723
CVE STATUS: Patched
CVE SUMMARY: regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12723

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2022-48522
CVE STATUS: Patched
CVE SUMMARY: In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48522

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-31484
CVE STATUS: Patched
CVE SUMMARY: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31484

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-31486
CVE STATUS: Patched
CVE SUMMARY: HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31486

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-47038
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-47038

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-47039
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. This flaw allows an attacker with limited privileges to place`cmd.exe` in locations with weak permissions, such as `C:\ProgramData`. By doing so, arbitrary code can be executed when an administrator attempts to use this executable from these compromised locations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-47039

LAYER: meta
PACKAGE NAME: perl-native
PACKAGE VERSION: 5.38.2
CVE: CVE-2023-47100
CVE STATUS: Patched
CVE SUMMARY: In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-47100

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2009-3560
CVE STATUS: Patched
CVE SUMMARY: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3560

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2009-3720
CVE STATUS: Patched
CVE SUMMARY: The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3720

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2012-0876
CVE STATUS: Patched
CVE SUMMARY: The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0876

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2012-1147
CVE STATUS: Patched
CVE SUMMARY: readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1147

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2012-1148
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1148

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2012-6702
CVE STATUS: Patched
CVE SUMMARY: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6702

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2013-0340
CVE STATUS: Patched
CVE SUMMARY: expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0340

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2015-1283
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1283

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2016-0718
CVE STATUS: Patched
CVE SUMMARY: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0718

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2016-4472
CVE STATUS: Patched
CVE SUMMARY: The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4472

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2016-5300
CVE STATUS: Patched
CVE SUMMARY: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5300

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2017-11742
CVE STATUS: Patched
CVE SUMMARY: The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11742

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2017-9233
CVE STATUS: Patched
CVE SUMMARY: XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9233

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2018-20843
CVE STATUS: Patched
CVE SUMMARY: In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20843

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2019-15903
CVE STATUS: Patched
CVE SUMMARY: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15903

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2021-45960
CVE STATUS: Patched
CVE SUMMARY: In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45960

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2021-46143
CVE STATUS: Patched
CVE SUMMARY: In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46143

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22822
CVE STATUS: Patched
CVE SUMMARY: addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22822

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22823
CVE STATUS: Patched
CVE SUMMARY: build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22823

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22824
CVE STATUS: Patched
CVE SUMMARY: defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22824

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22825
CVE STATUS: Patched
CVE SUMMARY: lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22825

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22826
CVE STATUS: Patched
CVE SUMMARY: nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22826

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-22827
CVE STATUS: Patched
CVE SUMMARY: storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22827

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-23852
CVE STATUS: Patched
CVE SUMMARY: Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23852

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-23990
CVE STATUS: Patched
CVE SUMMARY: Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23990

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25235
CVE STATUS: Patched
CVE SUMMARY: xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25235

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25236
CVE STATUS: Patched
CVE SUMMARY: xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25236

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25313
CVE STATUS: Patched
CVE SUMMARY: In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25313

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25314
CVE STATUS: Patched
CVE SUMMARY: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25314

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-25315
CVE STATUS: Patched
CVE SUMMARY: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25315

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-40674
CVE STATUS: Patched
CVE SUMMARY: libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40674

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2022-43680
CVE STATUS: Patched
CVE SUMMARY: In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43680

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2023-52425
CVE STATUS: Patched
CVE SUMMARY: libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52425

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2023-52426
CVE STATUS: Patched
CVE SUMMARY: libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52426

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2024-45490
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45490

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2024-45491
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45491

LAYER: meta
PACKAGE NAME: expat-native
PACKAGE VERSION: 2.6.3
CVE: CVE-2024-45492
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45492

LAYER: meta
PACKAGE NAME: libtool-native
PACKAGE VERSION: 2.4.7
CVE: CVE-2004-0256
CVE STATUS: Patched
CVE SUMMARY: GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0256

LAYER: meta
PACKAGE NAME: libtool-native
PACKAGE VERSION: 2.4.7
CVE: CVE-2009-3736
CVE STATUS: Patched
CVE SUMMARY: ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3736

LAYER: meta
PACKAGE NAME: bison-native
PACKAGE VERSION: 3.8.2
CVE: CVE-2020-14150
CVE STATUS: Patched
CVE SUMMARY: GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash). NOTE: there is a risk only if Bison is used with untrusted input, and an observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug reports were intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14150

LAYER: meta
PACKAGE NAME: bison-native
PACKAGE VERSION: 3.8.2
CVE: CVE-2020-24240
CVE STATUS: Patched
CVE SUMMARY: GNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24240

LAYER: meta
PACKAGE NAME: libdnf-native
PACKAGE VERSION: 0.73.2
CVE: CVE-2021-3445
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3445

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2014-0172
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed compressed debug section in an ELF file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0172

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2014-9447
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9447

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2016-10254
CVE STATUS: Patched
CVE SUMMARY: The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10254

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2016-10255
CVE STATUS: Patched
CVE SUMMARY: The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10255

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2017-7607
CVE STATUS: Patched
CVE SUMMARY: The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7607

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2017-7608
CVE STATUS: Patched
CVE SUMMARY: The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7608

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2017-7609
CVE STATUS: Patched
CVE SUMMARY: elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7609

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2017-7610
CVE STATUS: Patched
CVE SUMMARY: The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7610

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2017-7611
CVE STATUS: Patched
CVE SUMMARY: The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7611

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2017-7612
CVE STATUS: Patched
CVE SUMMARY: The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7612

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2017-7613
CVE STATUS: Patched
CVE SUMMARY: elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7613

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2018-16062
CVE STATUS: Patched
CVE SUMMARY: dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16062

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2018-16402
CVE STATUS: Patched
CVE SUMMARY: libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16402

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2018-16403
CVE STATUS: Patched
CVE SUMMARY: libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16403

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2018-18310
CVE STATUS: Patched
CVE SUMMARY: An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18310

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2018-18520
CVE STATUS: Patched
CVE SUMMARY: An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18520

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2018-18521
CVE STATUS: Patched
CVE SUMMARY: Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18521

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2018-8769
CVE STATUS: Patched
CVE SUMMARY: elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8769

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2019-7146
CVE STATUS: Patched
CVE SUMMARY: In elfutils 0.175, there is a buffer over-read in the ebl_object_note function in eblobjnote.c in libebl. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted elf file, as demonstrated by eu-readelf.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7146

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2019-7148
CVE STATUS: Patched
CVE SUMMARY: An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a "warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7148

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2019-7149
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7149

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2019-7150
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7150

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2019-7664
CVE STATUS: Patched
CVE SUMMARY: In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7664

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2019-7665
CVE STATUS: Patched
CVE SUMMARY: In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7665

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2020-21047
CVE STATUS: Patched
CVE SUMMARY: The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21047

LAYER: meta
PACKAGE NAME: elfutils-native
PACKAGE VERSION: 0.191
CVE: CVE-2021-33294
CVE STATUS: Patched
CVE SUMMARY: In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33294

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-1999-1439
CVE STATUS: Patched
CVE SUMMARY: gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1439

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2000-1219
CVE STATUS: Patched
CVE SUMMARY: The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1219

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2002-2439
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2439

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2006-1902
CVE STATUS: Patched
CVE SUMMARY: fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is "not correctly interpreting an offset to a pointer as a signed value."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1902

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1367
CVE STATUS: Patched
CVE SUMMARY: gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1367

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2008-1685
CVE STATUS: Patched
CVE SUMMARY: gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999)
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1685

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2013-4598
CVE STATUS: Patched
CVE SUMMARY: The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4598

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2015-5276
CVE STATUS: Patched
CVE SUMMARY: The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5276

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2017-11671
CVE STATUS: Patched
CVE SUMMARY: Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11671

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2018-12886
CVE STATUS: Patched
CVE SUMMARY: stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12886

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2019-15847
CVE STATUS: Patched
CVE SUMMARY: The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15847

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-37322
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Is a binutils 2.26 issue, not gcc
CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-3826
CVE STATUS: Patched
CVE SUMMARY: Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3826

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2021-46195
CVE STATUS: Patched
CVE SUMMARY: GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46195

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2022-27943
CVE STATUS: Patched
CVE SUMMARY: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27943

LAYER: meta
PACKAGE NAME: libgcc
PACKAGE VERSION: 13.3.0
CVE: CVE-2023-4039
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source
CVE SUMMARY: 

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains 
that target AArch64 allows an attacker to exploit an existing buffer 
overflow in dynamically-sized local variables in your application 
without this being detected. This stack-protector failure only applies 
to C99-style dynamically-sized local variables or those created using 
alloca(). The stack-protector operates as intended for statically-sized 
local variables.

The default behavior when the stack-protector 
detects an overflow is to terminate your application, resulting in 
controlled loss of availability. An attacker who can exploit a buffer 
overflow without triggering the stack-protector might be able to change 
program flow control to cause an uncontrolled loss of availability or to
 go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.






CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4039

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-1999-0428
CVE STATUS: Patched
CVE SUMMARY: OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0428

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2000-0535
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0535

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2000-1254
CVE STATUS: Patched
CVE SUMMARY: crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX platforms.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1254

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2001-1141
CVE STATUS: Patched
CVE SUMMARY: The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1141

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-0655
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0655

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-0656
CVE STATUS: Patched
CVE SUMMARY: Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0656

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-0657
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long master key.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0657

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-0659
CVE STATUS: Patched
CVE SUMMARY: The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0659

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2002-1568
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1568

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0078
CVE STATUS: Patched
CVE SUMMARY: ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0078

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0131
CVE STATUS: Patched
CVE SUMMARY: The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0131

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0147
CVE STATUS: Patched
CVE SUMMARY: OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0147

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0543
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0543

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0544
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0544

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0545
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0545

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2003-0851
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0851

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2004-0079
CVE STATUS: Patched
CVE SUMMARY: The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0079

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2004-0081
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0081

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2004-0975
CVE STATUS: Patched
CVE SUMMARY: The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0975

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2005-1797
CVE STATUS: Patched
CVE SUMMARY: The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on S-box lookups, which are difficult to perform in constant time in AES implementations.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1797

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2005-2946
CVE STATUS: Patched
CVE SUMMARY: The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2946

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2005-2969
CVE STATUS: Patched
CVE SUMMARY: The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2969

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-2937
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2937

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-2940
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2940

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-3738
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3738

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-4339
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4339

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-4343
CVE STATUS: Patched
CVE SUMMARY: The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4343

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2006-7250
CVE STATUS: Patched
CVE SUMMARY: The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7250

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2007-3108
CVE STATUS: Patched
CVE SUMMARY: The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3108

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2007-4995
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4995

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2007-5135
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow.  NOTE: this issue was introduced as a result of a fix for CVE-2006-3738.  As of 20071012, it is unknown whether code execution is possible.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5135

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-0166
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0166

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-0891
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0891

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-1672
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1672

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-1678
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1678

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-5077
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5077

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2008-7270
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-7270

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-0590
CVE STATUS: Patched
CVE SUMMARY: The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0590

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-0591
CVE STATUS: Patched
CVE SUMMARY: The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0591

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-0653
CVE STATUS: Patched
CVE SUMMARY: OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack, a related issue to CVE-2002-0970.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0653

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-0789
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0789

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1377
CVE STATUS: Patched
CVE SUMMARY: The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1377

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1378
CVE STATUS: Patched
CVE SUMMARY: Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1378

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1379
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1379

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1386
CVE STATUS: Patched
CVE SUMMARY: ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1386

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-1387
CVE STATUS: Patched
CVE SUMMARY: The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1387

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-2409
CVE STATUS: Patched
CVE SUMMARY: The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time.  NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2409

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-3245
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3245

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-3555
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3555

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2009-4355
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4355

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-0433
CVE STATUS: Patched
CVE SUMMARY: The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0433

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-0740
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0740

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-0742
CVE STATUS: Patched
CVE SUMMARY: The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0742

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-0928
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0928

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-1633
CVE STATUS: Patched
CVE SUMMARY: RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1633

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-2939
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime.  NOTE: some sources refer to this as a use-after-free issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2939

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-3864
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3864

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-4180
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4180

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-4252
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4252

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2010-5298
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5298

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-0014
CVE STATUS: Patched
CVE SUMMARY: ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0014

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-1473
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094.  NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1473

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-1945
CVE STATUS: Patched
CVE SUMMARY: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1945

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-3207
CVE STATUS: Patched
CVE SUMMARY: crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3207

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-3210
CVE STATUS: Patched
CVE SUMMARY: The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3210

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4108
CVE STATUS: Patched
CVE SUMMARY: The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4108

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4109
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4109

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4354
CVE STATUS: Patched
CVE SUMMARY: crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4354

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4576
CVE STATUS: Patched
CVE SUMMARY: The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4576

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4577
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4577

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-4619
CVE STATUS: Patched
CVE SUMMARY: The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4619

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2011-5095
CVE STATUS: Patched
CVE SUMMARY: The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-1923.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5095

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-0027
CVE STATUS: Patched
CVE SUMMARY: The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0027

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-0050
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0050

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-0884
CVE STATUS: Patched
CVE SUMMARY: The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0884

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-1165
CVE STATUS: Patched
CVE SUMMARY: The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1165

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-2110
CVE STATUS: Patched
CVE SUMMARY: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2110

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-2131
CVE STATUS: Patched
CVE SUMMARY: Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2131

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-2333
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2333

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2012-2686
CVE STATUS: Patched
CVE SUMMARY: crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2686

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-0166
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0166

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-0169
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0169

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-4353
CVE STATUS: Patched
CVE SUMMARY: The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4353

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-6449
CVE STATUS: Patched
CVE SUMMARY: The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6449

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2013-6450
CVE STATUS: Patched
CVE SUMMARY: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6450

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0076
CVE STATUS: Patched
CVE SUMMARY: The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0076

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0160
CVE STATUS: Patched
CVE SUMMARY: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0160

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0195
CVE STATUS: Patched
CVE SUMMARY: The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0195

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0198
CVE STATUS: Patched
CVE SUMMARY: The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0198

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0221
CVE STATUS: Patched
CVE SUMMARY: The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0221

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-0224
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0224

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3470
CVE STATUS: Patched
CVE SUMMARY: The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3470

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3505
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3505

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3506
CVE STATUS: Patched
CVE SUMMARY: d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3506

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3507
CVE STATUS: Patched
CVE SUMMARY: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3507

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3508
CVE STATUS: Patched
CVE SUMMARY: The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3508

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3509
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3509

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3510
CVE STATUS: Patched
CVE SUMMARY: The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3510

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3511
CVE STATUS: Patched
CVE SUMMARY: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3511

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3512
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3512

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3513
CVE STATUS: Patched
CVE SUMMARY: Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3513

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3566
CVE STATUS: Patched
CVE SUMMARY: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3566

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3567
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3567

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3568
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3568

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3569
CVE STATUS: Patched
CVE SUMMARY: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling.  NOTE: this issue became relevant after the CVE-2014-3568 fix.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3569

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3570
CVE STATUS: Patched
CVE SUMMARY: The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3570

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3571
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3571

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-3572
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3572

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-5139
CVE STATUS: Patched
CVE SUMMARY: The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5139

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-8176
CVE STATUS: Patched
CVE SUMMARY: The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8176

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2014-8275
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8275

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0204
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue.  NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0204

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0205
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0205

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0206
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0206

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0207
CVE STATUS: Patched
CVE SUMMARY: The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0207

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0208
CVE STATUS: Patched
CVE SUMMARY: The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0208

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0209
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0209

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0285
CVE STATUS: Patched
CVE SUMMARY: The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0285

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0286
CVE STATUS: Patched
CVE SUMMARY: The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0286

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0287
CVE STATUS: Patched
CVE SUMMARY: The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0287

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0288
CVE STATUS: Patched
CVE SUMMARY: The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0288

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0289
CVE STATUS: Patched
CVE SUMMARY: The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0289

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0290
CVE STATUS: Patched
CVE SUMMARY: The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0290

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0291
CVE STATUS: Patched
CVE SUMMARY: The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0291

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0292
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0292

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-0293
CVE STATUS: Patched
CVE SUMMARY: The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0293

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1787
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1787

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1788
CVE STATUS: Patched
CVE SUMMARY: The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1788

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1789
CVE STATUS: Patched
CVE SUMMARY: The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1789

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1790
CVE STATUS: Patched
CVE SUMMARY: The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1790

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1791
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1791

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1792
CVE STATUS: Patched
CVE SUMMARY: The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1792

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1793
CVE STATUS: Patched
CVE SUMMARY: The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1793

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-1794
CVE STATUS: Patched
CVE SUMMARY: The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1794

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3193
CVE STATUS: Patched
CVE SUMMARY: The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3193

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3194
CVE STATUS: Patched
CVE SUMMARY: crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3194

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3195
CVE STATUS: Patched
CVE SUMMARY: The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3195

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3196
CVE STATUS: Patched
CVE SUMMARY: ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3196

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3197
CVE STATUS: Patched
CVE SUMMARY: ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3197

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-3216
CVE STATUS: Patched
CVE SUMMARY: Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3216

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2015-4000
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4000

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0701
CVE STATUS: Patched
CVE SUMMARY: The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0701

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0702
CVE STATUS: Patched
CVE SUMMARY: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0702

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0703
CVE STATUS: Patched
CVE SUMMARY: The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0703

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0704
CVE STATUS: Patched
CVE SUMMARY: An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0704

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0705
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0705

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0797
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0797

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0798
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0798

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0799
CVE STATUS: Patched
CVE SUMMARY: The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0799

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-0800
CVE STATUS: Patched
CVE SUMMARY: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0800

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2105
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2105

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2106
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2106

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2107
CVE STATUS: Patched
CVE SUMMARY: The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2107

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2108
CVE STATUS: Patched
CVE SUMMARY: The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2108

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2109
CVE STATUS: Patched
CVE SUMMARY: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2109

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2176
CVE STATUS: Patched
CVE SUMMARY: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2176

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2177
CVE STATUS: Patched
CVE SUMMARY: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2177

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2178
CVE STATUS: Patched
CVE SUMMARY: The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2178

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2179
CVE STATUS: Patched
CVE SUMMARY: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2179

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2180
CVE STATUS: Patched
CVE SUMMARY: The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2180

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2181
CVE STATUS: Patched
CVE SUMMARY: The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2181

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2182
CVE STATUS: Patched
CVE SUMMARY: The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2182

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2183
CVE STATUS: Patched
CVE SUMMARY: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2183

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-2842
CVE STATUS: Patched
CVE SUMMARY: The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2842

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6302
CVE STATUS: Patched
CVE SUMMARY: The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6302

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6303
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6303

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6304
CVE STATUS: Patched
CVE SUMMARY: Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6304

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6305
CVE STATUS: Patched
CVE SUMMARY: The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6305

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6306
CVE STATUS: Patched
CVE SUMMARY: The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6306

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6307
CVE STATUS: Patched
CVE SUMMARY: The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6307

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6308
CVE STATUS: Patched
CVE SUMMARY: statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6308

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-6309
CVE STATUS: Patched
CVE SUMMARY: statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6309

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7052
CVE STATUS: Patched
CVE SUMMARY: crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7052

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7053
CVE STATUS: Patched
CVE SUMMARY: In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7053

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7054
CVE STATUS: Patched
CVE SUMMARY: In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7054

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7055
CVE STATUS: Patched
CVE SUMMARY: There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7055

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-7056
CVE STATUS: Patched
CVE SUMMARY: A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7056

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2016-8610
CVE STATUS: Patched
CVE SUMMARY: A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8610

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3730
CVE STATUS: Patched
CVE SUMMARY: In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3730

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3731
CVE STATUS: Patched
CVE SUMMARY: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3731

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3732
CVE STATUS: Patched
CVE SUMMARY: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3732

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3733
CVE STATUS: Patched
CVE SUMMARY: During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3733

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3735
CVE STATUS: Patched
CVE SUMMARY: While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3735

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3736
CVE STATUS: Patched
CVE SUMMARY: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3736

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3737
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3737

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2017-3738
CVE STATUS: Patched
CVE SUMMARY: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3738

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0732
CVE STATUS: Patched
CVE SUMMARY: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0732

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0733
CVE STATUS: Patched
CVE SUMMARY: Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0733

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0734
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0734

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0735
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0735

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0737
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0737

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-0739
CVE STATUS: Patched
CVE SUMMARY: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0739

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2018-5407
CVE STATUS: Patched
CVE SUMMARY: Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5407

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1543
CVE STATUS: Patched
CVE SUMMARY: ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1543

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1547
CVE STATUS: Patched
CVE SUMMARY: Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1547

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1549
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1549

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1551
CVE STATUS: Patched
CVE SUMMARY: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1551

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1552
CVE STATUS: Patched
CVE SUMMARY: OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1552

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1559
CVE STATUS: Patched
CVE SUMMARY: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1559

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2019-1563
CVE STATUS: Patched
CVE SUMMARY: In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1563

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2020-1967
CVE STATUS: Patched
CVE SUMMARY: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1967

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2020-1968
CVE STATUS: Patched
CVE SUMMARY: The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1968

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2020-1971
CVE STATUS: Patched
CVE SUMMARY: The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1971

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-23839
CVE STATUS: Patched
CVE SUMMARY: OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23839

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-23840
CVE STATUS: Patched
CVE SUMMARY: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23840

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-23841
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23841

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-3449
CVE STATUS: Patched
CVE SUMMARY: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3449

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-3450
CVE STATUS: Patched
CVE SUMMARY: The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3450

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-3711
CVE STATUS: Patched
CVE SUMMARY: In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3711

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-3712
CVE STATUS: Patched
CVE SUMMARY: ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3712

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-4044
CVE STATUS: Patched
CVE SUMMARY: Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4044

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2021-4160
CVE STATUS: Patched
CVE SUMMARY: There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4160

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-0778
CVE STATUS: Patched
CVE SUMMARY: The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0778

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-1292
CVE STATUS: Patched
CVE SUMMARY: The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1292

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-1343
CVE STATUS: Patched
CVE SUMMARY: The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1343

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-1434
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1434

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-1473
CVE STATUS: Patched
CVE SUMMARY: The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1473

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-2068
CVE STATUS: Patched
CVE SUMMARY: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2068

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-2097
CVE STATUS: Patched
CVE SUMMARY: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2097

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-2274
CVE STATUS: Patched
CVE SUMMARY: The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2274

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-3358
CVE STATUS: Patched
CVE SUMMARY: OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3358

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-3602
CVE STATUS: Patched
CVE SUMMARY: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3602

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-3786
CVE STATUS: Patched
CVE SUMMARY: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3786

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-3996
CVE STATUS: Patched
CVE SUMMARY: If an X.509 certificate contains a malformed policy constraint and
policy processing is enabled, then a write lock will be taken twice
recursively.  On some operating systems (most widely: Windows) this
results in a denial of service when the affected process hangs.  Policy
processing being enabled on a publicly facing server is not considered
to be a common setup.

Policy processing is enabled by passing the `-policy'
argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.

Update (31 March 2023): The description of the policy processing enablement
was corrected based on CVE-2023-0466.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3996

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-4203
CVE STATUS: Patched
CVE SUMMARY: A read buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs
after certificate chain signature verification and requires either a
CA to have signed the malicious certificate or for the application to
continue certificate verification despite failure to construct a path
to a trusted issuer.

The read buffer overrun might result in a crash which could lead to
a denial of service attack. In theory it could also result in the disclosure
of private memory contents (such as private keys, or sensitive plaintext)
although we are not aware of any working exploit leading to memory
contents disclosure as of the time of release of this advisory.

In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4203

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-4304
CVE STATUS: Patched
CVE SUMMARY: A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an
encrypted pre-master secret to the server. An attacker that had observed a
genuine connection between a client and a server could use this flaw to send
trial messages to the server and record the time taken to process them. After a
sufficiently large number of messages the attacker could recover the pre-master
secret used for the original connection and thus be able to decrypt the
application data sent over that connection.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4304

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2022-4450
CVE STATUS: Patched
CVE SUMMARY: The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.
If the function succeeds then the "name_out", "header" and "data" arguments are
populated with pointers to buffers containing the relevant decoded data. The
caller is responsible for freeing those buffers. It is possible to construct a
PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
will return a failure code but will populate the header argument with a pointer
to a buffer that has already been freed. If the caller also frees this buffer
then a double free will occur. This will most likely lead to a crash. This
could be exploited by an attacker who has the ability to supply malicious PEM
files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal
uses of these functions are not vulnerable because the caller does not free the
header argument if PEM_read_bio_ex() returns a failure code. These locations
include the PEM_read_bio_TYPE() functions as well as the decoders introduced in
OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.



CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4450

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0215
CVE STATUS: Patched
CVE SUMMARY: The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the
SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by
end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter
BIO onto the front of it to form a BIO chain, and then returns the new head of
the BIO chain to the caller. Under certain conditions, for example if a CMS
recipient public key is invalid, the new filter BIO is freed and the function
returns a NULL result indicating a failure. However, in this case, the BIO chain
is not properly cleaned up and the BIO passed by the caller still retains
internal pointers to the previously freed filter BIO. If the caller then goes on
to call BIO_pop() on the BIO then a use-after-free will occur. This will most
likely result in a crash.



This scenario occurs directly in the internal function B64_write_ASN1() which
may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on
the BIO. This internal function is in turn called by the public API functions
PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,
SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include
i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and
i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.




CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0215

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0216
CVE STATUS: Patched
CVE SUMMARY: An invalid pointer dereference on read can be triggered when an
application tries to load malformed PKCS7 data with the
d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

The result of the dereference is an application crash which could
lead to a denial of service attack. The TLS implementation in OpenSSL
does not call this function however third party applications might
call these functions on untrusted data.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0216

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0217
CVE STATUS: Patched
CVE SUMMARY: An invalid pointer dereference on read can be triggered when an
application tries to check a malformed DSA public key by the
EVP_PKEY_public_check() function. This will most likely lead
to an application crash. This function can be called on public
keys supplied from untrusted sources which could allow an attacker
to cause a denial of service attack.

The TLS implementation in OpenSSL does not call this function
but applications might call the function if there are additional
security requirements imposed by standards such as FIPS 140-3.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0217

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0286
CVE STATUS: Patched
CVE SUMMARY: There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0286

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0401
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer can be dereferenced when signatures are being
verified on PKCS7 signed or signedAndEnveloped data. In case the hash
algorithm used for the signature is known to the OpenSSL library but
the implementation of the hash algorithm is not available the digest
initialization will fail. There is a missing check for the return
value from the initialization function which later leads to invalid
usage of the digest API most likely leading to a crash.

The unavailability of an algorithm can be caused by using FIPS
enabled configuration of providers or more commonly by not loading
the legacy provider.

PKCS7 data is processed by the SMIME library calls and also by the
time stamp (TS) library calls. The TLS implementation in OpenSSL does
not call these functions however third party applications would be
affected if they call these functions to verify signatures on untrusted
data.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0401

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0464
CVE STATUS: Patched
CVE SUMMARY: A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints.  Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0464

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0465
CVE STATUS: Patched
CVE SUMMARY: Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by
OpenSSL and other certificate policy checks are skipped for that certificate.
A malicious CA could use this to deliberately assert invalid certificate policies
in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0465

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-0466
CVE STATUS: Patched
CVE SUMMARY: The function X509_VERIFY_PARAM_add0_policy() is documented to
implicitly enable the certificate policy check when doing certificate
verification. However the implementation of the function does not
enable the check which allows certificates with invalid or incorrect
policies to pass the certificate verification.

As suddenly enabling the policy check could break existing deployments it was
decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
function.

Instead the applications that require OpenSSL to perform certificate
policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly
enable the policy check by calling X509_VERIFY_PARAM_set_flags() with
the X509_V_FLAG_POLICY_CHECK flag argument.

Certificate policy checks are disabled by default in OpenSSL and are not
commonly used by applications.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0466

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-1255
CVE STATUS: Patched
CVE SUMMARY: Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM
platform contains a bug that could cause it to read past the input buffer,
leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM
platform can crash in rare circumstances. The AES-XTS algorithm is usually
used for disk encryption.

The AES-XTS cipher decryption implementation for 64 bit ARM platform will read
past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16
byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext
buffer is unmapped, this will trigger a crash which results in a denial of
service.

If an attacker can control the size and location of the ciphertext buffer
being decrypted by an application using AES-XTS on 64 bit ARM, the
application is affected. This is fairly unlikely making this issue
a Low severity one.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1255

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-2650
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -
most of which have no size limit.  OBJ_obj2txt() may be used to translate
an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL
type ASN1_OBJECT) to its canonical numeric text form, which are the
sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by
periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large
(these are sizes that are seen as absurdly large, taking up tens or hundreds
of KiBs), the translation to a decimal number in text may take a very long
time.  The time complexity is O(n^2) with 'n' being the size of the
sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names /
identifiers in string form was introduced.  This includes using OBJECT
IDENTIFIERs in canonical numeric text form as identifiers for fetching
algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure
AlgorithmIdentifier, which is commonly used in multiple protocols to specify
what cryptographic algorithm should be used to sign or verify, encrypt or
decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are
affected, with any version of OpenSSL.  If the use is for the mere purpose
of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,
CMS, CMP/CRMF or TS.  It also impacts anything that processes X.509
certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a
100KiB limit on the peer's certificate chain.  Additionally, this only
impacts clients, or servers that have explicitly enabled client
authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,
such as X.509 certificates.  This is assumed to not happen in such a way
that it would cause a Denial of Service, so these versions are considered
not affected by this issue in such a way that it would be cause for concern,
and the severity is therefore considered low.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2650

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-2975
CVE STATUS: Patched
CVE SUMMARY: Issue summary: The AES-SIV cipher implementation contains a bug that causes
it to ignore empty associated data entries which are unauthenticated as
a consequence.

Impact summary: Applications that use the AES-SIV algorithm and want to
authenticate empty data entries as associated data can be misled by removing,
adding or reordering such empty entries as these are ignored by the OpenSSL
implementation. We are currently unaware of any such applications.

The AES-SIV algorithm allows for authentication of multiple associated
data entries along with the encryption. To authenticate empty data the
application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with
NULL pointer as the output buffer and 0 as the input buffer length.
The AES-SIV implementation in OpenSSL just returns success for such a call
instead of performing the associated data authentication operation.
The empty data thus will not be authenticated.

As this issue does not affect non-empty associated data authentication and
we expect it to be rare for an application to use empty associated data
entries this is qualified as Low severity issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2975

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-3446
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those
checks confirms that the modulus ('p' parameter) is not too large. Trying to use
a very large modulus is slow and OpenSSL will not normally use a modulus which
is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus value
even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulernable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the '-check' option.

The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3446

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-3817
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A correct q value,
if present, cannot be larger than the modulus p parameter, thus it is
unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3817

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-4807
CVE STATUS: Patched
CVE SUMMARY: Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions.

Impact summary: If in an application that uses the OpenSSL library an attacker
can influence whether the POLY1305 MAC algorithm is used, the application
state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL does
not save the contents of non-volatile XMM registers on Windows 64 platform
when calculating the MAC of data larger than 64 bytes. Before returning to
the caller all the XMM registers are set to zero rather than restoring their
previous content. The vulnerable code is used only on newer x86_64 processors
supporting the AVX512-IFMA instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However given the contents of the registers are just zeroized so
the attacker cannot put arbitrary values inside, the most likely consequence,
if any, would be an incorrect result of some application dependent
calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3 and a malicious client can influence whether this AEAD
cipher is used by the server. This implies that server applications using
OpenSSL can be potentially impacted. However we are currently not aware of
any concrete application that would be affected by this issue therefore we
consider this a Low severity security issue.

As a workaround the AVX512-IFMA instructions support can be disabled at
runtime by setting the environment variable OPENSSL_ia32cap:

   OPENSSL_ia32cap=:~0x200000

The FIPS provider is not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4807

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-5363
CVE STATUS: Patched
CVE SUMMARY: Issue summary: A bug has been identified in the processing of key and
initialisation vector (IV) lengths.  This can lead to potential truncation
or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness,
which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after
the key and IV have been established.  Any alterations to the key length,
via the "keylen" parameter or the IV length, via the "ivlen" parameter,
within the OSSL_PARAM array will not take effect as intended, potentially
causing truncation or overreading of these values.  The following ciphers
and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in
loss of confidentiality.  For example, when following NIST's SP 800-38D
section 8.2.1 guidance for constructing a deterministic IV for AES in
GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will
produce incorrect results and could, in some cases, trigger a memory
exception.  However, these issues are not currently assessed as security
critical.

Changing the key and/or IV lengths is not considered to be a common operation
and the vulnerable API was recently introduced. Furthermore it is likely that
application developers will have spotted this problem during testing since
decryption would fail unless both peers in the communication were similarly
vulnerable. For these reasons we expect the probability of an application being
vulnerable to this to be quite low. However if an application is vulnerable then
this issue is considered very serious. For these reasons we have assessed this
issue as Moderate severity overall.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because
the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5363

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-5678
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to
generate an X9.42 DH key may experience long delays.  Likewise, applications
that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of these checks, and is therefore
vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large
P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and
supplies a key or parameters obtained from an untrusted source could be
vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of
other OpenSSL functions.  An application calling any of those other
functions may similarly be affected.  The other functions affected by this
are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable are the OpenSSL pkey command line application when using the
"-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5678

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2023-6129
CVE STATUS: Patched
CVE SUMMARY: Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC
algorithm is used, the application state might be corrupted with various
application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs restores the contents of vector registers in a different order
than they are saved. Thus the contents of some of these vector registers
are corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However unless the compiler uses the vector registers for storing
pointers, the most likely consequence, if any, would be an incorrect result
of some application dependent calculations or a crash leading to a denial of
service.

The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3. If this cipher is enabled on the server a malicious
client can influence whether this AEAD cipher is used. This implies that
TLS server applications using OpenSSL can be potentially impacted. However
we are currently not aware of any concrete application that would be affected
by this issue therefore we consider this a Low severity security issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6129

LAYER: meta
PACKAGE NAME: openssl-native
PACKAGE VERSION: 3.2.3
CVE: CVE-2024-0727
CVE STATUS: Patched
CVE SUMMARY: Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0727

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2007-0998
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: The VNC server can expose host files uder some circumstances. We don't enable it by default.
CVE SUMMARY: The VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0998

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2007-1320
CVE STATUS: Patched
CVE SUMMARY: Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1320

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2007-1321
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1321

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2007-1322
CVE STATUS: Patched
CVE SUMMARY: QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1322

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2007-1366
CVE STATUS: Patched
CVE SUMMARY: QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by "aam 0x0," which triggers a divide-by-zero error.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1366

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2007-5729
CVE STATUS: Patched
CVE SUMMARY: The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 "mtu" heap overflow.  NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the mtu overflow vulnerability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5729

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2007-5730
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow.  NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5730

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2007-6227
CVE STATUS: Patched
CVE SUMMARY: QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an "overflow," via certain Windows executable programs, as demonstrated by qemu-dos.com.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6227

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2008-0928
CVE STATUS: Patched
CVE SUMMARY: Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0928

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2008-1945
CVE STATUS: Patched
CVE SUMMARY: QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1945

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2008-2004
CVE STATUS: Patched
CVE SUMMARY: The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2004

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2008-2382
CVE STATUS: Patched
CVE SUMMARY: The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2382

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2008-4539
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX "bitblt" heap overflow.  NOTE: this issue exists because of an incorrect fix for CVE-2007-1320.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4539

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2008-4553
CVE STATUS: Patched
CVE SUMMARY: qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on temporary files and directories.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4553

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2008-5714
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5714

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2009-3616
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.
CVSS v2 BASE SCORE: 8.5
CVSS v3 BASE SCORE: 9.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3616

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2010-0297
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0297

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2011-0011
CVE STATUS: Patched
CVE SUMMARY: qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0011

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2011-1750
CVE STATUS: Patched
CVE SUMMARY: Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned.
CVSS v2 BASE SCORE: 7.4
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1750

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2011-1751
CVE STATUS: Patched
CVE SUMMARY: The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers."
CVSS v2 BASE SCORE: 7.4
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1751

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2011-2212
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier allows privileged guest users to cause a denial of service (guest crash) or gain privileges via a crafted indirect descriptor related to "virtqueue in and out requests."
CVSS v2 BASE SCORE: 7.4
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2212

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2011-2527
CVE STATUS: Patched
CVE SUMMARY: The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2527

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2011-3346
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command.  NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3346

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2011-4111
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4111

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2012-2652
CVE STATUS: Patched
CVE SUMMARY: The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2652

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2012-3515
CVE STATUS: Patched
CVE SUMMARY: Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3515

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2012-6075
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6075

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-2007
CVE STATUS: Patched
CVE SUMMARY: The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2007

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-2016
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2016

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4148
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4148

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4149
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 through 1.7.x before 1.7.2 might allow remote attackers to execute arbitrary code via a large MAC table.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4149

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4150
CVE STATUS: Patched
CVE SUMMARY: The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors in which the value of curr_queues is greater than max_queues, which triggers an out-of-bounds write.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4150

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4151
CVE STATUS: Patched
CVE SUMMARY: The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4151

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4344
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4344

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4375
CVE STATUS: Patched
CVE SUMMARY: The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4375

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4377
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device.
CVSS v2 BASE SCORE: 2.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4377

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4526
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4526

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4527
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4527

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4529
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4529

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4530
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4530

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4531
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4531

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4532
CVE STATUS: Patched
CVE SUMMARY: Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4532

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4533
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4533

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4534
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4534

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4535
CVE STATUS: Patched
CVE SUMMARY: The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4535

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4536
CVE STATUS: Patched
CVE SUMMARY: An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4536

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4537
CVE STATUS: Patched
CVE SUMMARY: The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4537

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4538
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4538

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4539
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4539

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4540
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4540

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4541
CVE STATUS: Patched
CVE SUMMARY: The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4541

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4542
CVE STATUS: Patched
CVE SUMMARY: The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4542

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-4544
CVE STATUS: Patched
CVE SUMMARY: hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4544

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2013-6399
CVE STATUS: Patched
CVE SUMMARY: Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6399

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0142
CVE STATUS: Patched
CVE SUMMARY: QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0142

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0143
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0143

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0144
CVE STATUS: Patched
CVE SUMMARY: QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0144

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0145
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c).
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0145

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0146
CVE STATUS: Patched
CVE SUMMARY: The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapshot_offset and nb_snapshots fields.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0146

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0147
CVE STATUS: Patched
CVE SUMMARY: Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0147

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0148
CVE STATUS: Patched
CVE SUMMARY: Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could ise this flaw to crash the Qemu instance resulting in DoS.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0148

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0150
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0150

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0182
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0182

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0222
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0222

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-0223
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0223

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-2894
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2894

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-3461
CVE STATUS: Patched
CVE SUMMARY: hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks."
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3461

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-3471
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3471

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-3615
CVE STATUS: Patched
CVE SUMMARY: The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3615

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-3640
CVE STATUS: Patched
CVE SUMMARY: The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3640

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-3689
CVE STATUS: Patched
CVE SUMMARY: The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3689

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-5263
CVE STATUS: Patched
CVE SUMMARY: vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5263

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-5388
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5388

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-7815
CVE STATUS: Patched
CVE SUMMARY: The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7815

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-7840
CVE STATUS: Patched
CVE SUMMARY: The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7840

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-8106
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8106

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2014-9718
CVE STATUS: Patched
CVE SUMMARY: The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9718

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-1779
CVE STATUS: Patched
CVE SUMMARY: The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1779

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-3209
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3209

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-3214
CVE STATUS: Patched
CVE SUMMARY: The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3214

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-3456
CVE STATUS: Patched
CVE SUMMARY: The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
CVSS v2 BASE SCORE: 7.7
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3456

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-4037
CVE STATUS: Patched
CVE SUMMARY: The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4037

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-4106
CVE STATUS: Patched
CVE SUMMARY: QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4106

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-5154
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5154

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-5158
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5158

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-5225
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5225

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-5239
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5239

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-5278
CVE STATUS: Patched
CVE SUMMARY: The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5278

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-5279
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5279

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-5745
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5745

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-6815
CVE STATUS: Patched
CVE SUMMARY: The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6815

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-6855
CVE STATUS: Patched
CVE SUMMARY: hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6855

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-7295
CVE STATUS: Patched
CVE SUMMARY: hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7295

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-7504
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7504

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-7512
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 9.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7512

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-7549
CVE STATUS: Patched
CVE SUMMARY: The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7549

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8345
CVE STATUS: Patched
CVE SUMMARY: The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8345

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8504
CVE STATUS: Patched
CVE SUMMARY: Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8504

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8556
CVE STATUS: Patched
CVE SUMMARY: Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 10.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8556

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8558
CVE STATUS: Patched
CVE SUMMARY: The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8558

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8567
CVE STATUS: Patched
CVE SUMMARY: Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8567

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8568
CVE STATUS: Patched
CVE SUMMARY: Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8568

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8613
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8613

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8619
CVE STATUS: Patched
CVE SUMMARY: The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8619

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8666
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 7.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8666

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8701
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8701

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8743
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8743

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8744
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8744

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8745
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8745

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8817
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8817

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2015-8818
CVE STATUS: Patched
CVE SUMMARY: The cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8818

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-10028
CVE STATUS: Patched
CVE SUMMARY: The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a VIRTIO_GPU_CMD_GET_CAPSET command with a maximum capabilities size with a value of 0.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10028

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-10029
CVE STATUS: Patched
CVE SUMMARY: The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10029

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-10155
CVE STATUS: Patched
CVE SUMMARY: Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10155

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-1568
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1568

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-1714
CVE STATUS: Patched
CVE SUMMARY: The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 8.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1714

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-1922
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1922

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-1981
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1981

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-2197
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2197

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-2198
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2198

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-2391
CVE STATUS: Patched
CVE SUMMARY: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2391

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-2392
CVE STATUS: Patched
CVE SUMMARY: The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2392

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-2538
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2538

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-2841
CVE STATUS: Patched
CVE SUMMARY: The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2841

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-2857
CVE STATUS: Patched
CVE SUMMARY: The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2857

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-2858
CVE STATUS: Patched
CVE SUMMARY: QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2858

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-3710
CVE STATUS: Patched
CVE SUMMARY: The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3710

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-3712
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3712

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4001
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4001

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4002
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4002

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4020
CVE STATUS: Patched
CVE SUMMARY: The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4020

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4037
CVE STATUS: Patched
CVE SUMMARY: The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4037

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4439
CVE STATUS: Patched
CVE SUMMARY: The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4439

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4441
CVE STATUS: Patched
CVE SUMMARY: The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4441

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4453
CVE STATUS: Patched
CVE SUMMARY: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4453

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4454
CVE STATUS: Patched
CVE SUMMARY: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4454

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4952
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4952

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-4964
CVE STATUS: Patched
CVE SUMMARY: The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4964

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-5105
CVE STATUS: Patched
CVE SUMMARY: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5105

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-5106
CVE STATUS: Patched
CVE SUMMARY: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5106

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-5107
CVE STATUS: Patched
CVE SUMMARY: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5107

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-5126
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5126

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-5238
CVE STATUS: Patched
CVE SUMMARY: The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5238

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-5337
CVE STATUS: Patched
CVE SUMMARY: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5337

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-5338
CVE STATUS: Patched
CVE SUMMARY: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5338

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-5403
CVE STATUS: Patched
CVE SUMMARY: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5403

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-6351
CVE STATUS: Patched
CVE SUMMARY: The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6351

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-6490
CVE STATUS: Patched
CVE SUMMARY: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6490

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-6833
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6833

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-6834
CVE STATUS: Patched
CVE SUMMARY: The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6834

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-6835
CVE STATUS: Patched
CVE SUMMARY: The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6835

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-6836
CVE STATUS: Patched
CVE SUMMARY: The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6836

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-6888
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6888

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7116
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7116

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7155
CVE STATUS: Patched
CVE SUMMARY: hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7155

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7156
CVE STATUS: Patched
CVE SUMMARY: The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7156

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7157
CVE STATUS: Patched
CVE SUMMARY: The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7157

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7161
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7161

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7170
CVE STATUS: Patched
CVE SUMMARY: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7170

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7421
CVE STATUS: Patched
CVE SUMMARY: The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7421

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7422
CVE STATUS: Patched
CVE SUMMARY: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7422

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7423
CVE STATUS: Patched
CVE SUMMARY: The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7423

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7466
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7466

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7907
CVE STATUS: Patched
CVE SUMMARY: The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7907

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7908
CVE STATUS: Patched
CVE SUMMARY: The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7908

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7909
CVE STATUS: Patched
CVE SUMMARY: The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7909

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7994
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7994

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-7995
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7995

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-8576
CVE STATUS: Patched
CVE SUMMARY: The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8576

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-8577
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8577

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-8578
CVE STATUS: Patched
CVE SUMMARY: The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8578

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-8667
CVE STATUS: Patched
CVE SUMMARY: The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8667

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-8668
CVE STATUS: Patched
CVE SUMMARY: The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8668

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-8669
CVE STATUS: Patched
CVE SUMMARY: The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8669

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-8909
CVE STATUS: Patched
CVE SUMMARY: The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8909

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-8910
CVE STATUS: Patched
CVE SUMMARY: The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8910

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9101
CVE STATUS: Patched
CVE SUMMARY: Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9101

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9102
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9102

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9103
CVE STATUS: Patched
CVE SUMMARY: The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9103

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9104
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9104

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9105
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9105

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9106
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9106

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9381
CVE STATUS: Patched
CVE SUMMARY: Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9381

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9602
CVE STATUS: Patched
CVE SUMMARY: Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9602

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9603
CVE STATUS: Patched
CVE SUMMARY: A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9603

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9776
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9776

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9845
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9845

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9846
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9846

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9907
CVE STATUS: Patched
CVE SUMMARY: Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9907

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9908
CVE STATUS: Patched
CVE SUMMARY: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9908

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9911
CVE STATUS: Patched
CVE SUMMARY: Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9911

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9912
CVE STATUS: Patched
CVE SUMMARY: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9912

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9913
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9913

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9914
CVE STATUS: Patched
CVE SUMMARY: Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9914

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9915
CVE STATUS: Patched
CVE SUMMARY: Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9915

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9916
CVE STATUS: Patched
CVE SUMMARY: Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9916

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9921
CVE STATUS: Patched
CVE SUMMARY: Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9921

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9922
CVE STATUS: Patched
CVE SUMMARY: The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving blit pitch values.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9922

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2016-9923
CVE STATUS: Patched
CVE SUMMARY: Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9923

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-10664
CVE STATUS: Patched
CVE SUMMARY: qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10664

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-10806
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10806

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-11334
CVE STATUS: Patched
CVE SUMMARY: The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11334

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-11434
CVE STATUS: Patched
CVE SUMMARY: The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11434

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-12809
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12809

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-13672
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13672

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-13673
CVE STATUS: Patched
CVE SUMMARY: The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13673

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-13711
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13711

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-14167
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14167

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-15038
CVE STATUS: Patched
CVE SUMMARY: Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15038

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-15118
CVE STATUS: Patched
CVE SUMMARY: A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15118

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-15119
CVE STATUS: Patched
CVE SUMMARY: The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15119

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-15124
CVE STATUS: Patched
CVE SUMMARY: VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15124

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-15268
CVE STATUS: Patched
CVE SUMMARY: Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15268

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-15289
CVE STATUS: Patched
CVE SUMMARY: The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15289

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-16845
CVE STATUS: Patched
CVE SUMMARY: hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 10.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16845

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-17381
CVE STATUS: Patched
CVE SUMMARY: The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17381

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-18030
CVE STATUS: Patched
CVE SUMMARY: The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18030

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-18043
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18043

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-2615
CVE STATUS: Patched
CVE SUMMARY: Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2615

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-2620
CVE STATUS: Patched
CVE SUMMARY: Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2620

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-2630
CVE STATUS: Patched
CVE SUMMARY: A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2630

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-2633
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 5.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2633

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5525
CVE STATUS: Patched
CVE SUMMARY: Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5525

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5526
CVE STATUS: Patched
CVE SUMMARY: Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5526

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5552
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5552

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5578
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5578

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5579
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5579

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5667
CVE STATUS: Patched
CVE SUMMARY: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5667

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5856
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5856

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5857
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5857

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5898
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the emulated_apdu_from_guest function in usb/dev-smartcard-reader.c in Quick Emulator (Qemu), when built with the CCID Card device emulator support, allows local users to cause a denial of service (application crash) via a large Application Protocol Data Units (APDU) unit.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5898

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5931
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5931

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5973
CVE STATUS: Patched
CVE SUMMARY: The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5973

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-5987
CVE STATUS: Patched
CVE SUMMARY: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5987

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-6058
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6058

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-6505
CVE STATUS: Patched
CVE SUMMARY: The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different vulnerability than CVE-2017-9330.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6505

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-7377
CVE STATUS: Patched
CVE SUMMARY: The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7377

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-7471
CVE STATUS: Patched
CVE SUMMARY: Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.
CVSS v2 BASE SCORE: 7.7
CVSS v3 BASE SCORE: 9.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7471

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-7493
CVE STATUS: Patched
CVE SUMMARY: Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7493

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-7539
CVE STATUS: Patched
CVE SUMMARY: An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7539

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-7718
CVE STATUS: Patched
CVE SUMMARY: hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7718

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-7980
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7980

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-8086
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8086

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-8112
CVE STATUS: Patched
CVE SUMMARY: hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8112

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-8284
CVE STATUS: Patched
CVE SUMMARY: The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8284

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-8309
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8309

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-8379
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8379

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-8380
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8380

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-9060
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9060

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-9310
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) outside the allocated descriptor buffer.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9310

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-9330
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9330

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-9373
CVE STATUS: Patched
CVE SUMMARY: Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9373

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-9374
CVE STATUS: Patched
CVE SUMMARY: Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9374

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-9375
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9375

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-9503
CVE STATUS: Patched
CVE SUMMARY: QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9503

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2017-9524
CVE STATUS: Patched
CVE SUMMARY: The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9524

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-10839
CVE STATUS: Patched
CVE SUMMARY: Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10839

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-11806
CVE STATUS: Patched
CVE SUMMARY: m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11806

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-12617
CVE STATUS: Patched
CVE SUMMARY: qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12617

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-15746
CVE STATUS: Patched
CVE SUMMARY: qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15746

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-16847
CVE STATUS: Patched
CVE SUMMARY: An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16847

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-16867
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16867

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-16872
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16872

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-17958
CVE STATUS: Patched
CVE SUMMARY: Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17958

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-17962
CVE STATUS: Patched
CVE SUMMARY: Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17962

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-17963
CVE STATUS: Patched
CVE SUMMARY: qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17963

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-18438
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: The issues identified by this CVE were determined to not constitute a vulnerability.
CVE SUMMARY: Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18438

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-18849
CVE STATUS: Patched
CVE SUMMARY: In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18849

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-18954
CVE STATUS: Patched
CVE SUMMARY: The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18954

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-19364
CVE STATUS: Patched
CVE SUMMARY: hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19364

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-19489
CVE STATUS: Patched
CVE SUMMARY: v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19489

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-19665
CVE STATUS: Patched
CVE SUMMARY: The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19665

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-20123
CVE STATUS: Patched
CVE SUMMARY: pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20123

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-20124
CVE STATUS: Patched
CVE SUMMARY: hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20124

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-20125
CVE STATUS: Patched
CVE SUMMARY: hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20125

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-20126
CVE STATUS: Patched
CVE SUMMARY: hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20126

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-20191
CVE STATUS: Patched
CVE SUMMARY: hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20191

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-20216
CVE STATUS: Patched
CVE SUMMARY: QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20216

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-20815
CVE STATUS: Patched
CVE SUMMARY: In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20815

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-5683
CVE STATUS: Patched
CVE SUMMARY: The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5683

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-7550
CVE STATUS: Patched
CVE SUMMARY: The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7550

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2018-7858
CVE STATUS: Patched
CVE SUMMARY: Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7858

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-12067
CVE STATUS: Unpatched
CVE SUMMARY: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12067

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-12068
CVE STATUS: Patched
CVE SUMMARY: In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12068

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-12155
CVE STATUS: Patched
CVE SUMMARY: interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12155

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-12247
CVE STATUS: Patched
CVE SUMMARY: QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12247

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-12928
CVE STATUS: Patched
CVE SUMMARY: The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12928

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-12929
CVE STATUS: Patched
CVE SUMMARY: The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12929

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-13164
CVE STATUS: Patched
CVE SUMMARY: qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13164

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-15034
CVE STATUS: Patched
CVE SUMMARY: hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 5.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15034

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-15890
CVE STATUS: Patched
CVE SUMMARY: libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15890

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-20175
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20175

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-20382
CVE STATUS: Patched
CVE SUMMARY: QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20382

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-20808
CVE STATUS: Patched
CVE SUMMARY: In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20808

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-3812
CVE STATUS: Patched
CVE SUMMARY: QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3812

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-5008
CVE STATUS: Patched
CVE SUMMARY: hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5008

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-6501
CVE STATUS: Patched
CVE SUMMARY: In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6501

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-6778
CVE STATUS: Patched
CVE SUMMARY: In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6778

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-8934
CVE STATUS: Patched
CVE SUMMARY: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8934

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2019-9824
CVE STATUS: Patched
CVE SUMMARY: tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9824

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-10702
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10702

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-10717
CVE STATUS: Patched
CVE SUMMARY: A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/process to cause this denial of service on the host.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10717

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-10761
CVE STATUS: Patched
CVE SUMMARY: An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10761

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-11102
CVE STATUS: Patched
CVE SUMMARY: hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11102

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-11869
CVE STATUS: Patched
CVE SUMMARY: An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11869

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-11947
CVE STATUS: Patched
CVE SUMMARY: iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11947

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-12829
CVE STATUS: Patched
CVE SUMMARY: In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12829

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-13253
CVE STATUS: Patched
CVE SUMMARY: sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13253

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-13361
CVE STATUS: Patched
CVE SUMMARY: In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 3.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13361

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-13362
CVE STATUS: Patched
CVE SUMMARY: In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13362

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-13659
CVE STATUS: Patched
CVE SUMMARY: address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 2.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13659

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-13754
CVE STATUS: Patched
CVE SUMMARY: hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13754

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-13765
CVE STATUS: Patched
CVE SUMMARY: rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13765

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-13791
CVE STATUS: Patched
CVE SUMMARY: hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13791

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-13800
CVE STATUS: Patched
CVE SUMMARY: ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13800

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-14364
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 5.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14364

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-14394
CVE STATUS: Patched
CVE SUMMARY: An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14394

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-14415
CVE STATUS: Patched
CVE SUMMARY: oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14415

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-15469
CVE STATUS: Patched
CVE SUMMARY: In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 2.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15469

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-15859
CVE STATUS: Patched
CVE SUMMARY: QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15859

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-15863
CVE STATUS: Patched
CVE SUMMARY: hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15863

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-16092
CVE STATUS: Patched
CVE SUMMARY: In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16092

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-1711
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.
CVSS v2 BASE SCORE: 6.0
CVSS v3 BASE SCORE: 7.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1711

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-17380
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17380

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-24165
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24165

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-24352
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24352

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-25084
CVE STATUS: Patched
CVE SUMMARY: QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25084

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-25085
CVE STATUS: Patched
CVE SUMMARY: QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 5.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25085

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-25624
CVE STATUS: Patched
CVE SUMMARY: hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 5.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25624

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-25625
CVE STATUS: Patched
CVE SUMMARY: hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25625

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-25723
CVE STATUS: Patched
CVE SUMMARY: A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25723

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-25741
CVE STATUS: Patched
CVE SUMMARY: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25741

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-25742
CVE STATUS: Patched
CVE SUMMARY: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25742

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-25743
CVE STATUS: Patched
CVE SUMMARY: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25743

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-27616
CVE STATUS: Patched
CVE SUMMARY: ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27616

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-27617
CVE STATUS: Patched
CVE SUMMARY: eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27617

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-27661
CVE STATUS: Patched
CVE SUMMARY: A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27661

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-27821
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27821

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-28916
CVE STATUS: Patched
CVE SUMMARY: hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28916

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-29443
CVE STATUS: Patched
CVE SUMMARY: ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 3.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29443

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-35503
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35503

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-35504
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35504

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-35505
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35505

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-35506
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35506

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-35517
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35517

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-7039
CVE STATUS: Patched
CVE SUMMARY: tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7039

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2020-7211
CVE STATUS: Patched
CVE SUMMARY: tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7211

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-20181
CVE STATUS: Patched
CVE SUMMARY: A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20181

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-20196
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20196

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-20203
CVE STATUS: Patched
CVE SUMMARY: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20203

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-20221
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20221

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-20255
CVE STATUS: Unpatched
CVE SUMMARY: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20255

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-20257
CVE STATUS: Patched
CVE SUMMARY: An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20257

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-20263
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20263

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-20295
CVE STATUS: Patched
CVE SUMMARY: It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20295

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3392
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3392

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3409
CVE STATUS: Patched
CVE SUMMARY: The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3409

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3416
CVE STATUS: Patched
CVE SUMMARY: A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3416

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3507
CVE STATUS: Patched
CVE SUMMARY: A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3507

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3527
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3527

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3544
CVE STATUS: Patched
CVE SUMMARY: Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3544

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3545
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3545

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3546
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3546

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3582
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3582

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3607
CVE STATUS: Patched
CVE SUMMARY: An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3607

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3608
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3608

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3611
CVE STATUS: Patched
CVE SUMMARY: A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3611

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3638
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3638

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3682
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
CVSS v2 BASE SCORE: 6.0
CVSS v3 BASE SCORE: 8.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3682

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3713
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3713

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3735
CVE STATUS: Patched
CVE SUMMARY: A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3735

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3748
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3748

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3750
CVE STATUS: Patched
CVE SUMMARY: A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3750

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3929
CVE STATUS: Patched
CVE SUMMARY: A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3929

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3930
CVE STATUS: Patched
CVE SUMMARY: An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3930

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-3947
CVE STATUS: Patched
CVE SUMMARY: A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3947

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-4145
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4145

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-4158
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4158

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-4206
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4206

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2021-4207
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4207

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-0216
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0216

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-0358
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0358

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-1050
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1050

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-26353
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26353

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-26354
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26354

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-2962
CVE STATUS: Patched
CVE SUMMARY: A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2962

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-3165
CVE STATUS: Patched
CVE SUMMARY: An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3165

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-35414
CVE STATUS: Patched
CVE SUMMARY: softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., "Bugs affecting the non-virtualization use case are not considered security bugs at this time.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35414

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-36648
CVE STATUS: Patched
CVE SUMMARY: The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 10.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36648

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-3872
CVE STATUS: Patched
CVE SUMMARY: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3872

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-4144
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4144

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2022-4172
CVE STATUS: Patched
CVE SUMMARY: An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4172

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-0330
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0330

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-0664
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: Issue only applies on Windows
CVE SUMMARY: A flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0664

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-1386
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1386

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-1544
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1544

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-2680
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: RHEL specific issue.
CVE SUMMARY: This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2680

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-2861
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2861

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-3019
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Applies only against versions before 8.2.0
CVE SUMMARY: A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3019

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-3180
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3180

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-3255
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3255

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-3301
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3301

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-3354
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3354

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-40360
CVE STATUS: Patched
CVE SUMMARY: QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40360

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-4135
CVE STATUS: Patched
CVE SUMMARY: A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4135

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-42467
CVE STATUS: Patched
CVE SUMMARY: QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42467

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-5088
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Applies only against version 8.2.0 and earlier
CVE SUMMARY: A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5088

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-6683
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Applies only against version 8.2.1 and earlier
CVE SUMMARY: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6683

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2023-6693
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Applies only against version 8.2.0 and earlier
CVE SUMMARY: A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.9
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6693

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2024-3567
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-3567

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2024-4467
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-4467

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2024-4667
CVE STATUS: Patched
CVE SUMMARY: The Blog, Posts and Category Filter for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post and Category Filter widget in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied 'post_types' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-4667

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2024-6505
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6505

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2024-7409
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7409

LAYER: meta
PACKAGE NAME: qemu-native
PACKAGE VERSION: 8.2.3
CVE: CVE-2024-8354
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-8354

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2000-0963
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0963

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2002-0062
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package as used in Red Hat Linux, allows local users to gain privileges, related to "routines for moving the physical cursor and scrolling."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0062

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-10684
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10684

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-10685
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10685

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-11112
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11112

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-11113
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11113

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-13728
CVE STATUS: Patched
CVE SUMMARY: There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13728

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-13729
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13729

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-13730
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13730

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-13731
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13731

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-13732
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13732

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-13733
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13733

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-13734
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13734

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2017-16879
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16879

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2018-19211
CVE STATUS: Patched
CVE SUMMARY: In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19211

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2018-19217
CVE STATUS: Patched
CVE SUMMARY: In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19217

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2019-15547
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are format string issues in printw functions because C format arguments are mishandled.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15547

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2019-15548
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are instr and mvwinstr buffer overflows because interaction with C functions is mishandled.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15548

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2019-17594
CVE STATUS: Patched
CVE SUMMARY: There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17594

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2019-17595
CVE STATUS: Patched
CVE SUMMARY: There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 5.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17595

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2020-19185
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19185

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2020-19186
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19186

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2020-19187
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19187

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2020-19188
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19188

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2020-19189
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19189

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2020-19190
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19190

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2021-39537
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39537

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2022-29458
CVE STATUS: Patched
CVE SUMMARY: ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29458

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2023-29491
CVE STATUS: Patched
CVE SUMMARY: ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29491

LAYER: meta
PACKAGE NAME: ncurses-native
PACKAGE VERSION: 6.4
CVE: CVE-2023-50495
CVE STATUS: Patched
CVE SUMMARY: NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50495

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2005-1039
CVE STATUS: Patched
CVE SUMMARY: Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, (2) mknod, or (3) mkfifo is running with the -m switch, allows local users to modify permissions of other files.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1039

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2008-1946
CVE STATUS: Patched
CVE SUMMARY: The default configuration of su in /etc/pam.d/su in GNU coreutils 5.2.1 allows local users to gain the privileges of a (1) locked or (2) expired account by entering the account name on the command line, related to improper use of the pam_succeed_if.so module.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1946

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2009-4135
CVE STATUS: Patched
CVE SUMMARY: The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4135

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2014-9471
CVE STATUS: Patched
CVE SUMMARY: The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9471

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2015-1865
CVE STATUS: Patched
CVE SUMMARY: fts.c in coreutils 8.4 allows local users to delete arbitrary files.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1865

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2015-4041
CVE STATUS: Patched
CVE SUMMARY: The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4041

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2015-4042
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4042

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2016-2781
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
CVE SUMMARY: chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2781

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2017-18018
CVE STATUS: Patched
CVE SUMMARY: In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18018

LAYER: meta
PACKAGE NAME: coreutils-native
PACKAGE VERSION: 9.4
CVE: CVE-2024-0684
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the GNU coreutils "split" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0684

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2001-1147
CVE STATUS: Patched
CVE SUMMARY: The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1147

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2001-1175
CVE STATUS: Patched
CVE SUMMARY: vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1175

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2001-1494
CVE STATUS: Patched
CVE SUMMARY: script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1494

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2003-0094
CVE STATUS: Patched
CVE SUMMARY: A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0094

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2004-0080
CVE STATUS: Patched
CVE SUMMARY: The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0080

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2005-2876
CVE STATUS: Patched
CVE SUMMARY: umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2876

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2006-7108
CVE STATUS: Patched
CVE SUMMARY: login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok.
CVSS v2 BASE SCORE: 4.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7108

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2007-5191
CVE STATUS: Patched
CVE SUMMARY: mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5191

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2008-1926
CVE STATUS: Patched
CVE SUMMARY: Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1926

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2011-1675
CVE STATUS: Patched
CVE SUMMARY: mount in util-linux 2.19 and earlier attempts to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1675

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2011-1676
CVE STATUS: Patched
CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1676

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2011-1677
CVE STATUS: Patched
CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1677

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2013-0157
CVE STATUS: Patched
CVE SUMMARY: (a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0157

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2014-9114
CVE STATUS: Patched
CVE SUMMARY: Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9114

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2015-5218
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5218

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2015-5224
CVE STATUS: Patched
CVE SUMMARY: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5224

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2016-2779
CVE STATUS: Patched
CVE SUMMARY: runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2779

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2016-5011
CVE STATUS: Patched
CVE SUMMARY: The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5011

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2017-2616
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2616

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2018-7738
CVE STATUS: Patched
CVE SUMMARY: In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7738

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2020-21583
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21583

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2021-37600
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37600

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2021-3995
CVE STATUS: Patched
CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3995

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2021-3996
CVE STATUS: Patched
CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3996

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2022-0563
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0563

LAYER: meta
PACKAGE NAME: util-linux-native
PACKAGE VERSION: 2.39.3
CVE: CVE-2024-28085
CVE STATUS: Patched
CVE SUMMARY: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-28085

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6589
CVE STATUS: Patched
CVE SUMMARY: Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6589

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6590
CVE STATUS: Patched
CVE SUMMARY: Multiple directory traversal vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to read arbitrary files via a .. (dot dot) in the page parameter to (1) index.php and (2) LightNEasy.php.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6590

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6592
CVE STATUS: Patched
CVE SUMMARY: thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing a %00 (encoded null byte).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6592

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6593
CVE STATUS: Patched
CVE SUMMARY: SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy SQLite 1.2.2 and earlier allows remote attackers to inject arbitrary PHP code into comments.dat via the dlid parameter to index.php.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6593

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2013-7443
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows remote attackers to cause a denial of service (crash) via crafted SQL statements.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7443

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3414
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3414

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3415
CVE STATUS: Patched
CVE SUMMARY: The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3415

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3416
CVE STATUS: Patched
CVE SUMMARY: The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3416

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3717
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3717

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-5895
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as used in Apple iOS before 9, have unknown impact and attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5895

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-6607
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows attackers to gain privileges via a crafted application, aka internal bug 20099586.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6607

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2016-6153
CVE STATUS: Patched
CVE SUMMARY: os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6153

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2017-10989
CVE STATUS: Patched
CVE SUMMARY: The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10989

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2017-13685
CVE STATUS: Patched
CVE SUMMARY: The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13685

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2017-15286
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15286

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-20346
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20346

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-20505
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20505

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-20506
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20506

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-8740
CVE STATUS: Patched
CVE SUMMARY: In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8740

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-16168
CVE STATUS: Patched
CVE SUMMARY: In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16168

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19242
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19242

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19244
CVE STATUS: Patched
CVE SUMMARY: sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19244

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19317
CVE STATUS: Patched
CVE SUMMARY: lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19317

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19603
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19603

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19645
CVE STATUS: Patched
CVE SUMMARY: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19645

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19646
CVE STATUS: Patched
CVE SUMMARY: pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19646

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19880
CVE STATUS: Patched
CVE SUMMARY: exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19880

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19923
CVE STATUS: Patched
CVE SUMMARY: flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19923

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19924
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19924

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19925
CVE STATUS: Patched
CVE SUMMARY: zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19925

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19926
CVE STATUS: Patched
CVE SUMMARY: multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19926

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19959
CVE STATUS: Patched
CVE SUMMARY: ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19959

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-20218
CVE STATUS: Patched
CVE SUMMARY: selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20218

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-5018
CVE STATUS: Patched
CVE SUMMARY: An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5018

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-8457
CVE STATUS: Patched
CVE SUMMARY: SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8457

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-9936
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9936

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-9937
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9937

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-11655
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11655

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-11656
CVE STATUS: Patched
CVE SUMMARY: In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11656

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13434
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13434

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13435
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13435

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13630
CVE STATUS: Patched
CVE SUMMARY: ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13630

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13631
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13631

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13632
CVE STATUS: Patched
CVE SUMMARY: ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13632

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13871
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13871

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-15358
CVE STATUS: Patched
CVE SUMMARY: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15358

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-35525
CVE STATUS: Patched
CVE SUMMARY: In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35525

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-35527
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35527

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-9327
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9327

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-20227
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20227

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-31239
CVE STATUS: Patched
CVE SUMMARY: An issue found in SQLite SQLite3 v.3.35.4 that allows a remote attacker to cause a denial of service via the appendvfs.c function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31239

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-36690
CVE STATUS: Patched
CVE SUMMARY: A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-36690

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-45346
CVE STATUS: Patched
CVE SUMMARY: A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45346

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2022-35737
CVE STATUS: Patched
CVE SUMMARY: SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35737

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2022-46908
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-46908

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2023-7104
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7104

LAYER: meta
PACKAGE NAME: sqlite3-native
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2024-0232
CVE STATUS: Patched
CVE SUMMARY: A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0232

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2005-4807
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the as_bad function in messages.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050721 allows attackers to execute arbitrary code via a .c file with crafted inline assembly code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4807

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2005-4808
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in reset_vars in config/tc-crx.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050714 allows user-assisted attackers to have an unknown impact via a crafted .s file.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4808

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2006-2362
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2362

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2012-3509
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the "addition of CHUNK_HEADER_SIZE to the length," which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3509

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2014-8484
CVE STATUS: Patched
CVE SUMMARY: The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8484

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2014-8485
CVE STATUS: Patched
CVE SUMMARY: The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8485

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2014-8501
CVE STATUS: Patched
CVE SUMMARY: The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8501

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2014-8502
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8502

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2014-8503
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8503

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2014-8504
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8504

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2014-8737
CVE STATUS: Patched
CVE SUMMARY: Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8737

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2014-8738
CVE STATUS: Patched
CVE SUMMARY: The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8738

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2014-9939
CVE STATUS: Patched
CVE SUMMARY: ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9939

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12448
CVE STATUS: Patched
CVE SUMMARY: The bfd_cache_close function in bfd/cache.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a heap use after free and possibly achieve code execution via a crafted nested archive file. This issue occurs because incorrect functions are called during an attempt to release memory. The issue can be addressed by better input validation in the bfd_generic_archive_p function in bfd/archive.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12448

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12449
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12449

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12450
CVE STATUS: Patched
CVE SUMMARY: The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12450

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12451
CVE STATUS: Patched
CVE SUMMARY: The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12451

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12452
CVE STATUS: Patched
CVE SUMMARY: The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12452

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12453
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12453

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12454
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12454

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12455
CVE STATUS: Patched
CVE SUMMARY: The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12455

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12456
CVE STATUS: Patched
CVE SUMMARY: The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12456

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12457
CVE STATUS: Patched
CVE SUMMARY: The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12457

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12458
CVE STATUS: Patched
CVE SUMMARY: The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12458

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12459
CVE STATUS: Patched
CVE SUMMARY: The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted mach-o file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12459

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12799
CVE STATUS: Patched
CVE SUMMARY: The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12799

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-12967
CVE STATUS: Patched
CVE SUMMARY: The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12967

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-13710
CVE STATUS: Patched
CVE SUMMARY: The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13710

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-13716
CVE STATUS: Patched
CVE SUMMARY: The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13716

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-13757
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13757

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14128
CVE STATUS: Patched
CVE SUMMARY: The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14128

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14129
CVE STATUS: Patched
CVE SUMMARY: The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14129

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14130
CVE STATUS: Patched
CVE SUMMARY: The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14130

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14333
CVE STATUS: Patched
CVE SUMMARY: The process_version_sections function in readelf.c in GNU Binutils 2.29 allows attackers to cause a denial of service (Integer Overflow, and hang because of a time-consuming loop) or possibly have unspecified other impact via a crafted binary file with invalid values of ent.vn_next, during "readelf -a" execution.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14333

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14529
CVE STATUS: Patched
CVE SUMMARY: The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14529

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14729
CVE STATUS: Patched
CVE SUMMARY: The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14729

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14745
CVE STATUS: Patched
CVE SUMMARY: The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14745

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14930
CVE STATUS: Patched
CVE SUMMARY: Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14930

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14932
CVE STATUS: Patched
CVE SUMMARY: decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14932

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14933
CVE STATUS: Patched
CVE SUMMARY: read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14933

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14934
CVE STATUS: Patched
CVE SUMMARY: process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14934

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14938
CVE STATUS: Patched
CVE SUMMARY: _bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14938

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14939
CVE STATUS: Patched
CVE SUMMARY: decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14939

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14940
CVE STATUS: Patched
CVE SUMMARY: scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14940

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-14974
CVE STATUS: Patched
CVE SUMMARY: The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14974

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15020
CVE STATUS: Patched
CVE SUMMARY: dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15020

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15021
CVE STATUS: Patched
CVE SUMMARY: bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15021

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15022
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15022

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15023
CVE STATUS: Patched
CVE SUMMARY: read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15023

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15024
CVE STATUS: Patched
CVE SUMMARY: find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15024

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15025
CVE STATUS: Patched
CVE SUMMARY: decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15025

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15225
CVE STATUS: Patched
CVE SUMMARY: _bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15225

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15938
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15938

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15939
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15939

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-15996
CVE STATUS: Patched
CVE SUMMARY: elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a "buffer overflow on fuzzed archive header," related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15996

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-16826
CVE STATUS: Patched
CVE SUMMARY: The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16826

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-16827
CVE STATUS: Patched
CVE SUMMARY: The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16827

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-16828
CVE STATUS: Patched
CVE SUMMARY: The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16828

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-16829
CVE STATUS: Patched
CVE SUMMARY: The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16829

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-16830
CVE STATUS: Patched
CVE SUMMARY: The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16830

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-16831
CVE STATUS: Patched
CVE SUMMARY: coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16831

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-16832
CVE STATUS: Patched
CVE SUMMARY: The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16832

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-17080
CVE STATUS: Patched
CVE SUMMARY: elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17080

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-17121
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17121

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-17122
CVE STATUS: Patched
CVE SUMMARY: The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17122

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-17123
CVE STATUS: Patched
CVE SUMMARY: The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17123

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-17124
CVE STATUS: Patched
CVE SUMMARY: The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17124

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-17125
CVE STATUS: Patched
CVE SUMMARY: nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17125

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-17126
CVE STATUS: Patched
CVE SUMMARY: The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17126

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-6965
CVE STATUS: Patched
CVE SUMMARY: readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6965

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-6966
CVE STATUS: Patched
CVE SUMMARY: readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6966

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-6969
CVE STATUS: Patched
CVE SUMMARY: readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6969

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7209
CVE STATUS: Patched
CVE SUMMARY: The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7209

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7210
CVE STATUS: Patched
CVE SUMMARY: objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7210

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7223
CVE STATUS: Patched
CVE SUMMARY: GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7223

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7224
CVE STATUS: Patched
CVE SUMMARY: The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7224

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7225
CVE STATUS: Patched
CVE SUMMARY: The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7225

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7226
CVE STATUS: Patched
CVE SUMMARY: The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7226

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7227
CVE STATUS: Patched
CVE SUMMARY: GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\0' termination of a name field in ldlex.l.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7227

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7299
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7299

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7300
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7300

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7301
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7301

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7302
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7302

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7303
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7303

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7304
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7304

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-7614
CVE STATUS: Patched
CVE SUMMARY: elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an "int main() {return 0;}" program.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7614

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-8392
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8392

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-8393
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8393

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-8394
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8394

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-8395
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8395

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-8396
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8396

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-8397
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8397

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-8398
CVE STATUS: Patched
CVE SUMMARY: dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8398

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-8421
CVE STATUS: Patched
CVE SUMMARY: The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8421

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9038
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9038

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9039
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9039

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9040
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9040

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9041
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9041

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9042
CVE STATUS: Patched
CVE SUMMARY: readelf.c in GNU Binutils 2017-04-12 has a "cannot be represented in type long" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9042

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9043
CVE STATUS: Patched
CVE SUMMARY: readelf.c in GNU Binutils 2017-04-12 has a "shift exponent too large for type unsigned long" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9043

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9044
CVE STATUS: Patched
CVE SUMMARY: The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9044

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9742
CVE STATUS: Patched
CVE SUMMARY: The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9742

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9743
CVE STATUS: Patched
CVE SUMMARY: The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9743

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9744
CVE STATUS: Patched
CVE SUMMARY: The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9744

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9745
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9745

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9746
CVE STATUS: Patched
CVE SUMMARY: The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9746

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9747
CVE STATUS: Patched
CVE SUMMARY: The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. NOTE: this may be related to a compiler bug.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9747

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9748
CVE STATUS: Patched
CVE SUMMARY: The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. NOTE: this may be related to a compiler bug.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9748

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9749
CVE STATUS: Patched
CVE SUMMARY: The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9749

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9750
CVE STATUS: Patched
CVE SUMMARY: opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9750

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9751
CVE STATUS: Patched
CVE SUMMARY: opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9751

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9752
CVE STATUS: Patched
CVE SUMMARY: bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9752

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9753
CVE STATUS: Patched
CVE SUMMARY: The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9753

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9754
CVE STATUS: Patched
CVE SUMMARY: The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9754

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9755
CVE STATUS: Patched
CVE SUMMARY: opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9755

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9756
CVE STATUS: Patched
CVE SUMMARY: The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9756

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9954
CVE STATUS: Patched
CVE SUMMARY: The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9954

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2017-9955
CVE STATUS: Patched
CVE SUMMARY: The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9955

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-1000876
CVE STATUS: Patched
CVE SUMMARY: binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000876

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-10372
CVE STATUS: Patched
CVE SUMMARY: process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10372

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-10373
CVE STATUS: Patched
CVE SUMMARY: concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10373

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-10534
CVE STATUS: Patched
CVE SUMMARY: The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10534

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-10535
CVE STATUS: Patched
CVE SUMMARY: The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a "SECTION" type that has a "0" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10535

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-12641
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12641

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-12697
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12697

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-12698
CVE STATUS: Patched
CVE SUMMARY: demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12698

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-12699
CVE STATUS: Patched
CVE SUMMARY: finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12699

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-12934
CVE STATUS: Patched
CVE SUMMARY: remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12934

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-13033
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13033

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-17358
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17358

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-17359
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17359

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-17360
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17360

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-17794
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17794

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-17985
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17985

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-18309
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service, as demonstrated by objdump, because of missing _bfd_clear_contents bounds checking.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18309

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-18483
CVE STATUS: Patched
CVE SUMMARY: The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18483

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-18484
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18484

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-18605
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18605

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-18606
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18606

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-18607
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18607

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-18700
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18700

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-18701
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18701

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-19931
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19931

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-19932
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19932

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-20002
CVE STATUS: Patched
CVE SUMMARY: The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20002

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-20623
CVE STATUS: Patched
CVE SUMMARY: In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20623

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-20651
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20651

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-20657
CVE STATUS: Patched
CVE SUMMARY: The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20657

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-20671
CVE STATUS: Patched
CVE SUMMARY: load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20671

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-20673
CVE STATUS: Patched
CVE SUMMARY: The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for "Create an array for saving the template argument values") that can trigger a heap-based buffer overflow, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20673

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-20712
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20712

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-6323
CVE STATUS: Patched
CVE SUMMARY: The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6323

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-6543
CVE STATUS: Patched
CVE SUMMARY: In GNU Binutils 2.30, there's an integer overflow in the function load_specific_debug_section() in objdump.c, which results in `malloc()` with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6543

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-6759
CVE STATUS: Patched
CVE SUMMARY: The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6759

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-6872
CVE STATUS: Patched
CVE SUMMARY: The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6872

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-7208
CVE STATUS: Patched
CVE SUMMARY: In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7208

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-7568
CVE STATUS: Patched
CVE SUMMARY: The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7568

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-7569
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7569

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-7570
CVE STATUS: Patched
CVE SUMMARY: The assign_file_positions_for_non_load_sections function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an ELF file with a RELRO segment that lacks a matching LOAD segment, as demonstrated by objcopy.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7570

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-7642
CVE STATUS: Patched
CVE SUMMARY: The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7642

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-7643
CVE STATUS: Patched
CVE SUMMARY: The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7643

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-8945
CVE STATUS: Patched
CVE SUMMARY: The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8945

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-9138
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9138

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2018-9996
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9996

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-1010204
CVE STATUS: Patched
CVE SUMMARY: GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010204

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-12972
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\0' character.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12972

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-14250
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14250

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-14444
CVE STATUS: Patched
CVE SUMMARY: apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14444

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-17450
CVE STATUS: Patched
CVE SUMMARY: find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17450

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-17451
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17451

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-9070
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9070

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-9071
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9071

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-9072
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9072

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-9073
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9073

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-9074
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9074

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-9075
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9075

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-9076
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9076

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2019-9077
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9077

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-16590
CVE STATUS: Patched
CVE SUMMARY: A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16590

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-16591
CVE STATUS: Patched
CVE SUMMARY: A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16591

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-16592
CVE STATUS: Patched
CVE SUMMARY: A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16592

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-16593
CVE STATUS: Patched
CVE SUMMARY: A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16593

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-16599
CVE STATUS: Patched
CVE SUMMARY: A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16599

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-19724
CVE STATUS: Patched
CVE SUMMARY: A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19724

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-19726
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19726

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-21490
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU Binutils 2.34. It is a memory leak when process microblaze-dis.c. This one will consume memory on each insn disassembled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21490

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-35342
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35342

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-35448
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35448

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-35493
CVE STATUS: Patched
CVE SUMMARY: A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35493

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-35494
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35494

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-35495
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35495

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-35496
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35496

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2020-35507
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35507

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2021-20197
CVE STATUS: Patched
CVE SUMMARY: There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20197

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2021-20284
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20284

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2021-20294
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20294

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2021-32256
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32256

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2021-3530
CVE STATUS: Patched
CVE SUMMARY: A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3530

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2021-3549
CVE STATUS: Patched
CVE SUMMARY: An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3549

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2021-37322
CVE STATUS: Patched
CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2021-45078
CVE STATUS: Patched
CVE SUMMARY: stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45078

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2021-46174
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46174

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-35205
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35205

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-35206
CVE STATUS: Patched
CVE SUMMARY: Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35206

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-38533
CVE STATUS: Patched
CVE SUMMARY: In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-38533

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-4285
CVE STATUS: Patched
CVE SUMMARY: An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4285

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-44840
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44840

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-45703
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45703

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-47007
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47007

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-47008
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47008

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-47010
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47010

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-47011
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47011

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-47673
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47673

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-47695
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47695

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-47696
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47696

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-48063
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48063

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-48064
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48064

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2022-48065
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48065

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2023-1579
CVE STATUS: Patched
CVE SUMMARY: Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1579

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2023-1972
CVE STATUS: Patched
CVE SUMMARY: A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1972

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2023-25584
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Applies only for version 2.40 and earlier
CVE SUMMARY: An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25584

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2023-25585
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25585

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2023-25586
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Binutils. A logic fail in the bfd_init_section_decompress_status function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25586

LAYER: meta
PACKAGE NAME: binutils-cross-aarch64
PACKAGE VERSION: 2.42
CVE: CVE-2023-25588
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25588

LAYER: meta
PACKAGE NAME: iproute2
PACKAGE VERSION: 6.7.0
CVE: CVE-2012-1088
CVE STATUS: Patched
CVE SUMMARY: iproute2 before 3.3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file used by (1) configure or (2) examples/dhcp-client-script.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1088

LAYER: meta
PACKAGE NAME: iproute2
PACKAGE VERSION: 6.7.0
CVE: CVE-2019-20795
CVE STATUS: Patched
CVE SUMMARY: iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. NOTE: security relevance may be limited to certain uses of setuid that, although not a default, are sometimes a configuration option offered to end users. Even when setuid is used, other factors (such as C library configuration) may block exploitability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20795

LAYER: meta
PACKAGE NAME: automake-native
PACKAGE VERSION: 1.16.5
CVE: CVE-2009-4029
CVE STATUS: Patched
CVE SUMMARY: The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4029

LAYER: meta
PACKAGE NAME: automake-native
PACKAGE VERSION: 1.16.5
CVE: CVE-2012-3386
CVE STATUS: Patched
CVE SUMMARY: The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3386

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2003-1564
CVE STATUS: Patched
CVE SUMMARY: libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1564

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2004-0110
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0110

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2004-0989
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0989

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2008-3281
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3281

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2008-3529
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3529

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2008-4409
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4409

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2009-2414
CVE STATUS: Patched
CVE SUMMARY: Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2414

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2009-2416
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2416

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2010-4008
CVE STATUS: Patched
CVE SUMMARY: libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4008

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2010-4494
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4494

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2011-1944
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1944

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2012-0841
CVE STATUS: Patched
CVE SUMMARY: libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0841

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2012-2871
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2871

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2012-5134
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5134

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2013-0338
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0338

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2013-0339
CVE STATUS: Patched
CVE SUMMARY: libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0339

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2013-1969
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the (1) htmlParseChunk and (2) xmldecl_done functions, as demonstrated by a buffer overflow in the xmlBufGetInputBase function.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1969

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2013-2877
CVE STATUS: Patched
CVE SUMMARY: parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2877

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2014-3660
CVE STATUS: Patched
CVE SUMMARY: parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3660

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-5312
CVE STATUS: Patched
CVE SUMMARY: The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5312

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-6837
CVE STATUS: Patched
CVE SUMMARY: The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6837

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-6838
CVE STATUS: Patched
CVE SUMMARY: The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6838

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7497
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7497

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7498
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7498

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7499
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7499

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7500
CVE STATUS: Patched
CVE SUMMARY: The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7500

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7941
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7941

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-7942
CVE STATUS: Patched
CVE SUMMARY: The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7942

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8035
CVE STATUS: Patched
CVE SUMMARY: The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8035

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8241
CVE STATUS: Patched
CVE SUMMARY: The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8241

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8242
CVE STATUS: Patched
CVE SUMMARY: The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8242

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8317
CVE STATUS: Patched
CVE SUMMARY: The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8317

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8710
CVE STATUS: Patched
CVE SUMMARY: The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8710

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2015-8806
CVE STATUS: Patched
CVE SUMMARY: dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8806

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1762
CVE STATUS: Patched
CVE SUMMARY: The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1762

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1833
CVE STATUS: Patched
CVE SUMMARY: The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1833

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1834
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1834

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1836
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the xmlDictComputeFastKey function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1836

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1837
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in the (1) htmlPArsePubidLiteral and (2) htmlParseSystemiteral functions in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allow remote attackers to cause a denial of service via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1837

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1838
CVE STATUS: Patched
CVE SUMMARY: The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1838

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1839
CVE STATUS: Patched
CVE SUMMARY: The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1839

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-1840
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1840

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-2073
CVE STATUS: Patched
CVE SUMMARY: The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2073

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-3627
CVE STATUS: Patched
CVE SUMMARY: The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3627

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-3705
CVE STATUS: Patched
CVE SUMMARY: The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3705

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-3709
CVE STATUS: Patched
CVE SUMMARY: Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3709

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4447
CVE STATUS: Patched
CVE SUMMARY: The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4447

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4448
CVE STATUS: Patched
CVE SUMMARY: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4448

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4449
CVE STATUS: Patched
CVE SUMMARY: XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4449

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4483
CVE STATUS: Patched
CVE SUMMARY: The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization.  NOTE: this vulnerability may be a duplicate of CVE-2016-3627.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4483

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-4658
CVE STATUS: Patched
CVE SUMMARY: xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4658

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-5131
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5131

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-9318
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9318

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-9596
CVE STATUS: Patched
CVE SUMMARY: libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9596

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-9597
CVE STATUS: Patched
CVE SUMMARY: It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9597

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2016-9598
CVE STATUS: Patched
CVE SUMMARY: libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. NOTE: this vulnerability exists because of a missing fix for CVE-2016-4483.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9598

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-15412
CVE STATUS: Patched
CVE SUMMARY: Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15412

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-16931
CVE STATUS: Patched
CVE SUMMARY: parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16931

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-16932
CVE STATUS: Patched
CVE SUMMARY: parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16932

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-18258
CVE STATUS: Patched
CVE SUMMARY: The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18258

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-5130
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5130

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-5969
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document.  NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5969

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-7375
CVE STATUS: Patched
CVE SUMMARY: A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7375

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-7376
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7376

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-8872
CVE STATUS: Patched
CVE SUMMARY: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8872

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-9047
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9047

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-9048
CVE STATUS: Patched
CVE SUMMARY: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9048

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-9049
CVE STATUS: Patched
CVE SUMMARY: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9049

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2017-9050
CVE STATUS: Patched
CVE SUMMARY: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9050

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2018-14404
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14404

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2018-14567
CVE STATUS: Patched
CVE SUMMARY: libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14567

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2018-9251
CVE STATUS: Patched
CVE SUMMARY: The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9251

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2019-19956
CVE STATUS: Patched
CVE SUMMARY: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19956

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2019-20388
CVE STATUS: Patched
CVE SUMMARY: xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20388

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2020-24977
CVE STATUS: Patched
CVE SUMMARY: GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24977

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2020-7595
CVE STATUS: Patched
CVE SUMMARY: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7595

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2021-3517
CVE STATUS: Patched
CVE SUMMARY: There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3517

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2021-3518
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3518

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2021-3537
CVE STATUS: Patched
CVE SUMMARY: A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3537

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2021-3541
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3541

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2022-23308
CVE STATUS: Patched
CVE SUMMARY: valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23308

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2022-29824
CVE STATUS: Patched
CVE SUMMARY: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29824

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2022-40303
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40303

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2022-40304
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40304

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2023-28484
CVE STATUS: Patched
CVE SUMMARY: In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28484

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2023-29469
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29469

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2023-39615
CVE STATUS: Patched
CVE SUMMARY: Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39615

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2023-45322
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: issue requires memory allocation to fail
CVE SUMMARY: libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45322

LAYER: meta
PACKAGE NAME: libxml2
PACKAGE VERSION: 2.12.8
CVE: CVE-2024-25062
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25062

LAYER: meta
PACKAGE NAME: python3-setuptools-native
PACKAGE VERSION: 69.1.1
CVE: CVE-2013-1633
CVE STATUS: Patched
CVE SUMMARY: easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1633

LAYER: meta
PACKAGE NAME: python3-setuptools-native
PACKAGE VERSION: 69.1.1
CVE: CVE-2022-40897
CVE STATUS: Patched
CVE SUMMARY: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40897

LAYER: meta
PACKAGE NAME: python3-setuptools-native
PACKAGE VERSION: 69.1.1
CVE: CVE-2024-6345
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6345

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2001-1268
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1268

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2001-1269
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrary files during archive extraction via filenames in the archive that begin with the '/' (slash) character.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1269

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2003-0282
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0282

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2005-0602
CVE STATUS: Patched
CVE SUMMARY: Unzip 5.51 and earlier does not properly warn the user when extracting setuid or setgid files, which may allow local users to gain privileges.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0602

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2005-2475
CVE STATUS: Patched
CVE SUMMARY: Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2475

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2005-4667
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command line argument.  NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4667

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2008-0888
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
CVE SUMMARY: The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0888

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-8139
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8139

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-8140
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8140

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-8141
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8141

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-9636
CVE STATUS: Patched
CVE SUMMARY: unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9636

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2014-9913
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9913

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2015-1315
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1315

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2015-7696
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7696

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2015-7697
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7697

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2016-9844
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9844

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000031
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000031

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000032
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000032

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000033
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000033

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000034
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000034

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-1000035
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000035

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2018-18384
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18384

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2019-13232
CVE STATUS: Patched
CVE SUMMARY: Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13232

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2020-36561
CVE STATUS: Patched
CVE SUMMARY: Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36561

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2021-4217
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4217

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2022-0529
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0529

LAYER: meta
PACKAGE NAME: unzip
PACKAGE VERSION: 1_6.0
CVE: CVE-2022-0530
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0530

LAYER: meta
PACKAGE NAME: gmp-native
PACKAGE VERSION: 6.3.0
CVE: CVE-2021-43618
CVE STATUS: Patched
CVE SUMMARY: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43618

LAYER: meta
PACKAGE NAME: pigz-native
PACKAGE VERSION: 2.8
CVE: CVE-2013-0296
CVE STATUS: Patched
CVE SUMMARY: Race condition in pigz before 2.2.5 uses permissions derived from the umask when compressing a file before setting that file's permissions to match those of the original file, which might allow local users to bypass intended access permissions while compression is occurring.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0296

LAYER: meta
PACKAGE NAME: pigz-native
PACKAGE VERSION: 2.8
CVE: CVE-2015-1191
CVE STATUS: Patched
CVE SUMMARY: Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1191

LAYER: meta
PACKAGE NAME: e2fsprogs-native
PACKAGE VERSION: 1.47.0
CVE: CVE-2007-5497
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in libext2fs in e2fsprogs before 1.40.3 allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5497

LAYER: meta
PACKAGE NAME: e2fsprogs-native
PACKAGE VERSION: 1.47.0
CVE: CVE-2015-0247
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0247

LAYER: meta
PACKAGE NAME: e2fsprogs-native
PACKAGE VERSION: 1.47.0
CVE: CVE-2015-1572
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1572

LAYER: meta
PACKAGE NAME: e2fsprogs-native
PACKAGE VERSION: 1.47.0
CVE: CVE-2019-5094
CVE STATUS: Patched
CVE SUMMARY: An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5094

LAYER: meta
PACKAGE NAME: e2fsprogs-native
PACKAGE VERSION: 1.47.0
CVE: CVE-2019-5188
CVE STATUS: Patched
CVE SUMMARY: A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5188

LAYER: meta
PACKAGE NAME: e2fsprogs-native
PACKAGE VERSION: 1.47.0
CVE: CVE-2022-1304
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1304

LAYER: meta
PACKAGE NAME: xz-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2015-4035
CVE STATUS: Patched
CVE SUMMARY: scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4035

LAYER: meta
PACKAGE NAME: xz-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-22916
CVE STATUS: Patched
CVE SUMMARY: An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22916

LAYER: meta
PACKAGE NAME: xz-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-29482
CVE STATUS: Patched
CVE SUMMARY: xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29482

LAYER: meta
PACKAGE NAME: xz-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2022-1271
CVE STATUS: Patched
CVE SUMMARY: An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1271

LAYER: meta
PACKAGE NAME: xz-native
PACKAGE VERSION: 5.4.6
CVE: CVE-2024-3094
CVE STATUS: Patched
CVE SUMMARY: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. 
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 10.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-3094

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2014-9637
CVE STATUS: Patched
CVE SUMMARY: GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9637

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2015-1196
CVE STATUS: Patched
CVE SUMMARY: GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1196

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2015-1395
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a .. (dot dot) in a diff file name.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:C/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1395

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2015-1396
CVE STATUS: Patched
CVE SUMMARY: A Directory Traversal vulnerability exists in the GNU patch before 2.7.4. A remote attacker can write to arbitrary files via a symlink attack in a patch file. NOTE: this issue exists because of an incomplete fix for CVE-2015-1196.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1396

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2016-10713
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10713

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2018-1000156
CVE STATUS: Patched
CVE SUMMARY: GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000156

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2018-20969
CVE STATUS: Patched
CVE SUMMARY: do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20969

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2018-6951
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU patch through 2.7.6. There is a segmentation fault, associated with a NULL pointer dereference, leading to a denial of service in the intuit_diff_type function in pch.c, aka a "mangled rename" issue.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6951

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2018-6952
CVE STATUS: Patched
CVE SUMMARY: A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6952

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2019-13636
CVE STATUS: Patched
CVE SUMMARY: In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13636

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2019-13638
CVE STATUS: Patched
CVE SUMMARY: GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13638

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2019-20633
CVE STATUS: Patched
CVE SUMMARY: GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20633

LAYER: meta
PACKAGE NAME: patch-native
PACKAGE VERSION: 2.7.6
CVE: CVE-2021-45261
CVE STATUS: Patched
CVE SUMMARY: An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45261

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2005-4889
CVE STATUS: Patched
CVE SUMMARY: lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of an executable file during deletion of the file in an RPM package removal, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file, a related issue to CVE-2010-2059.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4889

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2010-2059
CVE STATUS: Patched
CVE SUMMARY: lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2059

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2010-2197
CVE STATUS: Patched
CVE SUMMARY: rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2197

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2010-2198
CVE STATUS: Patched
CVE SUMMARY: lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to gain privileges or bypass intended access restrictions by creating a hard link to a vulnerable file that has (1) POSIX file capabilities or (2) SELinux context information, a related issue to CVE-2010-2059.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2198

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2010-2199
CVE STATUS: Patched
CVE SUMMARY: lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2199

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2011-3378
CVE STATUS: Patched
CVE SUMMARY: RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3378

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2012-0060
CVE STATUS: Patched
CVE SUMMARY: RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0060

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2012-0061
CVE STATUS: Patched
CVE SUMMARY: The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not properly validate region tags, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large region size in a package header.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0061

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2012-0815
CVE STATUS: Patched
CVE SUMMARY: The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0815

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2012-6088
CVE STATUS: Patched
CVE SUMMARY: The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does not return an error code in certain situations involving an "unparseable signature," which allows remote attackers to bypass RPM signature checks via a crafted package.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6088

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2013-6435
CVE STATUS: Patched
CVE SUMMARY: Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6435

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2014-8118
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8118

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2017-7500
CVE STATUS: Patched
CVE SUMMARY: It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7500

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2017-7501
CVE STATUS: Patched
CVE SUMMARY: It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7501

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-20266
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20266

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-20271
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20271

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-3421
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3421

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-3521
CVE STATUS: Patched
CVE SUMMARY: There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3521

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-35937
CVE STATUS: Patched
CVE SUMMARY: A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35937

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-35938
CVE STATUS: Patched
CVE SUMMARY: A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35938

LAYER: meta
PACKAGE NAME: rpm-native
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-35939
CVE STATUS: Patched
CVE SUMMARY: It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35939

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2002-1119
CVE STATUS: Patched
CVE SUMMARY: os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1119

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2004-0150
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0150

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2005-0089
CVE STATUS: Patched
CVE SUMMARY: The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0089

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2006-1542
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in Python 2.4.2 and earlier, running on Linux 2.6.12.5 under gcc 4.0.3 with libc 2.3.5, allows local users to cause a "stack overflow," and possibly gain privileges, by running a script from a current working directory that has a long name, related to the realpath function.  NOTE: this might not be a vulnerability. However, the fact that it appears in a programming language interpreter could mean that some applications are affected, although attack scenarios might be limited because the attacker might already need to cross privilege boundaries to cause an exploitable program to be placed in a directory with a long name; or, depending on the method that Python uses to determine the current working directory, setuid applications might be affected.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1542

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2006-4980
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4980

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2007-1657
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1657

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2007-2052
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2052

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2007-4559
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Upstream consider this expected behaviour
CVE SUMMARY: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4559

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2007-4965
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4965

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-1679
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows.  NOTE: this issue is due to an incomplete fix for CVE-2007-4965.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1679

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-1721
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1721

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-1887
CVE STATUS: Patched
CVE SUMMARY: Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1887

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-2315
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules.  NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2315

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-2316
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to "partial hashlib hashing of data exceeding 4GB."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2316

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-3142
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3142

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-3143
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3143

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-3144
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations.  NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3144

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-4108
CVE STATUS: Patched
CVE SUMMARY: Tools/faqwiz/move-faqwiz.sh (aka the generic FAQ wizard moving tool) in Python 2.4.5 might allow local users to overwrite arbitrary files via a symlink attack on a tmp$RANDOM.tmp temporary file.  NOTE: there may not be common usage scenarios in which tmp$RANDOM.tmp is located in an untrusted directory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4108

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-4864
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4864

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-5031
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c.  NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5031

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2008-5983
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5983

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2009-4134
CVE STATUS: Patched
CVE SUMMARY: Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4134

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-1449
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1449

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-1450
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1450

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-1634
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1634

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-2089
CVE STATUS: Patched
CVE SUMMARY: The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2089

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-3492
CVE STATUS: Patched
CVE SUMMARY: The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3492

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2010-3493
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3493

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2011-1015
CVE STATUS: Patched
CVE SUMMARY: The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1015

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2011-1521
CVE STATUS: Patched
CVE SUMMARY: The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1521

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2011-4940
CVE STATUS: Patched
CVE SUMMARY: The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4940

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2011-4944
CVE STATUS: Patched
CVE SUMMARY: Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4944

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2012-0845
CVE STATUS: Patched
CVE SUMMARY: SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0845

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2012-0876
CVE STATUS: Patched
CVE SUMMARY: The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0876

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2012-1150
CVE STATUS: Patched
CVE SUMMARY: Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1150

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2012-2135
CVE STATUS: Patched
CVE SUMMARY: The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2135

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-0340
CVE STATUS: Patched
CVE SUMMARY: expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0340

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-1753
CVE STATUS: Patched
CVE SUMMARY: The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1753

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-2099
CVE STATUS: Patched
CVE SUMMARY: Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2099

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-4238
CVE STATUS: Patched
CVE SUMMARY: The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4238

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-7040
CVE STATUS: Patched
CVE SUMMARY: Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7040

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-7338
CVE STATUS: Patched
CVE SUMMARY: Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7338

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2013-7440
CVE STATUS: Patched
CVE SUMMARY: The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7440

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-0224
CVE STATUS: Patched
CVE SUMMARY: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0224

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-1912
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1912

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-2667
CVE STATUS: Patched
CVE SUMMARY: Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2667

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-4616
CVE STATUS: Patched
CVE SUMMARY: Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4616

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-4650
CVE STATUS: Patched
CVE SUMMARY: The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4650

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-7185
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7185

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2014-9365
CVE STATUS: Patched
CVE SUMMARY: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9365

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2015-1283
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1283

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2015-20107
CVE STATUS: Ignored
CVE DETAIL: upstream-wontfix
CVE DESCRIPTION: The mailcap module is insecure by design, so this can't be fixed in a meaningful way
CVE SUMMARY: In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9
CVSS v2 BASE SCORE: 8.0
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:C/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-20107

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2015-5652
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory.  NOTE: the vendor says "It was determined that this is a longtime behavior of Python that cannot really be altered at this point."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5652

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-0718
CVE STATUS: Patched
CVE SUMMARY: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0718

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-0772
CVE STATUS: Patched
CVE SUMMARY: The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0772

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-1000110
CVE STATUS: Patched
CVE SUMMARY: The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1000110

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-2183
CVE STATUS: Patched
CVE SUMMARY: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2183

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-3189
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3189

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-4472
CVE STATUS: Patched
CVE SUMMARY: The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4472

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-5636
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5636

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-5699
CVE STATUS: Patched
CVE SUMMARY: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5699

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2016-9063
CVE STATUS: Patched
CVE SUMMARY: An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9063

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-1000158
CVE STATUS: Patched
CVE SUMMARY: CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000158

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-17522
CVE STATUS: Patched
CVE SUMMARY: Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17522

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-18207
CVE STATUS: Patched
CVE SUMMARY: The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications "need to be prepared to handle a wide variety of exceptions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18207

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-20052
CVE STATUS: Patched
CVE SUMMARY: A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 5.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-20052

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2017-9233
CVE STATUS: Patched
CVE SUMMARY: XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9233

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1000030
CVE STATUS: Patched
CVE SUMMARY: Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 3.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000030

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1000117
CVE STATUS: Patched
CVE SUMMARY: Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000117

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1000802
CVE STATUS: Patched
CVE SUMMARY: Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000802

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1060
CVE STATUS: Patched
CVE SUMMARY: python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1060

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-1061
CVE STATUS: Patched
CVE SUMMARY: python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method.  An attacker could use this flaw to cause denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1061

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-14647
CVE STATUS: Patched
CVE SUMMARY: Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14647

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-20406
CVE STATUS: Patched
CVE SUMMARY: Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20406

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-20852
CVE STATUS: Patched
CVE SUMMARY: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20852

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2018-25032
CVE STATUS: Patched
CVE SUMMARY: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25032

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-10160
CVE STATUS: Patched
CVE SUMMARY: A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10160

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-12900
CVE STATUS: Patched
CVE SUMMARY: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12900

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-13404
CVE STATUS: Patched
CVE SUMMARY: The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory, because backwards compatibility requires that C:\Python27 remain the default for 2.7.x
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13404

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-15903
CVE STATUS: Patched
CVE SUMMARY: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15903

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-16056
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16056

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-16935
CVE STATUS: Patched
CVE SUMMARY: The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16935

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-17514
CVE STATUS: Patched
CVE SUMMARY: library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17514

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-18348
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This is not exploitable when glibc has CVE-2016-10739 fixed
CVE SUMMARY: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18348

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-20907
CVE STATUS: Patched
CVE SUMMARY: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20907

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-5010
CVE STATUS: Patched
CVE SUMMARY: An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5010

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9636
CVE STATUS: Patched
CVE SUMMARY: Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9636

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9674
CVE STATUS: Patched
CVE SUMMARY: Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9674

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9740
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9740

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9947
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9947

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2019-9948
CVE STATUS: Patched
CVE SUMMARY: urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9948

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-10735
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10735

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-14422
CVE STATUS: Patched
CVE SUMMARY: Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14422

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-15523
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: Issue only applies on Windows
CVE SUMMARY: In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15523

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-15801
CVE STATUS: Patched
CVE SUMMARY: In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) is not affected.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15801

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-26116
CVE STATUS: Patched
CVE SUMMARY: http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26116

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-27619
CVE STATUS: Patched
CVE SUMMARY: In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27619

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-8315
CVE STATUS: Patched
CVE SUMMARY: In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8315

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2020-8492
CVE STATUS: Patched
CVE SUMMARY: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8492

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-23336
CVE STATUS: Patched
CVE SUMMARY: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23336

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-28861
CVE STATUS: Patched
CVE SUMMARY: Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28861

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-29921
CVE STATUS: Patched
CVE SUMMARY: In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29921

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-3177
CVE STATUS: Patched
CVE SUMMARY: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3177

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-3426
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3426

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-3733
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3733

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-3737
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3737

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2021-4189
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4189

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-0391
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0391

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-26488
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: Issue only applies on Windows
CVE SUMMARY: In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26488

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-37454
CVE STATUS: Patched
CVE SUMMARY: The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-37454

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-42919
CVE STATUS: Patched
CVE SUMMARY: Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42919

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-45061
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45061

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-48560
CVE STATUS: Patched
CVE SUMMARY: A use-after-free exists in Python through 3.9 via heappushpop in heapq.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48560

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-48564
CVE STATUS: Patched
CVE SUMMARY: read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48564

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-48565
CVE STATUS: Patched
CVE SUMMARY: An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48565

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2022-48566
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48566

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-24329
CVE STATUS: Patched
CVE SUMMARY: An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24329

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-27043
CVE STATUS: Patched
CVE SUMMARY: The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27043

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-33595
CVE STATUS: Patched
CVE SUMMARY: CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33595

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-36632
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Not an issue, in fact expected behaviour
CVE SUMMARY: The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-36632

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-38898
CVE STATUS: Patched
CVE SUMMARY: An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38898

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-40217
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40217

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-41105
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-41105

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2023-6507
CVE STATUS: Patched
CVE SUMMARY: An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.

When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.

This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6507

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2024-6232
CVE STATUS: Patched
CVE SUMMARY: There is a MEDIUM severity vulnerability affecting CPython.





Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6232

LAYER: meta
PACKAGE NAME: python3-native
PACKAGE VERSION: 3.12.6
CVE: CVE-2024-7592
CVE STATUS: Patched
CVE SUMMARY: There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module.


When parsing cookies that contained backslashes for quoted characters in
the cookie value, the parser would use an algorithm with quadratic
complexity, resulting in excess CPU resources being used while parsing the
value.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7592

LAYER: meta-oe
PACKAGE NAME: iniparser
PACKAGE VERSION: 4.1+git
CVE: CVE-2023-33461
CVE STATUS: Patched
CVE SUMMARY: iniparser v4.1 is vulnerable to NULL Pointer Dereference in function iniparser_getlongint which misses check NULL for function iniparser_getstring's return.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33461

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2012-4559
CVE STATUS: Patched
CVE SUMMARY: Multiple double free vulnerabilities in the (1) agent_sign_data function in agent.c, (2) channel_request function in channels.c, (3) ssh_userauth_pubkey function in auth.c, (4) sftp_parse_attr_3 function in sftp.c, and (5) try_publickey_from_file function in keyfiles.c in libssh before 0.5.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4559

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2012-4560
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in libssh before 0.5.3 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4560

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2012-4561
CVE STATUS: Patched
CVE SUMMARY: The (1) publickey_make_dss, (2) publickey_make_rsa, (3) signature_from_string, (4) ssh_do_sign, and (5) ssh_sign_session_id functions in keys.c in libssh before 0.5.3 free "an invalid pointer on an error path," which might allow remote attackers to cause a denial of service (crash) via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4561

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2012-4562
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in libssh before 0.5.3 allow remote attackers to cause a denial of service (infinite loop or crash) and possibly execute arbitrary code via unspecified vectors, which triggers a buffer overflow, infinite loop, or possibly some other unspecified vulnerabilities.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4562

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2012-6063
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6063

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2013-0176
CVE STATUS: Patched
CVE SUMMARY: The publickey_from_privatekey function in libssh before 0.5.4, when no algorithm is matched during negotiations, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a "Client: Diffie-Hellman Key Exchange Init" packet.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0176

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2014-0017
CVE STATUS: Patched
CVE SUMMARY: The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between children processes and allows local users to obtain sensitive information by leveraging a pid collision.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0017

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2014-8132
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8132

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2015-3146
CVE STATUS: Patched
CVE SUMMARY: The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh before 0.6.5 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3146

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2016-0739
CVE STATUS: Patched
CVE SUMMARY: libssh before 0.7.3 improperly truncates ephemeral secrets generated for the (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0739

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2018-10933
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10933

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2019-14889
CVE STATUS: Patched
CVE SUMMARY: A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14889

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2020-16135
CVE STATUS: Patched
CVE SUMMARY: libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16135

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2020-1730
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1730

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2021-3634
CVE STATUS: Patched
CVE SUMMARY: A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3634

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2023-1667
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1667

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2023-2283
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2283

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2023-3603
CVE STATUS: Patched
CVE SUMMARY: A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users.

Given this code is not in any released versions, no security releases have been issued.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3603

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2023-48795
CVE STATUS: Patched
CVE SUMMARY: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48795

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2023-6004
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6004

LAYER: meta-oe
PACKAGE NAME: libssh
PACKAGE VERSION: 0.10.6
CVE: CVE-2023-6918
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6918

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2000-0973
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0973

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2003-1605
CVE STATUS: Patched
CVE SUMMARY: curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1605

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2005-0490
CVE STATUS: Patched
CVE SUMMARY: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0490

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2005-3185
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3185

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2005-4077
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?"  separator in the hostname portion, which causes a "/" to be prepended to the resulting string.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4077

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2006-1061
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1061

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2007-3564
CVE STATUS: Patched
CVE SUMMARY: libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3564

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2009-0037
CVE STATUS: Patched
CVE SUMMARY: The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0037

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2009-2417
CVE STATUS: Patched
CVE SUMMARY: lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2417

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2010-0734
CVE STATUS: Patched
CVE SUMMARY: content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0734

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2010-3842
CVE STATUS: Patched
CVE SUMMARY: Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \ (backslash) as a separator of path components within the Content-disposition HTTP header.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3842

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2011-2192
CVE STATUS: Patched
CVE SUMMARY: The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2192

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2011-3389
CVE STATUS: Patched
CVE SUMMARY: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3389

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2012-0036
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0036

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-0249
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0249

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-1944
CVE STATUS: Patched
CVE SUMMARY: The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1944

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-2174
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2174

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-4545
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4545

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-6422
CVE STATUS: Patched
CVE SUMMARY: The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6422

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-0015
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0015

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-0138
CVE STATUS: Patched
CVE SUMMARY: The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0138

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-0139
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0139

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-2522
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2522

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-3613
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3613

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-3620
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3620

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-3707
CVE STATUS: Patched
CVE SUMMARY: The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3707

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-8150
CVE STATUS: Patched
CVE SUMMARY: CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8150

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-8151
CVE STATUS: Patched
CVE SUMMARY: The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8151

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3143
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3143

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3144
CVE STATUS: Patched
CVE SUMMARY: The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3144

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3145
CVE STATUS: Patched
CVE SUMMARY: The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3145

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3148
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3148

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3153
CVE STATUS: Patched
CVE SUMMARY: The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3153

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3236
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3236

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3237
CVE STATUS: Patched
CVE SUMMARY: The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3237

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-0754
CVE STATUS: Patched
CVE SUMMARY: cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0754

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-0755
CVE STATUS: Patched
CVE SUMMARY: The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0755

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-3739
CVE STATUS: Patched
CVE SUMMARY: The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3739

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-4606
CVE STATUS: Patched
CVE SUMMARY: Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4606

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-4802
CVE STATUS: Patched
CVE SUMMARY: Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4802

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-5419
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5419

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-5420
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5420

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-5421
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5421

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-7141
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7141

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-7167
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7167

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8615
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8615

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8616
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8616

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8617
CVE STATUS: Patched
CVE SUMMARY: The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8617

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8618
CVE STATUS: Patched
CVE SUMMARY: The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8618

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8619
CVE STATUS: Patched
CVE SUMMARY: The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8619

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8620
CVE STATUS: Patched
CVE SUMMARY: The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8620

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8621
CVE STATUS: Patched
CVE SUMMARY: The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8621

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8622
CVE STATUS: Patched
CVE SUMMARY: The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8622

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8623
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8623

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8624
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8624

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8625
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8625

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-9586
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9586

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-9594
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value.  Having a weak or virtually non-existent random value makes the operations that use it vulnerable.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9594

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-9952
CVE STATUS: Patched
CVE SUMMARY: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com."
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9952

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-9953
CVE STATUS: Patched
CVE SUMMARY: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9953

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000099
CVE STATUS: Patched
CVE SUMMARY: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000099

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000100
CVE STATUS: Patched
CVE SUMMARY: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000100

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000101
CVE STATUS: Patched
CVE SUMMARY: curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000101

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000254
CVE STATUS: Patched
CVE SUMMARY: libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000254

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000257
CVE STATUS: Patched
CVE SUMMARY: An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000257

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-2628
CVE STATUS: Patched
CVE SUMMARY: curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2628

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-2629
CVE STATUS: Patched
CVE SUMMARY: curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2629

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-7407
CVE STATUS: Patched
CVE SUMMARY: The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 2.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7407

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-7468
CVE STATUS: Patched
CVE SUMMARY: In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7468

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-8816
CVE STATUS: Patched
CVE SUMMARY: The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8816

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-8817
CVE STATUS: Patched
CVE SUMMARY: The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8817

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-8818
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8818

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-9502
CVE STATUS: Patched
CVE SUMMARY: In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string "file://").
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9502

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-0500
CVE STATUS: Patched
CVE SUMMARY: Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0500

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000005
CVE STATUS: Patched
CVE SUMMARY: libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000005

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000007
CVE STATUS: Patched
CVE SUMMARY: libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000007

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000120
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000120

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000121
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000121

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000122
CVE STATUS: Patched
CVE SUMMARY: A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000122

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000300
CVE STATUS: Patched
CVE SUMMARY: curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000300

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000301
CVE STATUS: Patched
CVE SUMMARY: curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000301

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-14618
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14618

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-16839
CVE STATUS: Patched
CVE SUMMARY: Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16839

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-16840
CVE STATUS: Patched
CVE SUMMARY: A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16840

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-16842
CVE STATUS: Patched
CVE SUMMARY: Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 4.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16842

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-16890
CVE STATUS: Patched
CVE SUMMARY: libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16890

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-3822
CVE STATUS: Patched
CVE SUMMARY: libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3822

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-3823
CVE STATUS: Patched
CVE SUMMARY: libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3823

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5435
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5435

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5436
CVE STATUS: Patched
CVE SUMMARY: A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5436

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5443
CVE STATUS: Patched
CVE SUMMARY: A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5443

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5481
CVE STATUS: Patched
CVE SUMMARY: Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5481

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5482
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5482

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-19909
CVE STATUS: Patched
CVE SUMMARY: Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19909

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8169
CVE STATUS: Patched
CVE SUMMARY: curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8169

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8177
CVE STATUS: Patched
CVE SUMMARY: curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8177

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8231
CVE STATUS: Patched
CVE SUMMARY: Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8231

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8284
CVE STATUS: Patched
CVE SUMMARY: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8284

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8285
CVE STATUS: Patched
CVE SUMMARY: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8285

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8286
CVE STATUS: Patched
CVE SUMMARY: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8286

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22876
CVE STATUS: Patched
CVE SUMMARY: curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22876

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22890
CVE STATUS: Patched
CVE SUMMARY: curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22890

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22897
CVE STATUS: Patched
CVE SUMMARY: curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22897

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22898
CVE STATUS: Patched
CVE SUMMARY: curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 3.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22898

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22901
CVE STATUS: Patched
CVE SUMMARY: curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22901

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22922
CVE STATUS: Patched
CVE SUMMARY: When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22922

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22923
CVE STATUS: Patched
CVE SUMMARY: When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22923

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22924
CVE STATUS: Patched
CVE SUMMARY: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22924

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22925
CVE STATUS: Patched
CVE SUMMARY: curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22925

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22926
CVE STATUS: Patched
CVE SUMMARY: libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22926

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22945
CVE STATUS: Patched
CVE SUMMARY: When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22945

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22946
CVE STATUS: Patched
CVE SUMMARY: A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22946

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22947
CVE STATUS: Patched
CVE SUMMARY: When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22947

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-22576
CVE STATUS: Patched
CVE SUMMARY: An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
CVSS v2 BASE SCORE: 5.5
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22576

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27774
CVE STATUS: Patched
CVE SUMMARY: An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 5.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27774

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27775
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27775

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27776
CVE STATUS: Patched
CVE SUMMARY: A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27776

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27778
CVE STATUS: Patched
CVE SUMMARY: A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27778

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27779
CVE STATUS: Patched
CVE SUMMARY: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27779

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27780
CVE STATUS: Patched
CVE SUMMARY: The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27780

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27781
CVE STATUS: Patched
CVE SUMMARY: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27781

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27782
CVE STATUS: Patched
CVE SUMMARY: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27782

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-30115
CVE STATUS: Patched
CVE SUMMARY: Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30115

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32205
CVE STATUS: Patched
CVE SUMMARY: A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32205

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32206
CVE STATUS: Patched
CVE SUMMARY: curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32206

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32207
CVE STATUS: Patched
CVE SUMMARY: When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32207

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32208
CVE STATUS: Patched
CVE SUMMARY: When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32208

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32221
CVE STATUS: Patched
CVE SUMMARY: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32221

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-35252
CVE STATUS: Patched
CVE SUMMARY: When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35252

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-35260
CVE STATUS: Patched
CVE SUMMARY: curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35260

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-42915
CVE STATUS: Patched
CVE SUMMARY: curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42915

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-42916
CVE STATUS: Patched
CVE SUMMARY: In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42916

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-43551
CVE STATUS: Patched
CVE SUMMARY: A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43551

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-43552
CVE STATUS: Patched
CVE SUMMARY: A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43552

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-23914
CVE STATUS: Patched
CVE SUMMARY: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23914

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-23915
CVE STATUS: Patched
CVE SUMMARY: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23915

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-23916
CVE STATUS: Patched
CVE SUMMARY: An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23916

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27533
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27533

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27534
CVE STATUS: Patched
CVE SUMMARY: A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27534

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27535
CVE STATUS: Patched
CVE SUMMARY: An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27535

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27536
CVE STATUS: Patched
CVE SUMMARY: An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27536

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27537
CVE STATUS: Patched
CVE SUMMARY: A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27537

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27538
CVE STATUS: Patched
CVE SUMMARY: An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27538

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-28319
CVE STATUS: Patched
CVE SUMMARY: A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28319

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-28320
CVE STATUS: Patched
CVE SUMMARY: A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28320

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-28321
CVE STATUS: Patched
CVE SUMMARY: An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28321

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-28322
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28322

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-38039
CVE STATUS: Patched
CVE SUMMARY: When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would
accept in a response, allowing a malicious server to stream an endless series
of headers and eventually cause curl to run out of heap memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38039

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-38545
CVE STATUS: Patched
CVE SUMMARY: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy
handshake.

When curl is asked to pass along the host name to the SOCKS5 proxy to allow
that to resolve the address instead of it getting done by curl itself, the
maximum length that host name can be is 255 bytes.

If the host name is detected to be longer, curl switches to local name
resolving and instead passes on the resolved address only. Due to this bug,
the local variable that means "let the host resolve the name" could get the
wrong value during a slow SOCKS5 handshake, and contrary to the intention,
copy the too long host name to the target buffer instead of copying just the
resolved address there.

The target buffer being a heap based buffer, and the host name coming from the
URL that curl has been told to operate with.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38545

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-38546
CVE STATUS: Patched
CVE SUMMARY: This flaw allows an attacker to insert cookies at will into a running program
using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles"
that are the individual handles for single transfers.

libcurl provides a function call that duplicates en easy handle called
[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).

If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific file on
disk, the cloned version of the handle would instead store the file name as
`none` (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to
load cookies from would then inadvertently load cookies from a file named
`none` - if such a file exists and is readable in the current directory of the
program using libcurl. And if using the correct file format of course.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38546

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-46218
CVE STATUS: Patched
CVE SUMMARY: This flaw allows a malicious HTTP server to set "super cookies" in curl that
are then passed back to more origins than what is otherwise allowed or
possible. This allows a site to set cookies that then would get sent to
different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that
verifies a given cookie domain against the Public Suffix List (PSL). For
example a cookie could be set with `domain=co.UK` when the URL used a lower
case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46218

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-46219
CVE STATUS: Patched
CVE SUMMARY: When saving HSTS data to an excessively long file name, curl could end up
removing all contents, making subsequent requests using that file unaware of
the HSTS status they should otherwise use.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46219

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-0853
CVE STATUS: Patched
CVE SUMMARY: curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to
the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0853

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-32928
CVE STATUS: Ignored
CVE DETAIL: ignored
CVE DESCRIPTION: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack
CVE SUMMARY: The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices which enabled a potential man-in-the-middle attack on requests to Google cloud services by any host the traffic was routed through.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32928

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-6197
CVE STATUS: Patched
CVE SUMMARY: libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer.  Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags.  The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6197

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-6874
CVE STATUS: Patched
CVE SUMMARY: libcurl's URL API function
[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. Asking to convert a name that is exactly 256
bytes, libcurl ends up reading outside of a stack based buffer when built to
use the *macidn* IDN backend. The conversion function then fills up the
provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidently getting returned as part of
the converted string.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6874

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-7264
CVE STATUS: Patched
CVE SUMMARY: libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an
ASN.1 Generalized Time field. If given an syntactically incorrect field, the
parser might end up using -1 for the length of the *time fraction*, leading to
a `strlen()` getting performed on a pointer to a heap buffer area that is not
(purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents
getting returned to the application when
[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7264

LAYER: meta
PACKAGE NAME: curl-native
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-9681
CVE STATUS: Unpatched
CVE SUMMARY: When curl is asked to use HSTS, the expiry time for a subdomain might
overwrite a parent domain's cache entry, making it end sooner or later than
otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the
insecure `HTTP://` scheme and perform transfers with hosts like
`x.example.com` as well as `example.com` where the first host is a subdomain
of the second host.

(The HSTS cache either needs to have been populated manually or there needs to
have been previous HTTPS accesses done as the cache needs to have entries for
the domains involved to trigger this problem.)

When `x.example.com` responds with `Strict-Transport-Security:` headers, this
bug can make the subdomain's expiry timeout *bleed over* and get set for the
parent domain `example.com` in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to `example.com` get
converted to HTTPS for a different period of time than what was asked for by
the origin server. If `example.com` for example stops supporting HTTPS at its
expiry time, curl might then fail to access `http://example.com` until the
(wrongly set) timeout expires. This bug can also expire the parent's entry
*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier
than otherwise intended.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-9681

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2015-7555
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in giffix.c in giffix in giflib 5.1.1 allows attackers to cause a denial of service (program crash) via crafted image and logical screen width fields in a GIF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7555

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2016-3177
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free and double-free vulnerabilities in gifcolor.c in GIFLIB 5.1.2 have unspecified impact and attack vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3177

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2016-3977
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3977

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2018-11489
CVE STATUS: Patched
CVE SUMMARY: The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a certain CrntCode array index is not checked. This will lead to a denial of service or possibly unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11489

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2018-11490
CVE STATUS: Patched
CVE SUMMARY: The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a certain "Private->RunningCode - 2" array index is not checked. This will lead to a denial of service or possibly unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11490

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2019-15133
CVE STATUS: Patched
CVE SUMMARY: In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15133

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2020-23922
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in giflib through 5.1.4. DumpScreen2RGB in gif2rgb.c has a heap-based buffer over-read.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-23922

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2021-40633
CVE STATUS: Patched
CVE SUMMARY: A memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-40633

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2022-28506
CVE STATUS: Patched
CVE SUMMARY: There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28506

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2023-39742
CVE STATUS: Patched
CVE SUMMARY: giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39742

LAYER: meta-oe
PACKAGE NAME: giflib-native
PACKAGE VERSION: 5.2.2
CVE: CVE-2023-48161
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpSCreen2RGB function in gif2rgb.c
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48161

LAYER: meta
PACKAGE NAME: dbus-glib-native
PACKAGE VERSION: 0.112
CVE: CVE-2010-1172
CVE STATUS: Patched
CVE SUMMARY: DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1172

LAYER: meta
PACKAGE NAME: dbus-glib-native
PACKAGE VERSION: 0.112
CVE: CVE-2013-0292
CVE STATUS: Patched
CVE SUMMARY: The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0292

LAYER: meta
PACKAGE NAME: quota
PACKAGE VERSION: 4.09
CVE: CVE-2012-3417
CVE STATUS: Patched
CVE SUMMARY: The good_client function in rquotad (rquota_svc.c) in Linux DiskQuota (aka quota) before 3.17 invokes the hosts_ctl function the first time without a host name, which might allow remote attackers to bypass TCP Wrappers rules in hosts.deny.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3417

LAYER: meta-oe
PACKAGE NAME: cryptsetup
PACKAGE VERSION: 2.7.2
CVE: CVE-2016-4484
CVE STATUS: Patched
CVE SUMMARY: The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4484

LAYER: meta-oe
PACKAGE NAME: cryptsetup
PACKAGE VERSION: 2.7.2
CVE: CVE-2020-14382
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in upstream release cryptsetup-2.2.0 where, there's a bug in LUKS2 format validation code, that is effectively invoked on every device/image presenting itself as LUKS2 container. The bug is in segments validation code in file 'lib/luks2/luks2_json_metadata.c' in function hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj) where the code does not check for possible overflow on memory allocation used for intervals array (see statement "intervals = malloc(first_backup * sizeof(*intervals));"). Due to the bug, library can be *tricked* to expect such allocation was successful but for far less memory then originally expected. Later it may read data FROM image crafted by an attacker and actually write such data BEYOND allocated memory.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14382

LAYER: meta-oe
PACKAGE NAME: cryptsetup
PACKAGE VERSION: 2.7.2
CVE: CVE-2021-4122
CVE STATUS: Patched
CVE SUMMARY: It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.3
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4122

LAYER: meta
PACKAGE NAME: libxdmcp-native
PACKAGE VERSION: 1_1.1.4
CVE: CVE-2017-2625
CVE STATUS: Patched
CVE SUMMARY: It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2625

LAYER: meta-oe
PACKAGE NAME: libspiro-native
PACKAGE VERSION: 20221101
CVE: CVE-2019-19847
CVE STATUS: Patched
CVE SUMMARY: Libspiro through 20190731 has a stack-based buffer overflow in the spiro_to_bpath0() function in spiro.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19847

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2004-0803
CVE STATUS: Patched
CVE SUMMARY: Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0803

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2004-0804
CVE STATUS: Patched
CVE SUMMARY: Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0804

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2004-0886
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0886

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2004-0929
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled with the OJPEG_SUPPORT (old JPEG support) option, allows remote attackers to execute arbitrary code via a malformed TIFF image.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0929

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2004-1183
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1183

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2004-1307
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1307

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2004-1308
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1308

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2005-1544
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in libTIFF before 3.7.2 allows remote attackers to execute arbitrary code via a TIFF file with a malformed BitsPerSample tag.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1544

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2005-2452
CVE STATUS: Patched
CVE SUMMARY: libtiff up to 3.7.0 allows remote attackers to cause a denial of service (application crash) via a TIFF image header with a zero "YCbCr subsampling" value, which causes a divide-by-zero error in (1) tif_strip.c and (2) tif_tile.c, a different vulnerability than CVE-2004-0804.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2452

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-0405
CVE STATUS: Patched
CVE SUMMARY: The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a NULL pointer dereference, possibly due to changes in type declarations and/or the TIFFVSetField function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0405

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-2024
CVE STATUS: Patched
CVE SUMMARY: Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2024

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-2025
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the TIFFFetchData function in tif_dirread.c for libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted TIFF image.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2025

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-2026
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions."
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2026

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-2120
CVE STATUS: Patched
CVE SUMMARY: The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers to cause a denial of service (crash) via a crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2120

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-2193
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2193

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-2656
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might might allow attackers to execute arbitrary code via a long filename.  NOTE: tiffsplit is not setuid.  If there is not a common scenario under which tiffsplit is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2656

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-3459
CVE STATUS: Patched
CVE SUMMARY: Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3459

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-3460
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the JPEG decoder in the TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an encoded JPEG stream that is longer than the scan line size (TiffScanLineSize).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3460

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-3461
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the PixarLog decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3461

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-3462
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the NeXT RLE decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors involving decoding large RLE images.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3462

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-3463
CVE STATUS: Patched
CVE SUMMARY: The EstimateStripByteCounts function in TIFF library (libtiff) before 3.8.2 uses a 16-bit unsigned short when iterating over an unsigned 32-bit value, which allows context-dependent attackers to cause a denial of service via a large td_nstrips value, which triggers an infinite loop.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3463

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-3464
CVE STATUS: Patched
CVE SUMMARY: TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code, and trigger assert errors, via large offset values in a TIFF directory that lead to an integer overflow and other unspecified vectors involving "unchecked arithmetic operations".
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3464

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2006-3465
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in the custom tag support for the TIFF library (libtiff) before 3.8.2 allows remote attackers to cause a denial of service (instability or crash) and execute arbitrary code via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3465

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2008-2327
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2327

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2009-2285
CVE STATUS: Patched
CVE SUMMARY: Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2285

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2009-2347
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2347

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2009-5022
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibTIFF before 3.9.5 allows remote attackers to execute arbitrary code via a crafted TIFF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5022

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2065
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF file that triggers a buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2065

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2067
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2067

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2233
CVE STATUS: Patched
CVE SUMMARY: tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used in ImageMagick, does not properly perform vertical flips, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image, related to "downsampled OJPEG input."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2233

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2443
CVE STATUS: Patched
CVE SUMMARY: The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an OJPEG image with undefined strip offsets, related to the TIFFVGetField function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2443

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2481
CVE STATUS: Patched
CVE SUMMARY: The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle unknown tag types in TIFF directory entries, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2481

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2482
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 3.9.4 and earlier does not properly handle an invalid td_stripbytecount field, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted TIFF file, a different vulnerability than CVE-2010-2443.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2482

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2483
CVE STATUS: Patched
CVE SUMMARY: The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a TIFF file with an invalid combination of SamplesPerPixel and Photometric values.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2483

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2595
CVE STATUS: Patched
CVE SUMMARY: The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in ImageMagick, does not properly handle invalid ReferenceBlackWhite values, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers an array index error, related to "downsampled OJPEG input."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2595

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2596
CVE STATUS: Patched
CVE SUMMARY: The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to "downsampled OJPEG input."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2596

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2597
CVE STATUS: Patched
CVE SUMMARY: The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image, related to "downsampled OJPEG input" and possibly related to a compiler optimization that triggers a divide-by-zero error.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2597

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2630
CVE STATUS: Patched
CVE SUMMARY: The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly validate the data types of codec-specific tags that have an out-of-order position in a TIFF file, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2630

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-2631
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 3.9.0 ignores tags in certain situations during the first stage of TIFF file processing and does not properly handle this during the second stage, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2631

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-3087
CVE STATUS: Patched
CVE SUMMARY: LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3087

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2010-4665
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ReadDirectory function in tiffdump.c in tiffdump in LibTIFF before 3.9.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF file containing a directory data structure with many directory entries.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4665

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2011-1167
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1167

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2012-1173
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1173

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2012-2088
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2088

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2012-2113
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2113

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2012-3401
CVE STATUS: Patched
CVE SUMMARY: The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3401

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2012-4447
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF image using the PixarLog Compression format.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4447

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2012-4564
CVE STATUS: Patched
CVE SUMMARY: ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4564

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2012-5581
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DOTRANGE tag in a TIFF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5581

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2013-1960
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the t2p_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1960

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2013-1961
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1961

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2013-4231
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c.  NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4231

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2013-4232
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4232

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2013-4243
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted height and width values in a GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4243

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2013-4244
CVE STATUS: Patched
CVE SUMMARY: The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4244

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2014-8127
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8127

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2014-8128
CVE STATUS: Patched
CVE SUMMARY: LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8128

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2014-8129
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8129

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2014-8130
CVE STATUS: Patched
CVE SUMMARY: The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8130

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2014-9330
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9330

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2014-9655
CVE STATUS: Patched
CVE SUMMARY: The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9655

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-1547
CVE STATUS: Patched
CVE SUMMARY: The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1547

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-7313
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue
CVE SUMMARY: LibTIFF allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7313

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-7554
CVE STATUS: Patched
CVE SUMMARY: The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7554

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-8665
CVE STATUS: Patched
CVE SUMMARY: tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8665

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-8668
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8668

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-8683
CVE STATUS: Patched
CVE SUMMARY: The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8683

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-8781
CVE STATUS: Patched
CVE SUMMARY: tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8781

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-8782
CVE STATUS: Patched
CVE SUMMARY: tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8782

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-8783
CVE STATUS: Patched
CVE SUMMARY: tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8783

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-8784
CVE STATUS: Patched
CVE SUMMARY: The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8784

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2015-8870
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process memory, via crafted width and length values in RLE4 or RLE8 data in a BMP file.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8870

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10092
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the readContigStripsIntoBuffer function in tif_unix.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5 and 4.0.6 allows remote attackers to have unspecified impact via a crafted image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10092

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10093
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5 and 4.0.6 allows remote attackers to have unspecified impact via a crafted image, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10093

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10094
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the t2p_readwrite_pdf_image_tile function in tools/tiff2pdf.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10094

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10095
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7 and 4.0.8 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10095

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10266
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10266

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10267
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10267

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10268
CVE STATUS: Patched
CVE SUMMARY: tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10268

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10269
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6 and 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10269

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10270
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10270

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10271
CVE STATUS: Patched
CVE SUMMARY: tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 1" and libtiff/tif_fax3.c:413:13.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10271

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10272
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "WRITE of size 2048" and libtiff/tif_next.c:64:9.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10272

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-10371
CVE STATUS: Patched
CVE SUMMARY: The TIFFWriteDirectoryTagCheckedRational function in tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10371

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3186
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 6.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3186

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3619
CVE STATUS: Patched
CVE SUMMARY: The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c none" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3619

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3620
CVE STATUS: Patched
CVE SUMMARY: The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c zip" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3620

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3621
CVE STATUS: Patched
CVE SUMMARY: The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c lzw" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3621

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3622
CVE STATUS: Patched
CVE SUMMARY: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3622

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3623
CVE STATUS: Patched
CVE SUMMARY: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3623

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3624
CVE STATUS: Patched
CVE SUMMARY: The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the "-v" option to -1.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3624

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3625
CVE STATUS: Patched
CVE SUMMARY: tif_read.c in the tiff2bw tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3625

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3631
CVE STATUS: Patched
CVE SUMMARY: The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in LibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the bytecounts[] array variable.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3631

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3632
CVE STATUS: Patched
CVE SUMMARY: The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3632

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3633
CVE STATUS: Patched
CVE SUMMARY: The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the src variable.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3633

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3634
CVE STATUS: Patched
CVE SUMMARY: The tagCompare function in tif_dirinfo.c in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to field_tag matching.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3634

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3658
CVE STATUS: Patched
CVE SUMMARY: The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3658

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3945
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3945

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3990
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3990

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-3991
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3991

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5102
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5102

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5314
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the PixarLogDecode function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by overwriting the vgetparent function pointer with rgb2ycbcr.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5314

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5315
CVE STATUS: Patched
CVE SUMMARY: The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5315

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5316
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5316

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5317
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the PixarLogDecode function in libtiff.so in the PixarLogDecode function in libtiff 4.0.6 and earlier, as used in GNOME nautilus, allows attackers to cause a denial of service attack (crash) via a crafted TIFF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5317

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5318
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the _TIFFVGetField function in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted tiff.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5318

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5319
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted bmp file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5319

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5321
CVE STATUS: Patched
CVE SUMMARY: The DumpModeDecode function in libtiff 4.0.6 and earlier allows attackers to cause a denial of service (invalid read and crash) via a crafted tiff image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5321

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5322
CVE STATUS: Patched
CVE SUMMARY: The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5322

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5323
CVE STATUS: Patched
CVE SUMMARY: The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5323

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-5652
CVE STATUS: Patched
CVE SUMMARY: An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5652

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-6223
CVE STATUS: Patched
CVE SUMMARY: The TIFFReadRawStrip1 and TIFFReadRawTile1 functions in tif_read.c in libtiff before 4.0.7 allows remote attackers to cause a denial of service (crash) or possibly obtain sensitive information via a negative index in a file-content buffer.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6223

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-8331
CVE STATUS: Patched
CVE SUMMARY: An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF version 4.0.6. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8331

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9273
CVE STATUS: Patched
CVE SUMMARY: tiffsplit in libtiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file, related to changing td_nstrips in TIFF_STRIPCHOP mode.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9273

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9297
CVE STATUS: Patched
CVE SUMMARY: The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII tag values.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9297

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9448
CVE STATUS: Patched
CVE SUMMARY: The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by setting the tags TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values that access 0-byte arrays.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9297.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9448

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9453
CVE STATUS: Patched
CVE SUMMARY: The t2p_readwrite_pdf_image_tile function in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9453

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9532
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9532

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9533
CVE STATUS: Patched
CVE SUMMARY: tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka "PixarLog horizontalDifference heap-buffer-overflow."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9533

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9534
CVE STATUS: Patched
CVE SUMMARY: tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9534

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9535
CVE STATUS: Patched
CVE SUMMARY: tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9535

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9536
CVE STATUS: Patched
CVE SUMMARY: tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka "t2p_process_jpeg_strip heap-buffer-overflow."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9536

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9537
CVE STATUS: Patched
CVE SUMMARY: tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9537

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9538
CVE STATUS: Patched
CVE SUMMARY: tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow. Reported as MSVR 35100.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9538

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9539
CVE STATUS: Patched
CVE SUMMARY: tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9539

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2016-9540
CVE STATUS: Patched
CVE SUMMARY: tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9540

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-10688
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted input will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10688

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-11335
CVE STATUS: Patched
CVE SUMMARY: There is a heap based buffer overflow in tools/tiff2pdf.c of LibTIFF 4.0.8 via a PlanarConfig=Contig image, which causes a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11335

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-11613
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11613

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-12944
CVE STATUS: Patched
CVE SUMMARY: The TIFFReadDirEntryArray function in tif_read.c in LibTIFF 4.0.8 mishandles memory allocation for short files, which allows remote attackers to cause a denial of service (allocation failure and application crash) in the TIFFFetchStripThing function in tif_dirread.c during a tiff2pdf invocation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12944

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-13726
CVE STATUS: Patched
CVE SUMMARY: There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13726

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-13727
CVE STATUS: Patched
CVE SUMMARY: There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13727

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-16232
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16232

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-17095
CVE STATUS: Patched
CVE SUMMARY: tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17095

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-17942
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17942

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-17973
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17973

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-18013
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18013

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-5225
CVE STATUS: Patched
CVE SUMMARY: LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5225

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-5563
CVE STATUS: Patched
CVE SUMMARY: LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5563

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7592
CVE STATUS: Patched
CVE SUMMARY: The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7592

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7593
CVE STATUS: Patched
CVE SUMMARY: tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7593

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7594
CVE STATUS: Patched
CVE SUMMARY: The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7594

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7595
CVE STATUS: Patched
CVE SUMMARY: The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7595

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7596
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7596

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7597
CVE STATUS: Patched
CVE SUMMARY: tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7597

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7598
CVE STATUS: Patched
CVE SUMMARY: tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7598

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7599
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 has an "outside the range of representable values of type short" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7599

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7600
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7600

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7601
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7601

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-7602
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7602

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-9117
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9117

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-9147
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service (crash) via a crafted TIFF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9147

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-9403
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEntryLong8Array in tif_dirread.c, which allows attackers to cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9403

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-9404
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function OJPEGReadHeaderInfoSecTablesQTable in tif_ojpeg.c, which allows attackers to cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9404

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-9815
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.7, the TIFFReadDirEntryLong8Array function in libtiff/tif_dirread.c mishandles a malloc operation, which allows attackers to cause a denial of service (memory leak within the function _TIFFmalloc in tif_unix.c) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9815

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-9935
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9935

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-9936
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c. A crafted TIFF document can lead to a memory leak resulting in a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9936

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2017-9937
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9937

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-10126
CVE STATUS: Patched
CVE SUMMARY: ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10126

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-10779
CVE STATUS: Patched
CVE SUMMARY: TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10779

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-10801
CVE STATUS: Patched
CVE SUMMARY: TIFFClientOpen in tif_unix.c in LibTIFF 3.8.2 has memory leaks, as demonstrated by bmp2tiff.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10801

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-10963
CVE STATUS: Patched
CVE SUMMARY: The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10963

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-12900
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0beta7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12900

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-15209
CVE STATUS: Patched
CVE SUMMARY: ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15209

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-16335
CVE STATUS: Patched
CVE SUMMARY: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16335

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-17000
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17000

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-17100
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17100

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-17101
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17101

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-17795
CVE STATUS: Patched
CVE SUMMARY: The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17795

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-18557
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18557

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-18661
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18661

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-19210
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19210

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-5360
CVE STATUS: Patched
CVE SUMMARY: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5360

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-5784
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5784

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-7456
CVE STATUS: Patched
CVE SUMMARY: A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7456

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2018-8905
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8905

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2019-14973
CVE STATUS: Patched
CVE SUMMARY: _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14973

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2019-17546
CVE STATUS: Patched
CVE SUMMARY: tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17546

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2019-6128
CVE STATUS: Patched
CVE SUMMARY: The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6128

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2019-7663
CVE STATUS: Patched
CVE SUMMARY: An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7663

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2020-18768
CVE STATUS: Patched
CVE SUMMARY: There exists one heap buffer overflow in _TIFFmemcpy in tif_unix.c in libtiff 4.0.10, which allows an attacker to cause a denial-of-service through a crafted tiff file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-18768

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2020-19131
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop".
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19131

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2020-19143
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the "TIFFVGetField" funtion in the component 'libtiff/tif_dir.c'.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19143

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2020-19144
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the 'in _TIFFmemcpy' funtion in the component 'tif_unix.c'.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19144

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2020-35521
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35521

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2020-35522
CVE STATUS: Patched
CVE SUMMARY: In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35522

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2020-35523
CVE STATUS: Patched
CVE SUMMARY: An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35523

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2020-35524
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35524

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-0561
CVE STATUS: Patched
CVE SUMMARY: Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb0712.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0561

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-0562
CVE STATUS: Patched
CVE SUMMARY: Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit 561599c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0562

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-0865
CVE STATUS: Patched
CVE SUMMARY: Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0865

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-0891
CVE STATUS: Patched
CVE SUMMARY: A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0891

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-0907
CVE STATUS: Patched
CVE SUMMARY: Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f2b656e2.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0907

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-0908
CVE STATUS: Patched
CVE SUMMARY: Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0908

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-0909
CVE STATUS: Patched
CVE SUMMARY: Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0909

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-0924
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0924

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-1056
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1056

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-1210
CVE STATUS: Patched
CVE SUMMARY: A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1210

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-1354
CVE STATUS: Patched
CVE SUMMARY: A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow issue and causing a crash that leads to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1354

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-1355
CVE STATUS: Patched
CVE SUMMARY: A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1355

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-1622
CVE STATUS: Patched
CVE SUMMARY: LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1622

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-1623
CVE STATUS: Patched
CVE SUMMARY: LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1623

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2056
CVE STATUS: Patched
CVE SUMMARY: Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2056

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2057
CVE STATUS: Patched
CVE SUMMARY: Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2057

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2058
CVE STATUS: Patched
CVE SUMMARY: Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2058

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-22844
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22844

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2519
CVE STATUS: Patched
CVE SUMMARY: There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2519

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2520
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2520

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2521
CVE STATUS: Patched
CVE SUMMARY: It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2521

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2867
CVE STATUS: Patched
CVE SUMMARY: libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2867

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2868
CVE STATUS: Patched
CVE SUMMARY: libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2868

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2869
CVE STATUS: Patched
CVE SUMMARY: libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2869

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-2953
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2953

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-34266
CVE STATUS: Patched
CVE SUMMARY: The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34266

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-34526
CVE STATUS: Patched
CVE SUMMARY: A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit v4.4.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted TIFF file parsed by the "tiffsplit" or "tiffcrop" utilities.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34526

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-3570
CVE STATUS: Patched
CVE SUMMARY: Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3570

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-3597
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3597

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-3598
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3598

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-3599
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3599

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-3626
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3626

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-3627
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3627

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-3970
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3970

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-40090
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40090

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-4645
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4645

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2022-48281
CVE STATUS: Patched
CVE SUMMARY: processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48281

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0795
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0795

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0796
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0796

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0797
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0797

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0798
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0798

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0799
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0799

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0800
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0800

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0801
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0801

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0802
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0802

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0803
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0803

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-0804
CVE STATUS: Patched
CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0804

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-1916
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1916

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-25433
CVE STATUS: Patched
CVE SUMMARY: libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25433

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-25434
CVE STATUS: Patched
CVE SUMMARY: libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25434

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-25435
CVE STATUS: Patched
CVE SUMMARY: libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25435

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-26965
CVE STATUS: Patched
CVE SUMMARY: loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26965

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-26966
CVE STATUS: Patched
CVE SUMMARY: libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26966

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-2731
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2731

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-2908
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2908

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-30086
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30086

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-30774
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30774

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-30775
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the libtiff library. This security flaw causes a heap buffer overflow in extractContigSamples32bits, tiffcrop.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30775

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-3164
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Issue only affects the tiffcrop tool not compiled by default since 4.6.0
CVE SUMMARY: A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3164

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-3316
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3316

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-3576
CVE STATUS: Patched
CVE SUMMARY: A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3576

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-3618
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3618

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-40745
CVE STATUS: Patched
CVE SUMMARY: LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40745

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-41175
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-41175

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-52355
CVE STATUS: Patched
CVE SUMMARY: An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52355

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-52356
CVE STATUS: Patched
CVE SUMMARY: A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52356

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-6228
CVE STATUS: Patched
CVE SUMMARY: An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6228

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2023-6277
CVE STATUS: Patched
CVE SUMMARY: An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6277

LAYER: meta
PACKAGE NAME: tiff-native
PACKAGE VERSION: 4.6.0
CVE: CVE-2024-7006
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7006

LAYER: meta-oe
PACKAGE NAME: multipath-tools
PACKAGE VERSION: 0.9.8
CVE: CVE-2009-0115
CVE STATUS: Patched
CVE SUMMARY: The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0115

LAYER: meta-oe
PACKAGE NAME: multipath-tools
PACKAGE VERSION: 0.9.8
CVE: CVE-2022-41973
CVE STATUS: Patched
CVE SUMMARY: multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41973

LAYER: meta-oe
PACKAGE NAME: multipath-tools
PACKAGE VERSION: 0.9.8
CVE: CVE-2022-41974
CVE STATUS: Patched
CVE SUMMARY: multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41974

LAYER: meta-oe
PACKAGE NAME: lvm2
PACKAGE VERSION: 2.03.22
CVE: CVE-2010-2526
CVE STATUS: Patched
CVE SUMMARY: The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2526

LAYER: meta-oe
PACKAGE NAME: lvm2
PACKAGE VERSION: 2.03.22
CVE: CVE-2020-8991
CVE STATUS: Patched
CVE SUMMARY: vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs. NOTE: RedHat disputes CVE-2020-8991 as not being a vulnerability since there’s no apparent route to either privilege escalation or to denial of service through the bug
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 2.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8991

LAYER: meta
PACKAGE NAME: serf-native
PACKAGE VERSION: 1.3.10
CVE: CVE-2014-3504
CVE STATUS: Patched
CVE SUMMARY: The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3504

LAYER: meta
PACKAGE NAME: apr-util-native
PACKAGE VERSION: 1.6.3
CVE: CVE-2009-0023
CVE STATUS: Patched
CVE SUMMARY: The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0023

LAYER: meta
PACKAGE NAME: apr-util-native
PACKAGE VERSION: 1.6.3
CVE: CVE-2009-1955
CVE STATUS: Patched
CVE SUMMARY: The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1955

LAYER: meta
PACKAGE NAME: apr-util-native
PACKAGE VERSION: 1.6.3
CVE: CVE-2009-1956
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1956

LAYER: meta
PACKAGE NAME: apr-util-native
PACKAGE VERSION: 1.6.3
CVE: CVE-2009-2412
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2412

LAYER: meta
PACKAGE NAME: apr-util-native
PACKAGE VERSION: 1.6.3
CVE: CVE-2010-1623
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1623

LAYER: meta
PACKAGE NAME: apr-util-native
PACKAGE VERSION: 1.6.3
CVE: CVE-2011-1928
CVE STATUS: Patched
CVE SUMMARY: The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.  NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1928

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2000-0973
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0973

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2003-1605
CVE STATUS: Patched
CVE SUMMARY: curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1605

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2005-0490
CVE STATUS: Patched
CVE SUMMARY: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0490

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2005-3185
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3185

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2005-4077
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?"  separator in the hostname portion, which causes a "/" to be prepended to the resulting string.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4077

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2006-1061
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1061

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2007-3564
CVE STATUS: Patched
CVE SUMMARY: libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3564

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2009-0037
CVE STATUS: Patched
CVE SUMMARY: The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0037

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2009-2417
CVE STATUS: Patched
CVE SUMMARY: lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2417

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2010-0734
CVE STATUS: Patched
CVE SUMMARY: content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0734

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2010-3842
CVE STATUS: Patched
CVE SUMMARY: Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \ (backslash) as a separator of path components within the Content-disposition HTTP header.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3842

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2011-2192
CVE STATUS: Patched
CVE SUMMARY: The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2192

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2011-3389
CVE STATUS: Patched
CVE SUMMARY: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3389

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2012-0036
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0036

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-0249
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0249

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-1944
CVE STATUS: Patched
CVE SUMMARY: The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1944

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-2174
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2174

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-4545
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4545

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2013-6422
CVE STATUS: Patched
CVE SUMMARY: The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6422

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-0015
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0015

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-0138
CVE STATUS: Patched
CVE SUMMARY: The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0138

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-0139
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0139

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-2522
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2522

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-3613
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3613

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-3620
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3620

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-3707
CVE STATUS: Patched
CVE SUMMARY: The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3707

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-8150
CVE STATUS: Patched
CVE SUMMARY: CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8150

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2014-8151
CVE STATUS: Patched
CVE SUMMARY: The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8151

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3143
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3143

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3144
CVE STATUS: Patched
CVE SUMMARY: The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3144

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3145
CVE STATUS: Patched
CVE SUMMARY: The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3145

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3148
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3148

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3153
CVE STATUS: Patched
CVE SUMMARY: The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3153

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3236
CVE STATUS: Patched
CVE SUMMARY: cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3236

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2015-3237
CVE STATUS: Patched
CVE SUMMARY: The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3237

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-0754
CVE STATUS: Patched
CVE SUMMARY: cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0754

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-0755
CVE STATUS: Patched
CVE SUMMARY: The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0755

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-3739
CVE STATUS: Patched
CVE SUMMARY: The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3739

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-4606
CVE STATUS: Patched
CVE SUMMARY: Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4606

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-4802
CVE STATUS: Patched
CVE SUMMARY: Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4802

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-5419
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5419

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-5420
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5420

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-5421
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5421

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-7141
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7141

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-7167
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7167

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8615
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8615

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8616
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8616

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8617
CVE STATUS: Patched
CVE SUMMARY: The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8617

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8618
CVE STATUS: Patched
CVE SUMMARY: The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8618

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8619
CVE STATUS: Patched
CVE SUMMARY: The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8619

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8620
CVE STATUS: Patched
CVE SUMMARY: The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8620

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8621
CVE STATUS: Patched
CVE SUMMARY: The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8621

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8622
CVE STATUS: Patched
CVE SUMMARY: The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8622

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8623
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8623

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8624
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8624

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-8625
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8625

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-9586
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9586

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-9594
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value.  Having a weak or virtually non-existent random value makes the operations that use it vulnerable.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9594

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-9952
CVE STATUS: Patched
CVE SUMMARY: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com."
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9952

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2016-9953
CVE STATUS: Patched
CVE SUMMARY: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9953

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000099
CVE STATUS: Patched
CVE SUMMARY: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000099

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000100
CVE STATUS: Patched
CVE SUMMARY: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000100

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000101
CVE STATUS: Patched
CVE SUMMARY: curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000101

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000254
CVE STATUS: Patched
CVE SUMMARY: libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000254

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-1000257
CVE STATUS: Patched
CVE SUMMARY: An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000257

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-2628
CVE STATUS: Patched
CVE SUMMARY: curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2628

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-2629
CVE STATUS: Patched
CVE SUMMARY: curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2629

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-7407
CVE STATUS: Patched
CVE SUMMARY: The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 2.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7407

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-7468
CVE STATUS: Patched
CVE SUMMARY: In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7468

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-8816
CVE STATUS: Patched
CVE SUMMARY: The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8816

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-8817
CVE STATUS: Patched
CVE SUMMARY: The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8817

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-8818
CVE STATUS: Patched
CVE SUMMARY: curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8818

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2017-9502
CVE STATUS: Patched
CVE SUMMARY: In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string "file://").
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9502

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-0500
CVE STATUS: Patched
CVE SUMMARY: Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0500

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000005
CVE STATUS: Patched
CVE SUMMARY: libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000005

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000007
CVE STATUS: Patched
CVE SUMMARY: libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000007

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000120
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000120

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000121
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000121

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000122
CVE STATUS: Patched
CVE SUMMARY: A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000122

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000300
CVE STATUS: Patched
CVE SUMMARY: curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000300

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-1000301
CVE STATUS: Patched
CVE SUMMARY: curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000301

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-14618
CVE STATUS: Patched
CVE SUMMARY: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14618

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-16839
CVE STATUS: Patched
CVE SUMMARY: Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16839

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-16840
CVE STATUS: Patched
CVE SUMMARY: A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16840

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-16842
CVE STATUS: Patched
CVE SUMMARY: Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 4.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16842

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2018-16890
CVE STATUS: Patched
CVE SUMMARY: libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16890

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-3822
CVE STATUS: Patched
CVE SUMMARY: libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3822

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-3823
CVE STATUS: Patched
CVE SUMMARY: libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3823

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5435
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5435

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5436
CVE STATUS: Patched
CVE SUMMARY: A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5436

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5443
CVE STATUS: Patched
CVE SUMMARY: A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5443

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5481
CVE STATUS: Patched
CVE SUMMARY: Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5481

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2019-5482
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5482

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-19909
CVE STATUS: Patched
CVE SUMMARY: Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19909

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8169
CVE STATUS: Patched
CVE SUMMARY: curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8169

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8177
CVE STATUS: Patched
CVE SUMMARY: curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8177

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8231
CVE STATUS: Patched
CVE SUMMARY: Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8231

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8284
CVE STATUS: Patched
CVE SUMMARY: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8284

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8285
CVE STATUS: Patched
CVE SUMMARY: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8285

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2020-8286
CVE STATUS: Patched
CVE SUMMARY: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8286

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22876
CVE STATUS: Patched
CVE SUMMARY: curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22876

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22890
CVE STATUS: Patched
CVE SUMMARY: curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22890

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22897
CVE STATUS: Patched
CVE SUMMARY: curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22897

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22898
CVE STATUS: Patched
CVE SUMMARY: curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 3.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22898

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22901
CVE STATUS: Patched
CVE SUMMARY: curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22901

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22922
CVE STATUS: Patched
CVE SUMMARY: When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22922

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22923
CVE STATUS: Patched
CVE SUMMARY: When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22923

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22924
CVE STATUS: Patched
CVE SUMMARY: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22924

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22925
CVE STATUS: Patched
CVE SUMMARY: curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22925

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22926
CVE STATUS: Patched
CVE SUMMARY: libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22926

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22945
CVE STATUS: Patched
CVE SUMMARY: When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22945

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22946
CVE STATUS: Patched
CVE SUMMARY: A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22946

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2021-22947
CVE STATUS: Patched
CVE SUMMARY: When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22947

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-22576
CVE STATUS: Patched
CVE SUMMARY: An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
CVSS v2 BASE SCORE: 5.5
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22576

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27774
CVE STATUS: Patched
CVE SUMMARY: An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 5.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27774

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27775
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27775

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27776
CVE STATUS: Patched
CVE SUMMARY: A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27776

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27778
CVE STATUS: Patched
CVE SUMMARY: A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27778

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27779
CVE STATUS: Patched
CVE SUMMARY: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27779

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27780
CVE STATUS: Patched
CVE SUMMARY: The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27780

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27781
CVE STATUS: Patched
CVE SUMMARY: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27781

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-27782
CVE STATUS: Patched
CVE SUMMARY: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27782

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-30115
CVE STATUS: Patched
CVE SUMMARY: Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30115

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32205
CVE STATUS: Patched
CVE SUMMARY: A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32205

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32206
CVE STATUS: Patched
CVE SUMMARY: curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32206

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32207
CVE STATUS: Patched
CVE SUMMARY: When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32207

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32208
CVE STATUS: Patched
CVE SUMMARY: When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32208

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-32221
CVE STATUS: Patched
CVE SUMMARY: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32221

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-35252
CVE STATUS: Patched
CVE SUMMARY: When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35252

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-35260
CVE STATUS: Patched
CVE SUMMARY: curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35260

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-42915
CVE STATUS: Patched
CVE SUMMARY: curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42915

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-42916
CVE STATUS: Patched
CVE SUMMARY: In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42916

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-43551
CVE STATUS: Patched
CVE SUMMARY: A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43551

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2022-43552
CVE STATUS: Patched
CVE SUMMARY: A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43552

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-23914
CVE STATUS: Patched
CVE SUMMARY: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23914

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-23915
CVE STATUS: Patched
CVE SUMMARY: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23915

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-23916
CVE STATUS: Patched
CVE SUMMARY: An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23916

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27533
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27533

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27534
CVE STATUS: Patched
CVE SUMMARY: A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27534

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27535
CVE STATUS: Patched
CVE SUMMARY: An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27535

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27536
CVE STATUS: Patched
CVE SUMMARY: An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27536

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27537
CVE STATUS: Patched
CVE SUMMARY: A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27537

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-27538
CVE STATUS: Patched
CVE SUMMARY: An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27538

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-28319
CVE STATUS: Patched
CVE SUMMARY: A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28319

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-28320
CVE STATUS: Patched
CVE SUMMARY: A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28320

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-28321
CVE STATUS: Patched
CVE SUMMARY: An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28321

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-28322
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28322

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-38039
CVE STATUS: Patched
CVE SUMMARY: When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would
accept in a response, allowing a malicious server to stream an endless series
of headers and eventually cause curl to run out of heap memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38039

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-38545
CVE STATUS: Patched
CVE SUMMARY: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy
handshake.

When curl is asked to pass along the host name to the SOCKS5 proxy to allow
that to resolve the address instead of it getting done by curl itself, the
maximum length that host name can be is 255 bytes.

If the host name is detected to be longer, curl switches to local name
resolving and instead passes on the resolved address only. Due to this bug,
the local variable that means "let the host resolve the name" could get the
wrong value during a slow SOCKS5 handshake, and contrary to the intention,
copy the too long host name to the target buffer instead of copying just the
resolved address there.

The target buffer being a heap based buffer, and the host name coming from the
URL that curl has been told to operate with.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38545

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-38546
CVE STATUS: Patched
CVE SUMMARY: This flaw allows an attacker to insert cookies at will into a running program
using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles"
that are the individual handles for single transfers.

libcurl provides a function call that duplicates en easy handle called
[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).

If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific file on
disk, the cloned version of the handle would instead store the file name as
`none` (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to
load cookies from would then inadvertently load cookies from a file named
`none` - if such a file exists and is readable in the current directory of the
program using libcurl. And if using the correct file format of course.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38546

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-46218
CVE STATUS: Patched
CVE SUMMARY: This flaw allows a malicious HTTP server to set "super cookies" in curl that
are then passed back to more origins than what is otherwise allowed or
possible. This allows a site to set cookies that then would get sent to
different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that
verifies a given cookie domain against the Public Suffix List (PSL). For
example a cookie could be set with `domain=co.UK` when the URL used a lower
case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46218

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2023-46219
CVE STATUS: Patched
CVE SUMMARY: When saving HSTS data to an excessively long file name, curl could end up
removing all contents, making subsequent requests using that file unaware of
the HSTS status they should otherwise use.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46219

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-0853
CVE STATUS: Patched
CVE SUMMARY: curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to
the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0853

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-32928
CVE STATUS: Ignored
CVE DETAIL: ignored
CVE DESCRIPTION: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack
CVE SUMMARY: The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices which enabled a potential man-in-the-middle attack on requests to Google cloud services by any host the traffic was routed through.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32928

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-6197
CVE STATUS: Patched
CVE SUMMARY: libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer.  Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags.  The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6197

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-6874
CVE STATUS: Patched
CVE SUMMARY: libcurl's URL API function
[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. Asking to convert a name that is exactly 256
bytes, libcurl ends up reading outside of a stack based buffer when built to
use the *macidn* IDN backend. The conversion function then fills up the
provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidently getting returned as part of
the converted string.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6874

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-7264
CVE STATUS: Patched
CVE SUMMARY: libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an
ASN.1 Generalized Time field. If given an syntactically incorrect field, the
parser might end up using -1 for the length of the *time fraction*, leading to
a `strlen()` getting performed on a pointer to a heap buffer area that is not
(purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents
getting returned to the application when
[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7264

LAYER: meta
PACKAGE NAME: curl
PACKAGE VERSION: 8.7.1
CVE: CVE-2024-9681
CVE STATUS: Unpatched
CVE SUMMARY: When curl is asked to use HSTS, the expiry time for a subdomain might
overwrite a parent domain's cache entry, making it end sooner or later than
otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the
insecure `HTTP://` scheme and perform transfers with hosts like
`x.example.com` as well as `example.com` where the first host is a subdomain
of the second host.

(The HSTS cache either needs to have been populated manually or there needs to
have been previous HTTPS accesses done as the cache needs to have entries for
the domains involved to trigger this problem.)

When `x.example.com` responds with `Strict-Transport-Security:` headers, this
bug can make the subdomain's expiry timeout *bleed over* and get set for the
parent domain `example.com` in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to `example.com` get
converted to HTTPS for a different period of time than what was asked for by
the origin server. If `example.com` for example stops supporting HTTPS at its
expiry time, curl might then fail to access `http://example.com` until the
(wrongly set) timeout expires. This bug can also expire the parent's entry
*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier
than otherwise intended.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-9681

LAYER: meta
PACKAGE NAME: rpcbind
PACKAGE VERSION: 1.2.6
CVE: CVE-2010-2061
CVE STATUS: Patched
CVE SUMMARY: rpcbind 0.2.0 does not properly validate (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr, which can be created by an attacker before the daemon is started.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2061

LAYER: meta
PACKAGE NAME: rpcbind
PACKAGE VERSION: 1.2.6
CVE: CVE-2010-2064
CVE STATUS: Patched
CVE SUMMARY: rpcbind 0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2064

LAYER: meta
PACKAGE NAME: rpcbind
PACKAGE VERSION: 1.2.6
CVE: CVE-2015-7236
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7236

LAYER: meta
PACKAGE NAME: rpcbind
PACKAGE VERSION: 1.2.6
CVE: CVE-2017-8779
CVE STATUS: Patched
CVE SUMMARY: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8779

LAYER: meta-selinux
PACKAGE NAME: semodule-utils-native
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta-selinux
PACKAGE NAME: checkpolicy-native
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta
PACKAGE NAME: dosfstools
PACKAGE VERSION: 4.2
CVE: CVE-2015-8872
CVE STATUS: Patched
CVE SUMMARY: The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an "off-by-two error."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8872

LAYER: meta
PACKAGE NAME: dosfstools
PACKAGE VERSION: 4.2
CVE: CVE-2016-4804
CVE STATUS: Patched
CVE SUMMARY: The read_boot function in boot.c in dosfstools before 4.0 allows attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4804

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2010-4259
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in FontForge 20100501 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long CHARSET_REGISTRY header in a BDF font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4259

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11568
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 is vulnerable to a heap-based buffer over-read in PSCharStringToSplines (psread.c) resulting in DoS or code execution via a crafted otf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11568

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11569
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 is vulnerable to a heap-based buffer over-read in readttfcopyrights (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11569

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11570
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 is vulnerable to a buffer over-read in umodenc (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11570

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11571
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 is vulnerable to a stack-based buffer overflow in addnibble (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11571

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11572
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 is vulnerable to a heap-based buffer over-read in readcfftopdicts (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11572

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11573
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 is vulnerable to a buffer over-read in ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11573

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11574
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 is vulnerable to a heap-based buffer overflow in readcffset (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11574

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11575
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 is vulnerable to a buffer over-read in strnmatch (char.c) resulting in DoS or code execution via a crafted otf file, related to a call from the readttfcopyrights function in parsettf.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11575

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11576
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 does not ensure a positive size in a weight vector memcpy call in readcfftopdict (parsettf.c) resulting in DoS via a crafted otf file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11576

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-11577
CVE STATUS: Patched
CVE SUMMARY: FontForge 20161012 is vulnerable to a buffer over-read in getsid (parsettf.c) resulting in DoS or code execution via a crafted otf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11577

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2017-17521
CVE STATUS: Patched
CVE SUMMARY: uiutil.c in FontForge through 20170731 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17534.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17521

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2019-15785
CVE STATUS: Patched
CVE SUMMARY: FontForge 20190813 through 20190820 has a buffer overflow in PrefsUI_LoadPrefs in prefs.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15785

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2020-25690
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds write flaw was found in FontForge in versions before 20200314 while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25690

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2020-5395
CVE STATUS: Patched
CVE SUMMARY: FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-5395

LAYER: meta-oe
PACKAGE NAME: fontforge-native
PACKAGE VERSION: 20230101
CVE: CVE-2020-5496
CVE STATUS: Patched
CVE SUMMARY: FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-5496

LAYER: meta
PACKAGE NAME: dbus-glib
PACKAGE VERSION: 0.112
CVE: CVE-2010-1172
CVE STATUS: Patched
CVE SUMMARY: DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1172

LAYER: meta
PACKAGE NAME: dbus-glib
PACKAGE VERSION: 0.112
CVE: CVE-2013-0292
CVE STATUS: Patched
CVE SUMMARY: The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0292

LAYER: meta-oe
PACKAGE NAME: doxygen-native
PACKAGE VERSION: 1.9.3
CVE: CVE-2016-10245
CVE STATUS: Patched
CVE SUMMARY: Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10245

LAYER: meta
PACKAGE NAME: libxcb-native
PACKAGE VERSION: 1.16
CVE: CVE-2013-2064
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2064

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2007-4770
CVE STATUS: Patched
CVE SUMMARY: libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4770

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2007-4771
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4771

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2011-4599
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the _canonicalize function in common/uloc.c in International Components for Unicode (ICU) before 49.1 allows remote attackers to execute arbitrary code via a crafted locale ID that is not properly handled during variant canonicalization.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4599

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2014-7923
CVE STATUS: Patched
CVE SUMMARY: The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7923

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2014-7926
CVE STATUS: Patched
CVE SUMMARY: The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7926

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2014-7940
CVE STATUS: Patched
CVE SUMMARY: The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7940

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2014-8146
CVE STATUS: Patched
CVE SUMMARY: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8146

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2014-8147
CVE STATUS: Patched
CVE SUMMARY: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8147

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2014-9654
CVE STATUS: Patched
CVE SUMMARY: The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9654

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2014-9911
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9911

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2015-5922
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in International Components for Unicode (ICU) before 53.1.0, as used in Apple OS X before 10.11 and watchOS before 2, has unknown impact and attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5922

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2016-6293
CVE STATUS: Patched
CVE SUMMARY: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6293

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2016-7415
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7415

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2017-14952
CVE STATUS: Patched
CVE SUMMARY: Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14952

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2017-15396
CVE STATUS: Patched
CVE SUMMARY: A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15396

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2017-15422
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15422

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2017-17484
CVE STATUS: Patched
CVE SUMMARY: The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17484

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2017-7867
CVE STATUS: Patched
CVE SUMMARY: International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7867

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2017-7868
CVE STATUS: Patched
CVE SUMMARY: International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7868

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2018-18928
CVE STATUS: Patched
CVE SUMMARY: International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18928

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2020-10531
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10531

LAYER: meta
PACKAGE NAME: icu-native
PACKAGE VERSION: 74-2
CVE: CVE-2020-21913
CVE STATUS: Patched
CVE SUMMARY: International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21913

LAYER: meta
PACKAGE NAME: nghttp2
PACKAGE VERSION: 1.61.0
CVE: CVE-2015-8659
CVE STATUS: Patched
CVE SUMMARY: The idle stream handling in nghttp2 before 1.6.0 allows attackers to have unspecified impact via unknown vectors, aka a heap-use-after-free bug.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 10.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8659

LAYER: meta
PACKAGE NAME: nghttp2
PACKAGE VERSION: 1.61.0
CVE: CVE-2016-1544
CVE STATUS: Patched
CVE SUMMARY: nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1544

LAYER: meta
PACKAGE NAME: nghttp2
PACKAGE VERSION: 1.61.0
CVE: CVE-2018-1000168
CVE STATUS: Patched
CVE SUMMARY: nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000168

LAYER: meta
PACKAGE NAME: nghttp2
PACKAGE VERSION: 1.61.0
CVE: CVE-2020-11080
CVE STATUS: Patched
CVE SUMMARY: In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11080

LAYER: meta
PACKAGE NAME: nghttp2
PACKAGE VERSION: 1.61.0
CVE: CVE-2023-35945
CVE STATUS: Patched
CVE SUMMARY: Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-35945

LAYER: meta
PACKAGE NAME: nghttp2
PACKAGE VERSION: 1.61.0
CVE: CVE-2023-44487
CVE STATUS: Patched
CVE SUMMARY: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

LAYER: meta
PACKAGE NAME: libevent
PACKAGE VERSION: 2.1.12
CVE: CVE-2007-1030
CVE STATUS: Patched
CVE SUMMARY: Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of service (infinite loop) via a DNS response containing a label pointer that references its own offset.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1030

LAYER: meta
PACKAGE NAME: libevent
PACKAGE VERSION: 2.1.12
CVE: CVE-2014-6272
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the evbuffer API in Libevent 1.4.x before 1.4.15, 2.0.x before 2.0.22, and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function, which triggers a heap-based buffer overflow or an infinite loop.  NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2015-6525 for the functions that are only affected in 2.0 and later.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6272

LAYER: meta
PACKAGE NAME: libevent
PACKAGE VERSION: 2.1.12
CVE: CVE-2015-6525
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the evbuffer API in Libevent 2.0.x before 2.0.22 and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_prepend, (3) evbuffer_expand, (4) exbuffer_reserve_space, or (5) evbuffer_read function, which triggers a heap-based buffer overflow or an infinite loop.  NOTE: this identifier was SPLIT from CVE-2014-6272 per ADT3 due to different affected versions.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6525

LAYER: meta
PACKAGE NAME: libevent
PACKAGE VERSION: 2.1.12
CVE: CVE-2016-10195
CVE STATUS: Patched
CVE SUMMARY: The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10195

LAYER: meta
PACKAGE NAME: libevent
PACKAGE VERSION: 2.1.12
CVE: CVE-2016-10196
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10196

LAYER: meta
PACKAGE NAME: libevent
PACKAGE VERSION: 2.1.12
CVE: CVE-2016-10197
CVE STATUS: Patched
CVE SUMMARY: The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (out-of-bounds read) via an empty hostname.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10197

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2010-3315
CVE STATUS: Patched
CVE SUMMARY: authz.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when SVNPathAuthz short_circuit is enabled, does not properly handle a named repository as a rule scope, which allows remote authenticated users to bypass intended access restrictions via svn commands.
CVSS v2 BASE SCORE: 6.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3315

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2010-4539
CVE STATUS: Patched
CVE SUMMARY: The walk function in repos.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.15, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger the walking of SVNParentPath collections.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4539

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2010-4644
CVE STATUS: Patched
CVE SUMMARY: Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 allow remote authenticated users to cause a denial of service (memory consumption and daemon crash) via the -g option to the blame command.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4644

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2011-0715
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.16, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request that contains a lock token.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0715

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2011-1752
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.17, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request for a baselined WebDAV resource, as exploited in the wild in May 2011.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1752

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2011-1783
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1783

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2011-1921
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is disabled, does not properly enforce permissions for files that had been publicly readable in the past, which allows remote attackers to obtain sensitive information via a replay REPORT operation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1921

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-1845
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1845

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-1846
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a LOCK on an activity URL.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1846

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-1847
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1847

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-1849
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a PROPFIND request for an activity URL.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1849

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-1884
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (segmentation fault and crash) via a log REPORT request with an invalid limit, which triggers an access of an uninitialized variable.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1884

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-1968
CVE STATUS: Patched
CVE SUMMARY: Subversion before 1.6.23 and 1.7.x before 1.7.10 allows remote authenticated users to cause a denial of service (FSFS repository corruption) via a newline character in a file name.
CVSS v2 BASE SCORE: 5.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1968

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-2088
CVE STATUS: Patched
CVE SUMMARY: contrib/hook-scripts/svn-keyword-check.pl in Subversion before 1.6.23 allows remote authenticated users with commit permissions to execute arbitrary commands via shell metacharacters in a filename.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2088

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-2112
CVE STATUS: Patched
CVE SUMMARY: The svnserve server in Subversion before 1.6.23 and 1.7.x before 1.7.10 allows remote attackers to cause a denial of service (exit) by aborting a connection.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2112

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-4131
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds read) via a certain (1) COPY, (2) DELETE, or (3) MOVE request against a revision root.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4131

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-4246
CVE STATUS: Patched
CVE SUMMARY: libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4246

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-4262
CVE STATUS: Patched
CVE SUMMARY: svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file.  NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-2013-7393.
CVSS v2 BASE SCORE: 2.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:S/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4262

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-4277
CVE STATUS: Patched
CVE SUMMARY: Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4277

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-4505
CVE STATUS: Patched
CVE SUMMARY: The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4505

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-4558
CVE STATUS: Patched
CVE SUMMARY: The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4558

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2013-7393
CVE STATUS: Patched
CVE SUMMARY: The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used.  NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3).
CVSS v2 BASE SCORE: 2.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:S/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7393

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2014-0032
CVE STATUS: Patched
CVE SUMMARY: The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0032

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2014-3504
CVE STATUS: Patched
CVE SUMMARY: The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3504

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2014-3522
CVE STATUS: Patched
CVE SUMMARY: The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3522

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2014-3528
CVE STATUS: Patched
CVE SUMMARY: Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3528

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2014-3580
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3580

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2014-8108
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8108

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2015-0202
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0202

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2015-0248
CVE STATUS: Patched
CVE SUMMARY: The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0248

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2015-0251
CVE STATUS: Patched
CVE SUMMARY: The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0251

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2015-3184
CVE STATUS: Patched
CVE SUMMARY: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3184

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2015-3187
CVE STATUS: Patched
CVE SUMMARY: The svn_repos_trace_node_locations function in Apache Subversion before 1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used, allows remote authenticated users to obtain sensitive path information by reading the history of a node that has been moved from a hidden path.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3187

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2015-5259
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the read_string function in libsvn_ra_svn/marshal.c in Apache Subversion 1.9.x before 1.9.3 allows remote attackers to execute arbitrary code via an svn:// protocol string, which triggers a heap-based buffer overflow and an out-of-bounds read.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5259

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2015-5343
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users to cause a denial of service (subversion server crash or memory consumption) and possibly execute arbitrary code via a skel-encoded request body, which triggers an out-of-bounds read and heap-based buffer overflow.
CVSS v2 BASE SCORE: 8.0
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5343

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2016-2167
CVE STATUS: Patched
CVE SUMMARY: The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2167

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2016-2168
CVE STATUS: Patched
CVE SUMMARY: The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2168

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2016-8734
CVE STATUS: Patched
CVE SUMMARY: Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8734

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2017-9800
CVE STATUS: Patched
CVE SUMMARY: A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9800

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2018-11782
CVE STATUS: Patched
CVE SUMMARY: In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11782

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2018-11803
CVE STATUS: Patched
CVE SUMMARY: Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11803

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2019-0203
CVE STATUS: Patched
CVE SUMMARY: In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands. This can lead to disruption for users of the server.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-0203

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2020-17525
CVE STATUS: Patched
CVE SUMMARY: Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17525

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2021-28544
CVE STATUS: Patched
CVE SUMMARY: Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28544

LAYER: meta
PACKAGE NAME: subversion-native
PACKAGE VERSION: 1.14.3
CVE: CVE-2022-24070
CVE STATUS: Patched
CVE SUMMARY: Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24070

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2011-3146
CVE STATUS: Patched
CVE SUMMARY: librsvg before 2.34.1 uses the node name to identify the type of node, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference) and possibly execute arbitrary code via a SVG file with a node with the element name starting with "fe," which is misidentified as a RsvgFilterPrimitive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3146

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2013-1881
CVE STATUS: Patched
CVE SUMMARY: GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1881

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2015-7557
CVE STATUS: Patched
CVE SUMMARY: The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg before 2.40.7 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via an odd number of elements in a coordinate pair in an SVG document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7557

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2015-7558
CVE STATUS: Patched
CVE SUMMARY: librsvg before 2.40.12 allows context-dependent attackers to cause a denial of service (infinite loop, stack consumption, and application crash) via cyclic references in an SVG document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7558

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2016-4348
CVE STATUS: Patched
CVE SUMMARY: The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via circular definitions in an SVG document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4348

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2016-6163
CVE STATUS: Patched
CVE SUMMARY: The rsvg_pattern_fix_fallback function in rsvg-paint_server.c in librsvg2 2.40.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted svg file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6163

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2017-11464
CVE STATUS: Patched
CVE SUMMARY: A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in GNOME librsvg 2.40.17 during an attempted parse of a crafted SVG file, because of incorrect protection against division by zero.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11464

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2018-1000041
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: Issue only applies on Windows
CVE SUMMARY: GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appear to be exploitable via The victim must process a specially crafted SVG file containing an UNC path on Windows.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000041

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2019-20446
CVE STATUS: Patched
CVE SUMMARY: In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20446

LAYER: meta
PACKAGE NAME: librsvg-native
PACKAGE VERSION: 2.57.1
CVE: CVE-2023-38633
CVE STATUS: Patched
CVE SUMMARY: A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38633

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2015-1782
CVE STATUS: Patched
CVE SUMMARY: The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1782

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2016-0787
CVE STATUS: Patched
CVE SUMMARY: The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0787

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-13115
CVE STATUS: Patched
CVE SUMMARY: In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13115

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-17498
CVE STATUS: Patched
CVE SUMMARY: In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17498

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-3855
CVE STATUS: Patched
CVE SUMMARY: An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3855

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-3856
CVE STATUS: Patched
CVE SUMMARY: An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3856

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-3857
CVE STATUS: Patched
CVE SUMMARY: An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3857

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-3858
CVE STATUS: Patched
CVE SUMMARY: An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3858

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-3859
CVE STATUS: Patched
CVE SUMMARY: An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3859

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-3860
CVE STATUS: Patched
CVE SUMMARY: An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3860

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-3861
CVE STATUS: Patched
CVE SUMMARY: An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3861

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-3862
CVE STATUS: Patched
CVE SUMMARY: An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3862

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2019-3863
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3863

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2020-22218
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22218

LAYER: meta
PACKAGE NAME: libssh2-native
PACKAGE VERSION: 1.11.0
CVE: CVE-2023-48795
CVE STATUS: Patched
CVE SUMMARY: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48795

LAYER: meta
PACKAGE NAME: libpcap
PACKAGE VERSION: 1.10.4
CVE: CVE-2011-1935
CVE STATUS: Patched
CVE SUMMARY: pcap-linux.c in libpcap 1.1.1 before commit ea9432fabdf4b33cbc76d9437200e028f1c47c93 when snaplen is set may truncate packets, which might allow remote attackers to send arbitrary data while avoiding detection via crafted packets.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1935

LAYER: meta
PACKAGE NAME: libpcap
PACKAGE VERSION: 1.10.4
CVE: CVE-2019-15161
CVE STATUS: Patched
CVE SUMMARY: rpcapd/daemon.c in libpcap before 1.9.1 mishandles certain length values because of reuse of a variable. This may open up an attack vector involving extra data at the end of a request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15161

LAYER: meta
PACKAGE NAME: libpcap
PACKAGE VERSION: 1.10.4
CVE: CVE-2019-15162
CVE STATUS: Patched
CVE SUMMARY: rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows platforms provides details about why authentication failed, which might make it easier for attackers to enumerate valid usernames.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15162

LAYER: meta
PACKAGE NAME: libpcap
PACKAGE VERSION: 1.10.4
CVE: CVE-2019-15163
CVE STATUS: Patched
CVE SUMMARY: rpcapd/daemon.c in libpcap before 1.9.1 allows attackers to cause a denial of service (NULL pointer dereference and daemon crash) if a crypt() call fails.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15163

LAYER: meta
PACKAGE NAME: libpcap
PACKAGE VERSION: 1.10.4
CVE: CVE-2019-15164
CVE STATUS: Patched
CVE SUMMARY: rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may be provided as a capture source.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15164

LAYER: meta
PACKAGE NAME: libpcap
PACKAGE VERSION: 1.10.4
CVE: CVE-2019-15165
CVE STATUS: Patched
CVE SUMMARY: sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB header length before allocating memory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15165

LAYER: meta
PACKAGE NAME: libpcap
PACKAGE VERSION: 1.10.4
CVE: CVE-2023-7256
CVE STATUS: Patched
CVE SUMMARY: In affected libpcap versions during the setup of a remote packet capture the internal function sock_initaddress() calls getaddrinfo() and possibly freeaddrinfo(), but does not clearly indicate to the caller function whether freeaddrinfo() still remains to be called after the function returns.  This makes it possible in some scenarios that both the function and its caller call freeaddrinfo() for the same allocated memory block.  A similar problem was reported in Apple libpcap, to which Apple assigned CVE-2023-40400.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7256

LAYER: meta
PACKAGE NAME: libpcap
PACKAGE VERSION: 1.10.4
CVE: CVE-2024-8006
CVE STATUS: Patched
CVE SUMMARY: Remote packet capture support is disabled by default in libpcap.  When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex().  One of the function arguments can be a filesystem path, which normally means a directory with input data files.  When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer derefence.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-8006

LAYER: meta
PACKAGE NAME: libical-native
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5823
CVE STATUS: Patched
CVE SUMMARY: The icalproperty_new_clone function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5823

LAYER: meta
PACKAGE NAME: libical-native
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5824
CVE STATUS: Patched
CVE SUMMARY: libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5824

LAYER: meta
PACKAGE NAME: libical-native
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5825
CVE STATUS: Patched
CVE SUMMARY: The icalparser_parse_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted ics file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5825

LAYER: meta
PACKAGE NAME: libical-native
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5826
CVE STATUS: Patched
CVE SUMMARY: The parser_get_next_char function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) by crafting a string to the icalparser_parse_string function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5826

LAYER: meta
PACKAGE NAME: libical-native
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5827
CVE STATUS: Patched
CVE SUMMARY: The icaltime_from_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted string to the icalparser_parse_string function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5827

LAYER: meta
PACKAGE NAME: libical-native
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-9584
CVE STATUS: Patched
CVE SUMMARY: libical allows remote attackers to cause a denial of service (use-after-free) and possibly read heap memory via a crafted ics file.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9584

LAYER: meta-oe
PACKAGE NAME: nspr-native
PACKAGE VERSION: 4.35
CVE: CVE-2013-5607
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5607

LAYER: meta-oe
PACKAGE NAME: nspr-native
PACKAGE VERSION: 4.35
CVE: CVE-2014-1545
CVE STATUS: Patched
CVE SUMMARY: Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1545

LAYER: meta-oe
PACKAGE NAME: nspr-native
PACKAGE VERSION: 4.35
CVE: CVE-2016-1951
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long string to a PR_*printf function.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1951

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2005-4807
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the as_bad function in messages.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050721 allows attackers to execute arbitrary code via a .c file with crafted inline assembly code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4807

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2005-4808
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in reset_vars in config/tc-crx.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050714 allows user-assisted attackers to have an unknown impact via a crafted .s file.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4808

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2006-2362
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2362

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2012-3509
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the "addition of CHUNK_HEADER_SIZE to the length," which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3509

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2014-8484
CVE STATUS: Patched
CVE SUMMARY: The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8484

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2014-8485
CVE STATUS: Patched
CVE SUMMARY: The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8485

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2014-8501
CVE STATUS: Patched
CVE SUMMARY: The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8501

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2014-8502
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8502

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2014-8503
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8503

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2014-8504
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8504

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2014-8737
CVE STATUS: Patched
CVE SUMMARY: Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8737

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2014-8738
CVE STATUS: Patched
CVE SUMMARY: The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8738

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2014-9939
CVE STATUS: Patched
CVE SUMMARY: ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9939

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12448
CVE STATUS: Patched
CVE SUMMARY: The bfd_cache_close function in bfd/cache.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a heap use after free and possibly achieve code execution via a crafted nested archive file. This issue occurs because incorrect functions are called during an attempt to release memory. The issue can be addressed by better input validation in the bfd_generic_archive_p function in bfd/archive.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12448

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12449
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12449

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12450
CVE STATUS: Patched
CVE SUMMARY: The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12450

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12451
CVE STATUS: Patched
CVE SUMMARY: The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12451

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12452
CVE STATUS: Patched
CVE SUMMARY: The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12452

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12453
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12453

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12454
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12454

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12455
CVE STATUS: Patched
CVE SUMMARY: The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12455

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12456
CVE STATUS: Patched
CVE SUMMARY: The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12456

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12457
CVE STATUS: Patched
CVE SUMMARY: The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12457

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12458
CVE STATUS: Patched
CVE SUMMARY: The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12458

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12459
CVE STATUS: Patched
CVE SUMMARY: The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted mach-o file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12459

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12799
CVE STATUS: Patched
CVE SUMMARY: The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12799

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-12967
CVE STATUS: Patched
CVE SUMMARY: The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12967

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-13710
CVE STATUS: Patched
CVE SUMMARY: The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13710

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-13716
CVE STATUS: Patched
CVE SUMMARY: The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13716

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-13757
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13757

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14128
CVE STATUS: Patched
CVE SUMMARY: The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14128

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14129
CVE STATUS: Patched
CVE SUMMARY: The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14129

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14130
CVE STATUS: Patched
CVE SUMMARY: The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14130

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14333
CVE STATUS: Patched
CVE SUMMARY: The process_version_sections function in readelf.c in GNU Binutils 2.29 allows attackers to cause a denial of service (Integer Overflow, and hang because of a time-consuming loop) or possibly have unspecified other impact via a crafted binary file with invalid values of ent.vn_next, during "readelf -a" execution.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14333

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14529
CVE STATUS: Patched
CVE SUMMARY: The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14529

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14729
CVE STATUS: Patched
CVE SUMMARY: The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14729

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14745
CVE STATUS: Patched
CVE SUMMARY: The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14745

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14930
CVE STATUS: Patched
CVE SUMMARY: Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14930

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14932
CVE STATUS: Patched
CVE SUMMARY: decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14932

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14933
CVE STATUS: Patched
CVE SUMMARY: read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14933

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14934
CVE STATUS: Patched
CVE SUMMARY: process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14934

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14938
CVE STATUS: Patched
CVE SUMMARY: _bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14938

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14939
CVE STATUS: Patched
CVE SUMMARY: decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14939

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14940
CVE STATUS: Patched
CVE SUMMARY: scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14940

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-14974
CVE STATUS: Patched
CVE SUMMARY: The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14974

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15020
CVE STATUS: Patched
CVE SUMMARY: dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15020

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15021
CVE STATUS: Patched
CVE SUMMARY: bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15021

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15022
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15022

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15023
CVE STATUS: Patched
CVE SUMMARY: read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15023

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15024
CVE STATUS: Patched
CVE SUMMARY: find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15024

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15025
CVE STATUS: Patched
CVE SUMMARY: decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15025

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15225
CVE STATUS: Patched
CVE SUMMARY: _bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15225

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15938
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15938

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15939
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15939

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-15996
CVE STATUS: Patched
CVE SUMMARY: elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a "buffer overflow on fuzzed archive header," related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15996

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-16826
CVE STATUS: Patched
CVE SUMMARY: The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16826

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-16827
CVE STATUS: Patched
CVE SUMMARY: The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16827

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-16828
CVE STATUS: Patched
CVE SUMMARY: The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16828

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-16829
CVE STATUS: Patched
CVE SUMMARY: The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16829

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-16830
CVE STATUS: Patched
CVE SUMMARY: The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16830

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-16831
CVE STATUS: Patched
CVE SUMMARY: coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16831

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-16832
CVE STATUS: Patched
CVE SUMMARY: The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16832

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-17080
CVE STATUS: Patched
CVE SUMMARY: elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17080

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-17121
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17121

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-17122
CVE STATUS: Patched
CVE SUMMARY: The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17122

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-17123
CVE STATUS: Patched
CVE SUMMARY: The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17123

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-17124
CVE STATUS: Patched
CVE SUMMARY: The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17124

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-17125
CVE STATUS: Patched
CVE SUMMARY: nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17125

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-17126
CVE STATUS: Patched
CVE SUMMARY: The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17126

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-6965
CVE STATUS: Patched
CVE SUMMARY: readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6965

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-6966
CVE STATUS: Patched
CVE SUMMARY: readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6966

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-6969
CVE STATUS: Patched
CVE SUMMARY: readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6969

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7209
CVE STATUS: Patched
CVE SUMMARY: The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7209

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7210
CVE STATUS: Patched
CVE SUMMARY: objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7210

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7223
CVE STATUS: Patched
CVE SUMMARY: GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7223

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7224
CVE STATUS: Patched
CVE SUMMARY: The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7224

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7225
CVE STATUS: Patched
CVE SUMMARY: The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7225

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7226
CVE STATUS: Patched
CVE SUMMARY: The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7226

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7227
CVE STATUS: Patched
CVE SUMMARY: GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\0' termination of a name field in ldlex.l.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7227

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7299
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7299

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7300
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7300

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7301
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7301

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7302
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7302

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7303
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7303

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7304
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7304

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-7614
CVE STATUS: Patched
CVE SUMMARY: elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an "int main() {return 0;}" program.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7614

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-8392
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8392

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-8393
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8393

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-8394
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8394

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-8395
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8395

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-8396
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8396

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-8397
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8397

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-8398
CVE STATUS: Patched
CVE SUMMARY: dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8398

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-8421
CVE STATUS: Patched
CVE SUMMARY: The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8421

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9038
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9038

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9039
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9039

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9040
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9040

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9041
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9041

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9042
CVE STATUS: Patched
CVE SUMMARY: readelf.c in GNU Binutils 2017-04-12 has a "cannot be represented in type long" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9042

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9043
CVE STATUS: Patched
CVE SUMMARY: readelf.c in GNU Binutils 2017-04-12 has a "shift exponent too large for type unsigned long" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9043

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9044
CVE STATUS: Patched
CVE SUMMARY: The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9044

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9742
CVE STATUS: Patched
CVE SUMMARY: The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9742

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9743
CVE STATUS: Patched
CVE SUMMARY: The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9743

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9744
CVE STATUS: Patched
CVE SUMMARY: The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9744

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9745
CVE STATUS: Patched
CVE SUMMARY: The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9745

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9746
CVE STATUS: Patched
CVE SUMMARY: The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9746

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9747
CVE STATUS: Patched
CVE SUMMARY: The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. NOTE: this may be related to a compiler bug.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9747

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9748
CVE STATUS: Patched
CVE SUMMARY: The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. NOTE: this may be related to a compiler bug.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9748

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9749
CVE STATUS: Patched
CVE SUMMARY: The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9749

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9750
CVE STATUS: Patched
CVE SUMMARY: opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9750

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9751
CVE STATUS: Patched
CVE SUMMARY: opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9751

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9752
CVE STATUS: Patched
CVE SUMMARY: bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9752

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9753
CVE STATUS: Patched
CVE SUMMARY: The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9753

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9754
CVE STATUS: Patched
CVE SUMMARY: The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9754

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9755
CVE STATUS: Patched
CVE SUMMARY: opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9755

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9756
CVE STATUS: Patched
CVE SUMMARY: The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9756

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9954
CVE STATUS: Patched
CVE SUMMARY: The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9954

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2017-9955
CVE STATUS: Patched
CVE SUMMARY: The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9955

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-1000876
CVE STATUS: Patched
CVE SUMMARY: binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000876

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-10372
CVE STATUS: Patched
CVE SUMMARY: process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10372

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-10373
CVE STATUS: Patched
CVE SUMMARY: concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10373

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-10534
CVE STATUS: Patched
CVE SUMMARY: The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10534

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-10535
CVE STATUS: Patched
CVE SUMMARY: The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a "SECTION" type that has a "0" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10535

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-12641
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12641

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-12697
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12697

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-12698
CVE STATUS: Patched
CVE SUMMARY: demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12698

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-12699
CVE STATUS: Patched
CVE SUMMARY: finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12699

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-12934
CVE STATUS: Patched
CVE SUMMARY: remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12934

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-13033
CVE STATUS: Patched
CVE SUMMARY: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13033

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-17358
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17358

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-17359
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17359

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-17360
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17360

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-17794
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17794

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-17985
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17985

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-18309
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service, as demonstrated by objdump, because of missing _bfd_clear_contents bounds checking.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18309

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-18483
CVE STATUS: Patched
CVE SUMMARY: The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18483

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-18484
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18484

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-18605
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18605

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-18606
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18606

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-18607
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18607

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-18700
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18700

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-18701
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18701

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-19931
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19931

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-19932
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19932

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-20002
CVE STATUS: Patched
CVE SUMMARY: The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20002

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-20623
CVE STATUS: Patched
CVE SUMMARY: In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20623

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-20651
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference was discovered in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31.1. This occurs for a crafted ET_DYN with no program headers. A specially crafted ELF file allows remote attackers to cause a denial of service, as demonstrated by ld.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20651

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-20657
CVE STATUS: Patched
CVE SUMMARY: The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20657

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-20671
CVE STATUS: Patched
CVE SUMMARY: load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20671

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-20673
CVE STATUS: Patched
CVE SUMMARY: The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for "Create an array for saving the template argument values") that can trigger a heap-based buffer overflow, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20673

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-20712
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20712

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-6323
CVE STATUS: Patched
CVE SUMMARY: The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6323

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-6543
CVE STATUS: Patched
CVE SUMMARY: In GNU Binutils 2.30, there's an integer overflow in the function load_specific_debug_section() in objdump.c, which results in `malloc()` with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6543

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-6759
CVE STATUS: Patched
CVE SUMMARY: The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6759

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-6872
CVE STATUS: Patched
CVE SUMMARY: The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6872

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-7208
CVE STATUS: Patched
CVE SUMMARY: In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7208

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-7568
CVE STATUS: Patched
CVE SUMMARY: The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7568

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-7569
CVE STATUS: Patched
CVE SUMMARY: dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7569

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-7570
CVE STATUS: Patched
CVE SUMMARY: The assign_file_positions_for_non_load_sections function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an ELF file with a RELRO segment that lacks a matching LOAD segment, as demonstrated by objcopy.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7570

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-7642
CVE STATUS: Patched
CVE SUMMARY: The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7642

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-7643
CVE STATUS: Patched
CVE SUMMARY: The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7643

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-8945
CVE STATUS: Patched
CVE SUMMARY: The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8945

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-9138
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9138

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2018-9996
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9996

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-1010204
CVE STATUS: Patched
CVE SUMMARY: GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010204

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-12972
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\0' character.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12972

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-14250
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14250

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-14444
CVE STATUS: Patched
CVE SUMMARY: apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14444

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-17450
CVE STATUS: Patched
CVE SUMMARY: find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17450

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-17451
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17451

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-9070
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9070

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-9071
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9071

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-9072
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9072

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-9073
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9073

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-9074
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9074

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-9075
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9075

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-9076
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9076

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2019-9077
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9077

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-16590
CVE STATUS: Patched
CVE SUMMARY: A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16590

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-16591
CVE STATUS: Patched
CVE SUMMARY: A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16591

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-16592
CVE STATUS: Patched
CVE SUMMARY: A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16592

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-16593
CVE STATUS: Patched
CVE SUMMARY: A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16593

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-16599
CVE STATUS: Patched
CVE SUMMARY: A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16599

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-19724
CVE STATUS: Patched
CVE SUMMARY: A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19724

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-19726
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19726

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-21490
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU Binutils 2.34. It is a memory leak when process microblaze-dis.c. This one will consume memory on each insn disassembled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21490

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-35342
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35342

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-35448
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35448

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-35493
CVE STATUS: Patched
CVE SUMMARY: A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35493

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-35494
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35494

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-35495
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35495

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-35496
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35496

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2020-35507
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35507

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2021-20197
CVE STATUS: Patched
CVE SUMMARY: There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20197

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2021-20284
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20284

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2021-20294
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20294

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2021-32256
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32256

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2021-3530
CVE STATUS: Patched
CVE SUMMARY: A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3530

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2021-3549
CVE STATUS: Patched
CVE SUMMARY: An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3549

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2021-37322
CVE STATUS: Patched
CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2021-45078
CVE STATUS: Patched
CVE SUMMARY: stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45078

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2021-46174
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46174

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-35205
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35205

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-35206
CVE STATUS: Patched
CVE SUMMARY: Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35206

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-38533
CVE STATUS: Patched
CVE SUMMARY: In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-38533

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-4285
CVE STATUS: Patched
CVE SUMMARY: An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4285

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-44840
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44840

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-45703
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45703

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-47007
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47007

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-47008
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47008

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-47010
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47010

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-47011
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47011

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-47673
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47673

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-47695
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47695

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-47696
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47696

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-48063
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48063

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-48064
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48064

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2022-48065
CVE STATUS: Patched
CVE SUMMARY: GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48065

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2023-1579
CVE STATUS: Patched
CVE SUMMARY: Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1579

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2023-1972
CVE STATUS: Patched
CVE SUMMARY: A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1972

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2023-25584
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Applies only for version 2.40 and earlier
CVE SUMMARY: An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25584

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2023-25585
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25585

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2023-25586
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Binutils. A logic fail in the bfd_init_section_decompress_status function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25586

LAYER: meta
PACKAGE NAME: binutils-native
PACKAGE VERSION: 2.42
CVE: CVE-2023-25588
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25588

LAYER: meta
PACKAGE NAME: libyaml
PACKAGE VERSION: 0.2.5
CVE: CVE-2013-6393
CVE STATUS: Patched
CVE SUMMARY: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6393

LAYER: meta
PACKAGE NAME: libyaml
PACKAGE VERSION: 0.2.5
CVE: CVE-2014-2525
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2525

LAYER: meta
PACKAGE NAME: libyaml
PACKAGE VERSION: 0.2.5
CVE: CVE-2014-9130
CVE STATUS: Patched
CVE SUMMARY: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9130

LAYER: meta
PACKAGE NAME: glib-networking
PACKAGE VERSION: 2.78.1
CVE: CVE-2020-13645
CVE STATUS: Patched
CVE SUMMARY: In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13645

LAYER: meta
PACKAGE NAME: cmake
PACKAGE VERSION: 3.28.3
CVE: CVE-2016-10642
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded
CVE SUMMARY: cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10642

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0061
CVE STATUS: Patched
CVE SUMMARY: File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0061

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0074
CVE STATUS: Patched
CVE SUMMARY: Listening TCP ports are sequentially allocated, allowing spoofing attacks.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0128
CVE STATUS: Patched
CVE SUMMARY: Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0128

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0138
CVE STATUS: Patched
CVE SUMMARY: The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0138

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0165
CVE STATUS: Patched
CVE SUMMARY: NFS cache poisoning.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0165

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0171
CVE STATUS: Patched
CVE SUMMARY: Denial of service in syslog by sending it a large number of superfluous messages.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0171

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0183
CVE STATUS: Patched
CVE SUMMARY: Linux implementations of TFTP would allow access to files outside the restricted directory.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0183

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0195
CVE STATUS: Patched
CVE SUMMARY: Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0195

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0216
CVE STATUS: Patched
CVE SUMMARY: Denial of service of inetd on Linux through SYN and RST packets.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0216

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0245
CVE STATUS: Patched
CVE SUMMARY: Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0245

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0257
CVE STATUS: Patched
CVE SUMMARY: Nestea variation of teardrop IP fragmentation denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0257

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0317
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in Linux su command gives root access to local users.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0317

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0330
CVE STATUS: Patched
CVE SUMMARY: Linux bdash game has a buffer overflow that allows local users to gain root access.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0330

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0381
CVE STATUS: Patched
CVE SUMMARY: super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0381

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0400
CVE STATUS: Patched
CVE SUMMARY: Denial of service in Linux 2.2.0 running the ldd command on a core file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0400

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0401
CVE STATUS: Patched
CVE SUMMARY: A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0401

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0414
CVE STATUS: Patched
CVE SUMMARY: In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0414

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0431
CVE STATUS: Patched
CVE SUMMARY: Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0431

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0451
CVE STATUS: Patched
CVE SUMMARY: Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0451

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0460
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0460

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0461
CVE STATUS: Patched
CVE SUMMARY: Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0461

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0513
CVE STATUS: Patched
CVE SUMMARY: ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0513

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0524
CVE STATUS: Unpatched
CVE SUMMARY: ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0524

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0590
CVE STATUS: Patched
CVE SUMMARY: A system does not present an appropriate legal message or warning to a user who is accessing it.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0590

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0628
CVE STATUS: Patched
CVE SUMMARY: The rwho/rwhod service is running, which exposes machine status and user information.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0628

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0656
CVE STATUS: Unpatched
CVE SUMMARY: The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0656

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0720
CVE STATUS: Patched
CVE SUMMARY: The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0720

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0780
CVE STATUS: Patched
CVE SUMMARY: KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0780

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0781
CVE STATUS: Patched
CVE SUMMARY: KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0781

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0782
CVE STATUS: Patched
CVE SUMMARY: KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0782

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0804
CVE STATUS: Patched
CVE SUMMARY: Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0804

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-0986
CVE STATUS: Patched
CVE SUMMARY: The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0986

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1018
CVE STATUS: Patched
CVE SUMMARY: IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1018

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1166
CVE STATUS: Patched
CVE SUMMARY: Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1166

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1225
CVE STATUS: Patched
CVE SUMMARY: rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1225

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1276
CVE STATUS: Patched
CVE SUMMARY: fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1276

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1285
CVE STATUS: Patched
CVE SUMMARY: Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1285

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1339
CVE STATUS: Patched
CVE SUMMARY: Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1339

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1341
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1341

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1352
CVE STATUS: Patched
CVE SUMMARY: mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1352

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1441
CVE STATUS: Patched
CVE SUMMARY: Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1441

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-1999-1442
CVE STATUS: Patched
CVE SUMMARY: Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1442

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2000-0006
CVE STATUS: Patched
CVE SUMMARY: strace allows local users to read arbitrary files via memory mapped file names.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2000-0227
CVE STATUS: Patched
CVE SUMMARY: The Linux 2.2.x kernel does not restrict the number of Unix domain sockets as defined by the wmem_max parameter, which allows local users to cause a denial of service by requesting a large number of sockets.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0227

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2000-0289
CVE STATUS: Patched
CVE SUMMARY: IP masquerading in Linux 2.2.x allows remote attackers to route UDP packets through the internal interface by modifying the external source IP address and port number to match those of an established connection.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0289

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2000-0344
CVE STATUS: Patched
CVE SUMMARY: The knfsd NFS server in Linux kernel 2.2.x allows remote attackers to cause a denial of service via a negative size value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0344

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2000-0506
CVE STATUS: Patched
CVE SUMMARY: The "capabilities" feature in Linux before 2.2.16 allows local users to cause a denial of service or gain privileges by setting the capabilities to prevent a setuid program from dropping privileges, aka the "Linux kernel setuid/setcap vulnerability."
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0506

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-0316
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.4 and 2.2 allows local users to read kernel memory and possibly gain privileges via a negative argument to the sysctl call.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0316

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-0317
CVE STATUS: Patched
CVE SUMMARY: Race condition in ptrace in Linux kernel 2.4 and 2.2 allows local users to gain privileges by using ptrace to track and modify a running setuid process.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0317

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-0405
CVE STATUS: Patched
CVE SUMMARY: ip_conntrack_ftp in the IPTables firewall for Linux 2.4 allows remote attackers to bypass access restrictions for an FTP server via a PORT command that lists an arbitrary IP address and port number, which is added to the RELATED table and allowed by the firewall.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0405

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-0851
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.0, 2.2 and 2.4 with syncookies enabled allows remote attackers to bypass firewall rules by brute force guessing the cookie.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0851

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-0907
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.2.1 through 2.2.19, and 2.4.1 through 2.4.10, allows local users to cause a denial of service via a series of deeply nested symlinks, which causes the kernel to spend extra time when trying to access the link.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0907

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-0914
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.4.11pre3 in multiple Linux distributions allows local users to cause a denial of service (crash) by starting the core vmlinux kernel, possibly related to poor error checking during ELF loading.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1056
CVE STATUS: Patched
CVE SUMMARY: IRC DCC helper in the ip_masq_irc IP masquerading module 2.2 allows remote attackers to bypass intended firewall restrictions by causing the target system to send a "DCC SEND" request to a malicious server which listens on port 6667, which may cause the module to believe that the traffic is a valid request and allow the connection to the port specified in the DCC SEND request.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1244
CVE STATUS: Patched
CVE SUMMARY: Multiple TCP implementations could allow remote attackers to cause a denial of service (bandwidth and CPU exhaustion) by setting the maximum segment size (MSS) to a very small number and requesting large amounts of data, which generates more packets with less TCP-level data that amplify network traffic and consume more server CPU to process.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1244

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1273
CVE STATUS: Patched
CVE SUMMARY: The "mxcsr P4" vulnerability in the Linux kernel before 2.2.17-14, when running on certain Intel CPUs, allows local users to cause a denial of service (system halt).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1273

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1384
CVE STATUS: Patched
CVE SUMMARY: ptrace in Linux 2.2.x through 2.2.19, and 2.4.x through 2.4.9, allows local users to gain root privileges by running ptrace on a setuid or setgid program that itself calls an unprivileged program, such as newgrp.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1384

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1390
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in binfmt_misc in the Linux kernel before 2.2.19, related to user pages.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1390

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1391
CVE STATUS: Patched
CVE SUMMARY: Off-by-one vulnerability in CPIA driver of Linux kernel before 2.2.19 allows users to modify kernel memory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1391

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1392
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.2.19 does not have unregister calls for (1) CPUID and (2) MSR drivers, which could cause a DoS (crash) by unloading and reloading the drivers.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1392

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1393
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in classifier code for Linux kernel before 2.2.19 could result in denial of service (hang).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1393

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1394
CVE STATUS: Patched
CVE SUMMARY: Signedness error in (1) getsockopt and (2) setsockopt for Linux kernel before 2.2.19 allows local users to cause a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1394

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1395
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in sockfilter for Linux kernel before 2.2.19 related to "boundary cases," with unknown impact.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1395

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1396
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerabilities in strnlen_user for Linux kernel before 2.2.19, with unknown impact.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1396

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1397
CVE STATUS: Patched
CVE SUMMARY: The System V (SYS5) shared memory implementation for Linux kernel before 2.2.19 could allow attackers to modify recently freed memory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1397

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1398
CVE STATUS: Patched
CVE SUMMARY: Masquerading code for Linux kernel before 2.2.19 does not fully check packet lengths in certain cases, which may lead to a vulnerability.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1398

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1399
CVE STATUS: Patched
CVE SUMMARY: Certain operations in Linux kernel before 2.2.19 on the x86 architecture copy the wrong number of bytes, which might allow attackers to modify memory, aka "User access asm bug on x86."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1399

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1400
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerabilities in the UDP port allocation for Linux kernel before 2.2.19 could allow local users to cause a denial of service (deadlock).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1400

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1551
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.2.19 enables CAP_SYS_RESOURCE for setuid processes, which allows local users to exceed disk quota restrictions during execution of setuid programs.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1551

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2001-1572
CVE STATUS: Patched
CVE SUMMARY: The MAC module in Netfilter in Linux kernel 2.4.1 through 2.4.11, when configured to filter based on MAC addresses, allows remote attackers to bypass packet filters via small packets.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1572

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-0046
CVE STATUS: Patched
CVE SUMMARY: Linux kernel, and possibly other operating systems, allows remote attackers to read portions of memory via a series of fragmented ICMP packets that generate an ICMP TTL Exceeded response, which includes portions of the memory in the response packet.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0046

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-0060
CVE STATUS: Patched
CVE SUMMARY: IRC connection tracking helper module in the netfilter subsystem for Linux 2.4.18-pre9 and earlier does not properly set the mask for conntrack expectations for incoming DCC connections, which could allow remote attackers to bypass intended firewall restrictions.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0060

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-0429
CVE STATUS: Patched
CVE SUMMARY: The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a a binary compatibility interface (lcall).
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0429

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-0499
CVE STATUS: Patched
CVE SUMMARY: The d_path function in Linux kernel 2.2.20 and earlier, and 2.4.18 and earlier, truncates long pathnames without generating an error, which could allow local users to force programs to perform inappropriate operations on the wrong directories.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0499

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-0510
CVE STATUS: Patched
CVE SUMMARY: The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0510

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-0570
CVE STATUS: Patched
CVE SUMMARY: The encrypted loop device in Linux kernel 2.4.10 and earlier does not authenticate the entity that is encrypting data, which allows local users to modify encrypted data without knowing the key.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0570

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-0704
CVE STATUS: Patched
CVE SUMMARY: The Network Address Translation (NAT) capability for Netfilter ("iptables") 1.2.6a and earlier leaks translated IP addresses in ICMP error messages.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0704

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-1319
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.4.20 and earlier, and 2.5.x, when running on x86 systems, allows local users to cause a denial of service (hang) via the emulation mode, which does not properly clear TF and NT EFLAGs.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1319

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-1380
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.2.x allows local users to cause a denial of service (crash) by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1380

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-1571
CVE STATUS: Patched
CVE SUMMARY: The linux 2.4 kernel before 2.4.19 assumes that the fninit instruction clears all registers, which could lead to an information leak on processors that do not clear all relevant SSE registers.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1571

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-1572
CVE STATUS: Patched
CVE SUMMARY: Signed integer overflow in the bttv_read function in the bttv driver (bttv-driver.c) in Linux kernel before 2.4.20 has unknown impact and attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1572

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-1573
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in the pcilynx ieee1394 firewire driver (pcilynx.c) in Linux kernel before 2.4.20 has unknown impact and attack vectors, related to "wrap handling."
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1573

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-1574
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the ixj telephony card driver in Linux before 2.4.20 has unknown impact and attack vectors.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1574

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-1963
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.4.1 through 2.4.19 sets root's NR_RESERVED_FILES limit to 10 files, which allows local users to cause a denial of service (resource exhaustion) by opening 10 setuid binaries.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1963

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-1976
CVE STATUS: Patched
CVE SUMMARY: ifconfig, when used on the Linux kernel 2.2 and later, does not report when the network interface is in promiscuous mode if it was put in promiscuous mode using PACKET_MR_PROMISC, which could allow attackers to sniff the network without detection, as demonstrated using libpcap.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1976

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-2254
CVE STATUS: Patched
CVE SUMMARY: The experimental IP packet queuing feature in Netfilter / IPTables in Linux kernel 2.4 up to 2.4.19 and 2.5 up to 2.5.31, when a privileged process exits and network traffic is not being queued, may allow a later process with the same Process ID (PID) to access certain network traffic that would otherwise be restricted.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2254

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2002-2438
CVE STATUS: Patched
CVE SUMMARY: TCP firewalls could be circumvented by sending a SYN Packets with other flags (like e.g. RST flag) set, which was not correctly discarded by the Linux TCP stack after firewalling.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2438

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0001
CVE STATUS: Patched
CVE SUMMARY: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0018
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0018

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0127
CVE STATUS: Patched
CVE SUMMARY: The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0127

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0187
CVE STATUS: Patched
CVE SUMMARY: The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0187

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0244
CVE STATUS: Patched
CVE SUMMARY: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0244

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0246
CVE STATUS: Patched
CVE SUMMARY: The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0246

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0418
CVE STATUS: Patched
CVE SUMMARY: The Linux 2.0 kernel IP stack does not properly calculate the size of an ICMP citation, which causes it to include portions of unauthorized memory in ICMP error responses.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0418

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0462
CVE STATUS: Patched
CVE SUMMARY: A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0462

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0465
CVE STATUS: Patched
CVE SUMMARY: The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0465

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0467
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kernels 2.4.20, and some 2.5.x, when CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC is enabled, or the ip_nat_ftp or ip_nat_irc modules are loaded, allows remote attackers to cause a denial of service (crash) in systems using NAT, possibly due to an integer signedness error.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0467

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0476
CVE STATUS: Patched
CVE SUMMARY: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0476

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0501
CVE STATUS: Patched
CVE SUMMARY: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0501

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0619
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0619

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0643
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the Linux Socket Filter implementation (filter.c) in Linux 2.4.3-pre3 to 2.4.22-pre10 allows attackers to cause a denial of service (crash).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0643

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0956
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in the handling of O_DIRECT in Linux kernel prior to version 2.4.22 could cause stale data to be returned from the disk when handling sparse files, or cause incorrect data to be returned when a file is truncated as it is being read, which might allow local users to obtain sensitive data that was originally owned by other users, a different vulnerability than CVE-2003-0018.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0956

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0961
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0961

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0984
CVE STATUS: Patched
CVE SUMMARY: Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0984

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0985
CVE STATUS: Patched
CVE SUMMARY: The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0985

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-0986
CVE STATUS: Patched
CVE SUMMARY: Various routines for the ppc64 architecture on Linux kernel 2.6 prior to 2.6.2 and 2.4 prior to 2.4.24 do not use the copy_from_user function when copying data from userspace to kernelspace, which crosses security boundaries and allows local users to cause a denial of service.
CVSS v2 BASE SCORE: 1.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0986

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-1040
CVE STATUS: Patched
CVE SUMMARY: kmod in the Linux kernel does not set its uid, suid, gid, or sgid to 0, which allows local users to cause a denial of service (crash) by sending certain signals to kmod.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1040

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-1161
CVE STATUS: Patched
CVE SUMMARY: exit.c in Linux kernel 2.6-test9-CVS, as stored on kernel.bkbits.net, was modified to contain a backdoor, which could allow local users to elevate their privileges by passing __WCLONE|__WALL to the sys_wait4 function.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1161

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2003-1604
CVE STATUS: Patched
CVE SUMMARY: The redirect_target function in net/ipv4/netfilter/ipt_REDIRECT.c in the Linux kernel before 2.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending packets to an interface that has a 0.0.0.0 IP address, a related issue to CVE-2015-8787.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1604

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0001
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0003
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0003

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0010
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0010

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0058
CVE STATUS: Patched
CVE SUMMARY: Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0058

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0075
CVE STATUS: Patched
CVE SUMMARY: The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0077
CVE STATUS: Patched
CVE SUMMARY: The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0109
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0109

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0133
CVE STATUS: Patched
CVE SUMMARY: The XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0133

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0138
CVE STATUS: Patched
CVE SUMMARY: The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0138

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0177
CVE STATUS: Patched
CVE SUMMARY: The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0177

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0178
CVE STATUS: Patched
CVE SUMMARY: The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0178

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0181
CVE STATUS: Patched
CVE SUMMARY: The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0181

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0186
CVE STATUS: Patched
CVE SUMMARY: smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0186

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0228
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0228

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0229
CVE STATUS: Patched
CVE SUMMARY: The framebuffer driver in Linux kernel 2.6.x does not properly use the fb_copy_cmap function, with unknown impact.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0229

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0394
CVE STATUS: Patched
CVE SUMMARY: A "potential" buffer overflow exists in the panic() function in Linux 2.4.x, although it may not be exploitable due to the functionality of panic.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0394

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0415
CVE STATUS: Patched
CVE SUMMARY: Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0415

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0424
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0424

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0427
CVE STATUS: Patched
CVE SUMMARY: The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0427

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0447
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to cause a denial of service, with unknown impact.  NOTE: due to a typo, this issue was accidentally assigned CVE-2004-0477.  This is the proper candidate to use for the Linux local DoS.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0447

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0495
CVE STATUS: Patched
CVE SUMMARY: Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0495

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0496
CVE STATUS: Patched
CVE SUMMARY: Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0496

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0497
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0497

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0535
CVE STATUS: Patched
CVE SUMMARY: The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory.  NOTE: this issue was originally incorrectly reported as a "buffer overflow" by some sources.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0535

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0554
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0554

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0565
CVE STATUS: Patched
CVE SUMMARY: Floating point information leak in the context switch code for Linux 2.4.x only checks the MFH bit but does not verify the FPH owner, which allows local users to read register values of other processes by setting the MFH bit.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0565

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0596
CVE STATUS: Patched
CVE SUMMARY: The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a non-existent device name that triggers a null dereference.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0596

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0626
CVE STATUS: Patched
CVE SUMMARY: The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0626

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0658
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the hpsb_alloc_packet function (incorrectly reported as alloc_hpsb_packet) in IEEE 1394 (Firewire) driver 2.4 and 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via the functions (1) raw1394_write, (2) state_connected, (3) handle_remote_request, or (4) hpsb_make_writebpacket.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0658

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0685
CVE STATUS: Patched
CVE SUMMARY: Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0685

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0812
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and Intel EM64T architectures, associated with "setting up TSS limits," allows local users to cause a denial of service (crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0812

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0814
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel data via a TIOCSETD ioctl call to a terminal interface that is being accessed by another thread, or (2) remote attackers to cause a denial of service (panic) by switching from console to PPP line discipline, then quickly sending data that is received during the switch.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0814

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0816
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0816

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0883
CVE STATUS: Patched
CVE SUMMARY: Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to cause a denial of service (crash) or gain sensitive information from kernel memory via a samba server (1) returning more data than requested to the smb_proc_read function, (2) returning a data offset from outside the samba packet to the smb_proc_readX function, (3) sending a certain TRANS2 fragmented packet to the smb_receive_trans2 function, (4) sending a samba packet with a certain header size to the smb_proc_readX_data function, or (5) sending a certain packet based offset for the data in a packet to the smb_receive_trans2 function.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0883

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0887
CVE STATUS: Patched
CVE SUMMARY: SUSE Linux Enterprise Server 9 on the S/390 platform does not properly handle a certain privileged instruction, which allows local users to gain root privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0887

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0949
CVE STATUS: Patched
CVE SUMMARY: The smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented packets correctly, which could allow remote samba servers to (1) read arbitrary kernel information or (2) raise a counter value to an arbitrary number by sending the first part of the fragmented packet multiple times.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0949

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0986
CVE STATUS: Patched
CVE SUMMARY: Iptables before 1.2.11, under certain conditions, does not properly load the required modules at system startup, which causes the firewall rules to fail to load and protect the system from remote attackers.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0986

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-0997
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in the ptrace MIPS assembly code in Linux kernel 2.4 before 2.4.17 allows local users to gain privileges via unknown vectors.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1016
CVE STATUS: Patched
CVE SUMMARY: The scm_send function in the scm layer for Linux kernel 2.4.x up to 2.4.28, and 2.6.x up to 2.6.9, allows local users to cause a denial of service (system hang) via crafted auxiliary messages that are passed to the sendmsg function, which causes a deadlock condition.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1016

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1017
CVE STATUS: Patched
CVE SUMMARY: Multiple "overflows" in the io_edgeport driver for Linux kernel 2.4.x have unknown impact and unknown attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1017

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1056
CVE STATUS: Patched
CVE SUMMARY: Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) and possibly modify the video output.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1057
CVE STATUS: Patched
CVE SUMMARY: Multiple drivers in Linux kernel 2.4.19 and earlier do not properly mark memory with the VM_IO flag, which causes incorrect reference counts and may lead to a denial of service (kernel panic) when accessing freed kernel pages.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1057

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1058
CVE STATUS: Patched
CVE SUMMARY: Race condition in Linux kernel 2.6 allows local users to read the environment variables of another process that is still spawning via /proc/.../cmdline.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1058

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1068
CVE STATUS: Patched
CVE SUMMARY: A "missing serialization" error in the unix_dgram_recvmsg function in Linux 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local users to gain privileges via a race condition.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1068

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1069
CVE STATUS: Patched
CVE SUMMARY: Race condition in SELinux 2.6.x through 2.6.9 allows local users to cause a denial of service (kernel crash) via SOCK_SEQPACKET unix domain sockets, which are not properly handled in the sock_dgram_sendmsg function.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1069

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1070
CVE STATUS: Patched
CVE SUMMARY: The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly check return values from calls to the kernel_read function, which may allow local users to modify sensitive memory in a setuid program and execute arbitrary code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1070

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1071
CVE STATUS: Patched
CVE SUMMARY: The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap function, which causes an incorrect mapped image and may allow local users to execute arbitrary code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1071

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1072
CVE STATUS: Patched
CVE SUMMARY: The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, may create an interpreter name string that is not NULL terminated, which could cause strings longer than PATH_MAX to be used, leading to buffer overflows that allow local users to cause a denial of service (hang) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1072

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1073
CVE STATUS: Patched
CVE SUMMARY: The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1073

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1137
CVE STATUS: Patched
CVE SUMMARY: Multiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers to cause a denial of service or execute arbitrary code via (1) the ip_mc_source function, which decrements a counter to -1, or (2) the igmp_marksources function, which does not properly validate IGMP message parameters and performs an out-of-bounds read.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1137

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1144
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD64 systems allows local users to gain privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1144

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1151
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local attackers to modify kernel memory and gain privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1151

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1234
CVE STATUS: Patched
CVE SUMMARY: load_elf_binary in Linux before 2.4.26 allows local users to cause a denial of service (system crash) via an ELF binary in which the interpreter is NULL.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1234

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1235
CVE STATUS: Patched
CVE SUMMARY: Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1235

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1237
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in the system call filtering code in the audit subsystem for Red Hat Enterprise Linux 3 allows local users to cause a denial of service (system crash) via unknown vectors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1237

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1333
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the vc_resize function in the Linux kernel 2.4 and 2.6 before 2.6.10 allows local users to cause a denial of service (kernel crash) via a short new screen value, which leads to a buffer overflow.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1333

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-1335
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the ip_options_get function in the Linux kernel before 2.6.10 allows local users to cause a denial of service (memory consumption) by repeatedly calling the ip_cmsg_send function.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1335

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-2013
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of memory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2013

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-2135
CVE STATUS: Patched
CVE SUMMARY: cryptoloop on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2135

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-2136
CVE STATUS: Patched
CVE SUMMARY: dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2136

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-2302
CVE STATUS: Patched
CVE SUMMARY: Race condition in the sysfs_read_file and sysfs_write_file functions in Linux kernel before 2.6.10 allows local users to read kernel memory and cause a denial of service (crash) via large offsets in sysfs files.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2302

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-2536
CVE STATUS: Patched
CVE SUMMARY: The exit_thread function (process.c) in Linux kernel 2.6 through 2.6.5 does not invalidate the per-TSS io_bitmap pointers if a process obtains IO access permissions from the ioperm function but does not drop those permissions when it exits, which allows other processes to access the per-TSS pointers, access restricted memory locations, and possibly gain privileges.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2536

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-2607
CVE STATUS: Patched
CVE SUMMARY: A numeric casting discrepancy in sdla_xfer in Linux kernel 2.6.x up to 2.6.5 and 2.4 up to 2.4.29-rc1 allows local users to read portions of kernel memory via a large len argument, which is received as an int but cast to a short, which prevents a read loop from filling a buffer.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2607

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-2660
CVE STATUS: Patched
CVE SUMMARY: Memory leak in direct-io.c in Linux kernel 2.6.x before 2.6.10 allows local users to cause a denial of service (memory consumption) via certain O_DIRECT (direct IO) write requests.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2004-2731
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/openprom.c) for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly later versions, allow local users to execute arbitrary code by specifying (1) a small buffer size to the copyin_string function or (2) a negative buffer size to the copyin function.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2731

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0001
CVE STATUS: Patched
CVE SUMMARY: Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor machines, allows local users to execute arbitrary code via concurrent threads that share the same virtual memory space and simultaneously request stack expansion.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0003
CVE STATUS: Patched
CVE SUMMARY: The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0003

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0124
CVE STATUS: Patched
CVE SUMMARY: The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0124

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0135
CVE STATUS: Patched
CVE SUMMARY: The unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in Linux kernel 2.6 allows local users to cause a denial of service (system crash).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0135

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0136
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.11 on the Itanium IA64 platform has certain "ptrace corner cases" that allow local users to cause a denial of service (crash) via crafted syscalls, possibly related to MCA/INIT, a different vulnerability than CVE-2005-1761.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0136

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0137
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a denial of service via a "missing Itanium syscall table entry."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0137

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0176
CVE STATUS: Patched
CVE SUMMARY: The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0176

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0177
CVE STATUS: Patched
CVE SUMMARY: nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0177

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0178
CVE STATUS: Patched
CVE SUMMARY: Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0178

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0179
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0179

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0180
CVE STATUS: Patched
CVE SUMMARY: Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0180

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0204
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T architectures, allows local users to write to privileged IO ports via the OUTS instruction.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0204

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0207
CVE STATUS: Patched
CVE SUMMARY: Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS clients to cause a denial of service via O_DIRECT.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0207

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0209
CVE STATUS: Patched
CVE SUMMARY: Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0209

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0210
CVE STATUS: Patched
CVE SUMMARY: Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of service (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0210

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0400
CVE STATUS: Patched
CVE SUMMARY: The ext2_make_empty function call in the Linux kernel before 2.6.11.6 does not properly initialize memory when creating a block for a new directory entry, which allows local users to obtain potentially sensitive information by reading the block.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0400

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0449
CVE STATUS: Patched
CVE SUMMARY: The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) or bypass firewall rules via crafted packets, which are not properly handled by the skb_checksum_help function.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0449

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0489
CVE STATUS: Patched
CVE SUMMARY: The /proc handling (proc/base.c) Linux kernel 2.4 before 2.4.17 allows local users to cause a denial of service via unknown vectors that cause an invalid access of free memory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0489

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0504
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x before 2.6.22 allows local users to execute arbitrary code via a certain modified length value.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0504

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0529
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0529

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0530
CVE STATUS: Patched
CVE SUMMARY: Signedness error in the copy_from_read_buf function in n_tty.c for Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a negative argument.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0530

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0531
CVE STATUS: Patched
CVE SUMMARY: The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative arguments.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0531

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0532
CVE STATUS: Patched
CVE SUMMARY: The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit architectures, may allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0532

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0736
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0736

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0749
CVE STATUS: Patched
CVE SUMMARY: The load_elf_library in the Linux kernel before 2.6.11.6 allows local users to cause a denial of service (kernel crash) via a crafted ELF library or executable, which causes a free of an invalid pointer.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0749

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0750
CVE STATUS: Patched
CVE SUMMARY: The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0750

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0756
CVE STATUS: Patched
CVE SUMMARY: ptrace in Linux kernel 2.6.8.1 does not properly verify addresses on the amd64 platform, which allows local users to cause a denial of service (kernel crash).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0756

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0767
CVE STATUS: Patched
CVE SUMMARY: Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows local users with DRI privileges to execute arbitrary code as root.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0767

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0815
CVE STATUS: Patched
CVE SUMMARY: Multiple "range checking flaws" in the ISO9660 filesystem handler in Linux 2.6.11 and earlier may allow attackers to cause a denial of service or corrupt memory via a crafted filesystem.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0815

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0839
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6 before 2.6.11 does not restrict access to the N_MOUSE line discipline for a TTY, which allows local users to gain privileges by injecting mouse or keyboard events into other user sessions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0839

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0867
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Linux kernel 2.6 allows local users to overwrite kernel memory by writing to a sysfs file.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0867

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0916
CVE STATUS: Patched
CVE SUMMARY: AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service (system panic) via a process that executes the io_queue_init function but exits without running io_queue_release, which causes exit_aio and is_hugepage_only_range to fail.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0916

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0937
CVE STATUS: Patched
CVE SUMMARY: Some futex functions in futex.c for Linux kernel 2.6.x perform get_user calls while holding the mmap_sem semaphore, which could allow local users to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0937

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-0977
CVE STATUS: Patched
CVE SUMMARY: The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel 2.6 does not properly verify the address argument, which allows local users to cause a denial of service (kernel crash) via an invalid address.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0977

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1041
CVE STATUS: Patched
CVE SUMMARY: The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1041

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1263
CVE STATUS: Patched
CVE SUMMARY: The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1263

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1264
CVE STATUS: Patched
CVE SUMMARY: Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space, a similar vulnerability to CVE-2005-1589.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1264

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1265
CVE STATUS: Patched
CVE SUMMARY: The mmap function in the Linux Kernel 2.6.10 can be used to create memory maps with a start address beyond the end address, which allows local users to cause a denial of service (kernel crash).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1265

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1368
CVE STATUS: Patched
CVE SUMMARY: The key_user_lookup function in security/keys/key.c in Linux kernel 2.6.10 to 2.6.11.8 may allow attackers to cause a denial of service (oops) via SMP.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1368

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1369
CVE STATUS: Patched
CVE SUMMARY: The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before 2.6.11.8, and 2.6.12 before 2.6.12-rc2, create the sysfs "alarms" file with write permissions, which allows local users to cause a denial of service (CPU consumption) by attempting to write to the file, which does not have an associated store function.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1369

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1589
CVE STATUS: Patched
CVE SUMMARY: The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c) in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space and allows local users to cause a denial of service and possibly execute arbitrary code, a similar vulnerability to CVE-2005-1264.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1589

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1762
CVE STATUS: Patched
CVE SUMMARY: The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform allows local users to cause a denial of service (kernel crash) via a "non-canonical" address.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1762

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1764
CVE STATUS: Patched
CVE SUMMARY: Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug, which allows local users to cause a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1764

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1765
CVE STATUS: Patched
CVE SUMMARY: syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when running in 32-bit compatibility mode, allows local users to cause a denial of service (kernel hang) via crafted arguments.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1765

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1768
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ia32 compatibility code for the execve system call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via a concurrent thread that increments a pointer count after the nargs function has counted the pointers, but before the count is copied from user space to kernel space, which leads to a buffer overflow.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1768

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-1913
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a denial of service (kernel panic) via a non group-leader thread executing a different program than was pending in itimer, which causes the signal to be delivered to the old group-leader task, which does not exist.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2098
CVE STATUS: Patched
CVE SUMMARY: The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a denial of service (semaphore hang) via a new session keyring (1) with an empty name string, (2) with a long name string, (3) with the key quota reached, or (4) ENOMEM.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2098

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2099
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.12.5 does not properly destroy a keyring that is not instantiated properly, which allows local users or remote attackers to cause a denial of service (kernel oops) via a keyring with a payload that is not empty, which causes the creation to fail, leading to a null dereference in the keyring destructor.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2099

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2456
CVE STATUS: Patched
CVE SUMMARY: Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of service (oops or deadlock) and possibly execute arbitrary code via a p->dir value that is larger than XFRM_POLICY_OUT, which is used as an index in the sock->sk_policy array.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2456

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2457
CVE STATUS: Patched
CVE SUMMARY: The driver for compressed ISO file systems (zisofs) in the Linux kernel before 2.6.12.5 allows local users and remote attackers to cause a denial of service (kernel crash) via a crafted compressed ISO file system.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2457

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2458
CVE STATUS: Patched
CVE SUMMARY: inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 allows remote attackers to cause a denial of service (kernel crash) via a compressed file with "improper tables".
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2458

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2459
CVE STATUS: Patched
CVE SUMMARY: The huft_build function in inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 returns the wrong value, which allows remote attackers to cause a denial of service (kernel crash) via a certain compressed file that leads to a null pointer dereference, a different vulnerability than CVE-2005-2458.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2459

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2490
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the sendmsg function call in the Linux kernel 2.6 before 2.6.13.1 allows local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2490

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2492
CVE STATUS: Patched
CVE SUMMARY: The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allows local users to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2492

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2500
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the xdr_xcode_array2 function in xdr.c in Linux kernel 2.6.12, as used in SuSE Linux Enterprise Server 9, might allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted XDR data for the nfsacl protocol.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2500

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2548
CVE STATUS: Patched
CVE SUMMARY: vlan_dev.c in the VLAN code for Linux kernel 2.6.8 allows remote attackers to cause a denial of service (kernel oops from null dereference) via certain UDP packets that lead to a function call with the wrong argument, as demonstrated using snmpwalk on snmpd.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2548

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2553
CVE STATUS: Patched
CVE SUMMARY: The find_target function in ptrace32.c in the Linux kernel 2.4.x before 2.4.29 does not properly handle a NULL return value from another function, which allows local users to cause a denial of service (kernel crash/oops) by running a 32-bit ltrace program with the -i option on a 64-bit executable program.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2553

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2555
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.x does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability, which could allow local users to conduct unauthorized activities via (1) ipv4/ip_sockglue.c and (2) ipv6/ipv6_sockglue.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2555

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2617
CVE STATUS: Patched
CVE SUMMARY: The syscall32_setup_pages function in syscall32.c for Linux kernel 2.6.12 and later, on the 64-bit x86 platform, does not check the return value of the insert_vm_struct function, which allows local users to trigger a memory leak via a 32-bit application with crafted ELF headers.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2617

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2708
CVE STATUS: Patched
CVE SUMMARY: The search_binary_handler function in exec.c in Linux 2.4 kernel on 64-bit x86 architectures does not check a return code for a particular function call when virtual memory is low, which allows local users to cause a denial of service (panic), as demonstrated by running a process using the bash ulimit -v command.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2708

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2709
CVE STATUS: Patched
CVE SUMMARY: The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2709

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2800
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in Linux kernel 2.6.13 and earlier allows local users to cause a denial of service (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2800

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2801
CVE STATUS: Patched
CVE SUMMARY: xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does not properly compare the name_index fields when sharing xattr blocks, which could prevent default ACLs from being applied.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2801

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2872
CVE STATUS: Patched
CVE SUMMARY: The ipt_recent kernel module (ipt_recent.c) in Linux kernel before 2.6.12, when running on 64-bit processors such as AMD64, allows remote attackers to cause a denial of service (kernel panic) via certain attacks such as SSH brute force, which leads to memset calls using a length based on the u_int32_t type, acting on an array of unsigned long elements, a different vulnerability than CVE-2005-2873.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2872

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2873
CVE STATUS: Patched
CVE SUMMARY: The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and earlier does not properly perform certain time tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early, a different vulnerability than CVE-2005-2872.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2873

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-2973
CVE STATUS: Patched
CVE SUMMARY: The udp_v6_get_port function in udp.c in Linux 2.6 before 2.6.14-rc5, when running IPv6, allows local users to cause a denial of service (infinite loop and crash).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2973

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3044
CVE STATUS: Patched
CVE SUMMARY: Multiple vulnerabilities in Linux kernel before 2.6.13.2 allow local users to cause a denial of service (kernel OOPS from null dereference) via (1) fput in a 32-bit ioctl on 64-bit x86 systems or (2) sockfd_put in the 32-bit routing_ioctl function on 64-bit systems.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3044

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3053
CVE STATUS: Patched
CVE SUMMARY: The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x allows local users to cause a denial of service (kernel BUG()) via a negative first argument.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3055
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3055

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3105
CVE STATUS: Patched
CVE SUMMARY: The mprotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito processors does not properly maintain cache coherency as required by the architecture, which allows local users to cause a denial of service and possibly corrupt data by modifying PTE protections.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3105

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3106
CVE STATUS: Patched
CVE SUMMARY: Race condition in Linux 2.6, when threads are sharing memory mapping via CLONE_VM (such as linuxthreads and vfork), might allow local users to cause a denial of service (deadlock) by triggering a core dump while waiting for a thread that has just performed an exec.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3106

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3107
CVE STATUS: Patched
CVE SUMMARY: fs/exec.c in Linux 2.6, when one thread is tracing another thread that shares the same memory map, might allow local users to cause a denial of service (deadlock) by forcing a core dump when the traced thread is in the TASK_TRACED state.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3107

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3108
CVE STATUS: Patched
CVE SUMMARY: mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to cause a denial of service or an information leak via an ioremap on a certain memory map that causes the iounmap to perform a lookup of a page that does not exist.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3108

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3109
CVE STATUS: Patched
CVE SUMMARY: The HFS and HFS+ (hfsplus) modules in Linux 2.6 allow attackers to cause a denial of service (oops) by using hfsplus to mount a filesystem that is not hfsplus.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3109

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3110
CVE STATUS: Patched
CVE SUMMARY: Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6, when running on an SMP system that is operating under a heavy load, might allow remote attackers to cause a denial of service (crash) via a series of packets that cause a value to be modified after it has been read but before it has been locked.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3110

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3119
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the request_key_auth_destroy function in request_key_auth in Linux kernel 2.6.10 up to 2.6.13 allows local users to cause a denial of service (memory consumption) via a large number of authorization token keys.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3119

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3179
CVE STATUS: Patched
CVE SUMMARY: drm.c in Linux kernel 2.6.10 to 2.6.13 creates a debug file in sysfs with world-readable and world-writable permissions, which allows local users to enable DRM debugging and obtain sensitive information.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3179

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3180
CVE STATUS: Patched
CVE SUMMARY: The Orinoco driver (orinoco.c) in Linux kernel 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, which allows remote attackers to obtain sensitive information.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3180

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3181
CVE STATUS: Patched
CVE SUMMARY: The audit system in Linux kernel 2.6.6, and other versions before 2.6.13.4, when CONFIG_AUDITSYSCALL is enabled, uses an incorrect function to free names_cache memory, which prevents the memory from being tracked by AUDITSYSCALL code and leads to a memory leak that allows attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3181

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3257
CVE STATUS: Patched
CVE SUMMARY: The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12, and possibly other versions including 2.6.14.4, allows local users to use the KDSKBSENT ioctl on terminals of other users and gain privileges, as demonstrated by modifying key bindings using loadkeys.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3257

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3271
CVE STATUS: Patched
CVE SUMMARY: Exec in Linux kernel 2.6 does not properly clear posix-timers in multi-threaded environments, which results in a resource leak and could allow a large number of multiple local users to cause a denial of service by using more posix-timers than specified by the quota for a single user.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3271

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3272
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.12 allows remote attackers to poison the bridge forwarding table using frames that have already been dropped by filtering, which can cause the bridge to forward spoofed packets.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3272

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3273
CVE STATUS: Patched
CVE SUMMARY: The rose_rt_ioctl function in rose_route.c for Radionet Open Source Environment (ROSE) in Linux 2.6 kernels before 2.6.12, and 2.4 before 2.4.29, does not properly verify the ndigis argument for a new route, which allows attackers to trigger array out-of-bounds errors with a large number of digipeats.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3273

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3274
CVE STATUS: Patched
CVE SUMMARY: Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4 before 2.4.32-pre2, when running on SMP systems, allows local users to cause a denial of service (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3274

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3275
CVE STATUS: Patched
CVE SUMMARY: The NAT code (1) ip_nat_proto_tcp.c and (2) ip_nat_proto_udp.c in Linux kernel 2.6 before 2.6.13 and 2.4 before 2.4.32-rc1 incorrectly declares a variable to be static, which allows remote attackers to cause a denial of service (memory corruption) by causing two packets for the same protocol to be NATed at the same time, which leads to memory corruption.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3275

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3276
CVE STATUS: Patched
CVE SUMMARY: The sys_get_thread_area function in process.c in Linux 2.6 before 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which might allow a user process to obtain sensitive information.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3276

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3356
CVE STATUS: Patched
CVE SUMMARY: The mq_open system call in Linux kernel 2.6.9, in certain situations, can decrement a counter twice ("double decrement") as a result of multiple calls to the mntput function when the dentry_open function call fails, which allows local users to cause a denial of service (panic) via unspecified attack vectors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3356

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3358
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.15 allows local users to cause a denial of service (panic) via a set_mempolicy call with a 0 bitmask, which causes a panic when a page fault occurs.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3358

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3359
CVE STATUS: Patched
CVE SUMMARY: The atm module in Linux kernel 2.6 before 2.6.14 allows local users to cause a denial of service (panic) via certain socket calls that produce inconsistent reference counts for loadable protocol modules.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3359

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3527
CVE STATUS: Patched
CVE SUMMARY: Race condition in do_coredump in signal.c in Linux kernel 2.6 allows local users to cause a denial of service by triggering a core dump in one thread while another thread has a pending SIGSTOP.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3527

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3623
CVE STATUS: Patched
CVE SUMMARY: nfs2acl.c in the Linux kernel 2.6.14.4 does not check for MAY_SATTR privilege before setting access controls (ACL) on files on exported NFS filesystems, which allows remote attackers to bypass ACLs for readonly mounted NFS filesystems.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3623

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3660
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.4 and 2.6 allows attackers to cause a denial of service (memory exhaustion and panic) by creating a large number of connected file descriptors or socketpairs and setting a large data transfer buffer, then preventing Linux from being able to finish the transfer by causing the process to become a zombie, or closing the file descriptor without closing an associated reference.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3753
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before after 2.6.12 and before 2.6.13.1 might allow attackers to cause a denial of service (Oops) via certain IPSec packets that cause alignment problems in standard multi-block cipher processors.  NOTE: it is not clear whether this issue can be triggered by an attacker.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3753

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3783
CVE STATUS: Patched
CVE SUMMARY: The ptrace functionality (ptrace.c) in Linux kernel 2.6 before 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which allows local users to cause a denial of service (crash).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3783

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3784
CVE STATUS: Patched
CVE SUMMARY: The auto-reap of child processes in Linux kernel 2.6 before 2.6.15 includes processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a denial of service (crash) and gain root privileges.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3784

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3805
CVE STATUS: Patched
CVE SUMMARY: A locking problem in POSIX timer cleanup handling on exit in Linux kernel 2.6.10 to 2.6.14, when running on SMP systems, allows local users to cause a denial of service (deadlock) involving process CPU timers.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3805

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3806
CVE STATUS: Patched
CVE SUMMARY: The IPv6 flow label handling code (ip6_flowlabel.c) in Linux kernels 2.4 up to 2.4.32 and 2.6 before 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a denial of service (crash) by triggering a free of non-allocated memory.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3806

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3807
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the VFS file lease handling in locks.c in Linux kernels 2.6.10 to 2.6.15 allows local users to cause a denial of service (memory exhaustion) via certain Samba activities that cause an fasync entry to be re-allocated by the fcntl_setlease function after the fasync queue has already been cleaned by the locks_delete_lock function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3807

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3808
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the invalidate_inode_pages2_range function in mm/truncate.c in Linux kernel 2.6.11 to 2.6.14 allows local users to cause a denial of service (hang) via 64-bit mmap calls that are not properly handled on a 32-bit system.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3808

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3809
CVE STATUS: Patched
CVE SUMMARY: The nfattr_to_tcp function in ip_conntrack_proto_tcp.c in ctnetlink in Linux kernel 2.6.14 up to 2.6.14.3 allows attackers to cause a denial of service (kernel oops) via an update message without private protocol information, which triggers a null dereference.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3809

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3810
CVE STATUS: Patched
CVE SUMMARY: ip_conntrack_proto_icmp.c in ctnetlink in Linux kernel 2.6.14 up to 2.6.14.3 allows attackers to cause a denial of service (kernel oops) via a message without ICMP ID (ICMP_ID) information, which leads to a null dereference.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3810

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3847
CVE STATUS: Patched
CVE SUMMARY: The handle_stop_signal function in signal.c in Linux kernel 2.6.11 up to other versions before 2.6.13 and 2.6.12.6 allows local users to cause a denial of service (deadlock) by sending a SIGKILL to a real-time threaded process while it is performing a core dump.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3847

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3848
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the icmp_push_reply function in Linux 2.6 before 2.6.12.6 and 2.6.13 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted packets that cause the ip_append_data function to fail, aka "DST leak in icmp_push_reply."
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3857
CVE STATUS: Patched
CVE SUMMARY: The time_out_leases function in locks.c for Linux kernel before 2.6.15-rc3 allows local users to cause a denial of service (kernel log message consumption) by causing a large number of broken leases, which is recorded to the log using the printk function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3857

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-3858
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the ip6_input_finish function in ip6_input.c in Linux kernel 2.6.12 and earlier might allow attackers to cause a denial of service via malformed IPv6 packets with unspecified parameter problems, which prevents the SKB from being freed.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4351
CVE STATUS: Patched
CVE SUMMARY: The securelevels implementation in FreeBSD 7.0 and earlier, OpenBSD up to 3.8, DragonFly up to 1.2, and Linux up to 2.6.15 allows root users to bypass immutable settings for files by mounting another filesystem that masks the immutable files while the system is running.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4351

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4352
CVE STATUS: Patched
CVE SUMMARY: The securelevels implementation in NetBSD 2.1 and earlier, and Linux 2.6.15 and earlier, allows local users to bypass time setting restrictions and set the clock backwards by setting the clock ahead to the maximum unixtime value (19 Jan 2038), which then wraps around to the minimum value (13 Dec 1901), which can then be set ahead to the desired time, aka "settimeofday() time wrap."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4352

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4605
CVE STATUS: Patched
CVE SUMMARY: The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4605

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4618
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in sysctl in the Linux Kernel 2.6 before 2.6.15 allows local users to corrupt user memory and possibly cause a denial of service via a long string, which causes sysctl to write a zero byte outside the buffer.  NOTE: since the sysctl is called from a userland program that provides the argument, this might not be a vulnerability, unless a legitimate user-assisted or setuid scenario can be identified.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4618

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4635
CVE STATUS: Patched
CVE SUMMARY: The nl_fib_input function in fib_frontend.c in the Linux kernel before 2.6.15 does not check for valid lengths of the header and payload, which allows remote attackers to cause a denial of service (invalid memory reference) via malformed fib_lookup netlink messages.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4635

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4639
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the CA-driver (dst_ca.c) for TwinHan DST Frontend/Card in Linux kernel 2.6.12 and other versions before 2.6.15 allows local users to cause a denial of service (crash) and possibly execute arbitrary code by "reading more than 8 bytes into an 8 byte long array".
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4639

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4798
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in NFS readlink handling in the Linux Kernel 2.4 up to 2.4.31 allows remote NFS servers to cause a denial of service (crash) via a long symlink, which is not properly handled in (1) nfs2xdr.c or (2) nfs3xdr.c and causes a crash in the NFS client.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4798

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4811
CVE STATUS: Patched
CVE SUMMARY: The hugepage code (hugetlb.c) in Linux kernel 2.6, possibly 2.6.12 and 2.6.13, in certain configurations, allows local users to cause a denial of service (crash) by triggering an mmap error before a prefault, which causes an error in the unmap_hugepage_area function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4811

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4881
CVE STATUS: Patched
CVE SUMMARY: The netlink subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.13-rc1 does not initialize certain padding fields in structures, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors, related to the (1) tc_fill_qdisc, (2) tcf_fill_node, (3) neightbl_fill_info, (4) neightbl_fill_param_info, (5) neigh_fill_info, (6) rtnetlink_fill_ifinfo, (7) rtnetlink_fill_iwinfo, (8) vif_delete, (9) ipmr_destroy_unres, (10) ipmr_cache_alloc_unres, (11) ipmr_cache_resolve, (12) inet6_fill_ifinfo, (13) tca_get_fill, (14) tca_action_flush, (15) tcf_add_notify, (16) tc_dump_action, (17) cbq_dump_police, (18) __nlmsg_put, (19) __rta_fill, (20) __rta_reserve, (21) inet6_fill_prefix, (22) rsvp_dump, and (23) cbq_dump_ovl functions.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4881

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2005-4886
CVE STATUS: Patched
CVE SUMMARY: The selinux_parse_skb_ipv6 function in security/selinux/hooks.c in the Linux kernel before 2.6.12-rc4 allows remote attackers to cause a denial of service (OOPS) via vectors associated with an incorrect call to the ipv6_skip_exthdr function.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4886

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0035
CVE STATUS: Patched
CVE SUMMARY: The netlink_rcv_skb function in af_netlink.c in Linux kernel 2.6.14 and 2.6.15 allows local users to cause a denial of service (infinite loop) via a nlmsg_len field of 0.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0035

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0036
CVE STATUS: Patched
CVE SUMMARY: ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows remote attackers to cause a denial of service (memory corruption or crash) via an inbound PPTP_IN_CALL_REQUEST packet that causes a null pointer to be used in an offset calculation.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0036

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0037
CVE STATUS: Patched
CVE SUMMARY: ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service (memory corruption or crash) via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0037

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0038
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0038

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0039
CVE STATUS: Patched
CVE SUMMARY: Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0095
CVE STATUS: Patched
CVE SUMMARY: dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0096
CVE STATUS: Patched
CVE SUMMARY: wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors.  NOTE: further investigation suggests that this issue requires root privileges to exploit, since it is protected by CAP_NET_ADMIN; thus it might not be a vulnerability, although capabilities provide finer distinctions between privilege levels.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0096

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0454
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.15.3 down to 2.6.12, while constructing an ICMP response in icmp_send, does not properly handle when the ip_options_echo function in icmp.c fails, which allows remote attackers to cause a denial of service (crash) via vectors such as (1) record-route and (2) timestamp IP options with the needaddr bit set and a truncated value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0454

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0456
CVE STATUS: Patched
CVE SUMMARY: The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0456

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0457
CVE STATUS: Patched
CVE SUMMARY: Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0457

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0482
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.15.1 and earlier, when running on SPARC architectures, allows local users to cause a denial of service (hang) via a "date -s" command, which causes invalid sign extended arguments to be provided to the get_compat_timespec function call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0482

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0554
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitive information via a crafted XFS ftruncate call, which may return stale data.
CVSS v2 BASE SCORE: 1.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0554

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0555
CVE STATUS: Patched
CVE SUMMARY: The Linux Kernel before 2.6.15.5 allows local users to cause a denial of service (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (direct I/O).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0555

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0557
CVE STATUS: Patched
CVE SUMMARY: sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not sanity check the maxnod variable before making certain computations for the get_nodes function, which has unknown impact and attack vectors.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0557

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0558
CVE STATUS: Patched
CVE SUMMARY: perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users to cause a denial of service (crash) by interrupting a task while another process is accessing the mm_struct, which triggers a BUG_ON action in the put_page_testzero function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0558

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0741
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service ("endless recursive fault") via unknown attack vectors related to a "bad elf entry address."
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0742
CVE STATUS: Patched
CVE SUMMARY: The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc, has the "noreturn" attribute set, which allows local users to cause a denial of service by causing user faults on Itanium systems.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0742

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-0744
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0744

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1052
CVE STATUS: Patched
CVE SUMMARY: The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local users with ptrace permissions to change the tracer SID to an SID of another process.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1052

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1055
CVE STATUS: Patched
CVE SUMMARY: The fill_write_buffer function in sysfs/file.c in Linux kernel 2.6.12 up to versions before 2.6.17-rc1 does not zero terminate a buffer when a length of PAGE_SIZE or more is requested, which might allow local users to cause a denial of service (crash) by causing an out-of-bounds read.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1055

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1056
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1066
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.16-rc2 and earlier, when running on x86_64 systems with preemption enabled, allows local users to cause a denial of service (oops) via multiple ptrace tasks that perform single steps, which can cause corruption of the DEBUG_STACK stack during the do_debug function call.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1242
CVE STATUS: Patched
CVE SUMMARY: The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to conduct an Idle Scan (nmap -sI) attack, which bypasses intended protections against such attacks.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1242

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1342
CVE STATUS: Patched
CVE SUMMARY: net/ipv4/af_inet.c in Linux kernel 2.4 does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the (1) getsockname, (2) getpeername, and (3) accept functions, which allows local users to obtain portions of potentially sensitive memory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1342

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1343
CVE STATUS: Patched
CVE SUMMARY: net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which allows local users to obtain portions of potentially sensitive memory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1343

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1368
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the USB Gadget RNDIS implementation in the Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (kmalloc'd memory corruption) via a remote NDIS response to OID_GEN_SUPPORTED_LIST, which causes memory to be allocated for the reply data but not the reply structure.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1368

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1522
CVE STATUS: Patched
CVE SUMMARY: The sys_add_key function in the keyring code in Linux kernel 2.6.16.1 and 2.6.17-rc1, and possibly earlier versions, allows local users to cause a denial of service (OOPS) via keyctl requests that add a key to a user key instead of a keyring key, which causes an invalid dereference in the __keyring_search_one function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1522

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1523
CVE STATUS: Patched
CVE SUMMARY: The __group_complete_signal function in the RCU signal handling (signal.c) in Linux kernel 2.6.16, and possibly other versions, has unknown impact and attack vectors related to improper use of BUG_ON.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1523

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1524
CVE STATUS: Patched
CVE SUMMARY: madvise_remove in Linux kernel 2.6.16 up to 2.6.16.6 does not follow file and mmap restrictions, which allows local users to bypass IPC permissions and replace portions of readonly tmpfs files with zeroes, aka the MADV_REMOVE vulnerability.  NOTE: this description was originally written in a way that combined two separate issues.  The mprotect issue now has a separate name, CVE-2006-2071.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1524

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1525
CVE STATUS: Patched
CVE SUMMARY: ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users to cause a denial of service (panic) via a request for a route for a multicast IP address, which triggers a null dereference.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1527
CVE STATUS: Patched
CVE SUMMARY: The SCTP-netfilter code in Linux kernel before 2.6.16.13 allows remote attackers to trigger a denial of service (infinite loop) via unknown vectors that cause an invalid SCTP chunk size to be processed by the for_each_sctp_chunk function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1527

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1528
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via a dio transfer from the sg driver to memory mapped (mmap) IO space.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1528

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1624
CVE STATUS: Patched
CVE SUMMARY: The default configuration of syslogd in the Linux sysklogd package does not enable the -x (disable name lookups) option, which allows remote attackers to cause a denial of service (traffic amplification) via messages with spoofed source IP addresses.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1624

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1855
CVE STATUS: Patched
CVE SUMMARY: choose_new_parent in Linux kernel before 2.6.11.12 includes certain debugging code, which allows local users to cause a denial of service (panic) by causing certain circumstances involving termination of a parent process.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1855

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1856
CVE STATUS: Patched
CVE SUMMARY: Certain modifications to the Linux kernel 2.6.16 and earlier do not add the appropriate Linux Security Modules (LSM) file_permission hooks to the (1) readv and (2) writev functions, which might allow attackers to bypass intended access restrictions.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1856

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1857
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1857

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1858
CVE STATUS: Patched
CVE SUMMARY: SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1859
CVE STATUS: Patched
CVE SUMMARY: Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (memory consumption) via unspecified actions related to an "uninitialised return value," aka "slab leak."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1859

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1860
CVE STATUS: Patched
CVE SUMMARY: lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (fcntl_setlease lockup) via actions that cause lease_init to free a lock that might not have been allocated on the stack.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1860

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1862
CVE STATUS: Patched
CVE SUMMARY: The virtual memory implementation in Linux kernel 2.6.x allows local users to cause a denial of service (panic) by running lsof a large number of times in a way that produces a heavy system load.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1862

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1863
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1863

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-1864
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1864

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2071
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass IPC permissions and modify a readonly attachment of shared memory by using mprotect to give write permission to the attachment.  NOTE: some original raw sources combined this issue with CVE-2006-1524, but they are different bugs.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2071

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2444
CVE STATUS: Patched
CVE SUMMARY: The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2.6.16.18 allows remote attackers to cause a denial of service (crash) via unspecified remote attack vectors that cause failures in snmp_trap_decode that trigger (1) frees of random memory or (2) frees of previously-freed memory (double-free) by snmp_trap_decode as well as its calling function, as demonstrated via certain test cases of the PROTOS SNMP test suite.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2444

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2445
CVE STATUS: Patched
CVE SUMMARY: Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.21 allows local users to cause a denial of service (BUG_ON crash) by causing one CPU to attach a timer to a process that is exiting.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2445

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2446
CVE STATUS: Patched
CVE SUMMARY: Race condition between the kfree_skb and __skb_unlink functions in the socket buffer handling in Linux kernel 2.6.9, and possibly other versions, allows remote attackers to cause a denial of service (crash), as demonstrated using the TCP stress tests from the LTP test suite.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2446

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2448
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not perform certain required access_ok checks, which allows local users to read arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of service (crash) and possibly read kernel memory on 32-bit systems (signal_32.c).
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2448

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2451
CVE STATUS: Patched
CVE SUMMARY: The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2451

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2629
CVE STATUS: Patched
CVE SUMMARY: Race condition in Linux kernel 2.6.15 to 2.6.17, when running on SMP platforms, allows local users to cause a denial of service (crash) by creating and exiting a large number of tasks, then accessing the /proc entry of a task that is exiting, which causes memory corruption that leads to a failure in the prune_dcache function or a BUG_ON error in include/linux/list.h.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2629

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2932
CVE STATUS: Unpatched
CVE SUMMARY: A regression error in the restore_all code path of the 4/4GB split support for non-hugemem Linux kernels on Red Hat Linux Desktop and Enterprise Linux 4 allows local users to cause a denial of service (panic) via unspecified vectors.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2934
CVE STATUS: Patched
CVE SUMMARY: SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to cause a denial of service (crash) via a packet without any chunks, which causes a variable to contain an invalid value that is later used to dereference a pointer.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2935
CVE STATUS: Patched
CVE SUMMARY: The dvd_read_bca function in the DVD handling code in drivers/cdrom/cdrom.c in Linux kernel 2.2.16, and later versions, assigns the wrong value to a length variable, which allows local users to execute arbitrary code via a crafted USB Storage device that triggers a buffer overflow.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2935

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-2936
CVE STATUS: Patched
CVE SUMMARY: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2936

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-3085
CVE STATUS: Patched
CVE SUMMARY: xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows attackers to cause a denial of service (infinite loop) via an SCTP chunk with a 0 length.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3085

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-3468
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.x, when using both NFS and EXT3, allows remote attackers to cause a denial of service (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), which triggers an error and causes an exported directory to be remounted read-only.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3468

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-3626
CVE STATUS: Patched
CVE SUMMARY: Race condition in Linux kernel 2.6.17.4 and earlier allows local users to gain root privileges by using prctl with PR_SET_DUMPABLE in a way that causes /proc/self/environ to become setuid root.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3626

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-3634
CVE STATUS: Patched
CVE SUMMARY: The (1) __futex_atomic_op and (2) futex_atomic_cmpxchg_inatomic functions in Linux kernel 2.6.17-rc4 to 2.6.18-rc2 perform the atomic futex operation in the kernel address space instead of the user address space, which allows local users to cause a denial of service (crash).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3634

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-3635
CVE STATUS: Patched
CVE SUMMARY: The ia64 subsystem in the Linux kernel before 2.6.26 allows local users to cause a denial of service (stack consumption and system crash) via a crafted application that leverages the mishandling of invalid Register Stack Engine (RSE) state.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3635

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-3741
CVE STATUS: Patched
CVE SUMMARY: The perfmonctl system call (sys_perfmonctl) in Linux kernel 2.4.x and 2.6 before 2.6.18, when running on Itanium systems, does not properly track the reference count for file descriptors, which allows local users to cause a denial of service (file descriptor consumption).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-3745
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in the sctp_make_abort_user function in the SCTP implementation in Linux 2.6.x before 2.6.17.10 and 2.4.23 up to 2.4.33 allows local users to cause a denial of service (panic) and possibly gain root privileges via unknown attack vectors.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3745

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4093
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.x.6 before 2.6.17.9 and 2.4.x before 2.4.33.1 on PowerPC PPC970 systems allows local users to cause a denial of service (crash) related to the "HID0 attention enable on PPC970 at boot time."
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4093

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4145
CVE STATUS: Patched
CVE SUMMARY: The Universal Disk Format (UDF) filesystem driver in Linux kernel 2.6.17 and earlier allows local users to cause a denial of service (hang and crash) via certain operations involving truncated files, as demonstrated via the dd command.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4145

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4535
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6.17.10 and 2.6.17.11 and 2.6.18-rc5 allows local users to cause a denial of service (crash) via an SCTP socket with a certain SO_LINGER value, possibly related to the patch for CVE-2006-3745.  NOTE: older kernel versions for specific Linux distributions are also affected, due to backporting of the CVE-2006-3745 patch.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4535

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4538
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.17 and earlier, when running on IA64 or SPARC platforms, allows local users to cause a denial of service (crash) via a malformed ELF file that triggers memory maps that cross region boundaries.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4538

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4572
CVE STATUS: Patched
CVE SUMMARY: ip6_tables in netfilter in the Linux kernel before 2.6.16.31 allows remote attackers to (1) bypass a rule that disallows a protocol, via a packet with the protocol header not located immediately after the fragment header, aka "ip6_tables protocol bypass bug;" and (2) bypass a rule that looks for a certain extension header, via a packet with an extension header outside the first fragment, aka "ip6_tables extension header bypass bug."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4572

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4623
CVE STATUS: Patched
CVE SUMMARY: The Unidirectional Lightweight Encapsulation (ULE) decapsulation component in dvb-core/dvb_net.c in the dvb driver in the Linux kernel 2.6.17.8 allows remote attackers to cause a denial of service (crash) via an SNDU length of 0 in a ULE packet.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4623

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4663
CVE STATUS: Patched
CVE SUMMARY: The source code tar archive of the Linux kernel 2.6.16, 2.6.17.11, and possibly other versions specifies weak permissions (0666 and 0777) for certain files and directories, which might allow local users to insert Trojan horse source code that would be used during the next kernel compilation.  NOTE: another researcher disputes the vulnerability, stating that he finds "Not a single world-writable file or directory." CVE analysis as of 20060908 indicates that permissions will only be weak under certain unusual or insecure scenarios
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4663

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4813
CVE STATUS: Patched
CVE SUMMARY: The __block_prepare_write function in fs/buffer.c for Linux kernel 2.6.x before 2.6.13 does not properly clear buffers during certain error conditions, which allows local users to read portions of files that have been unlinked.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4813

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4814
CVE STATUS: Patched
CVE SUMMARY: The mincore function in the Linux kernel before 2.4.33.6 does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4814

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-4997
CVE STATUS: Patched
CVE SUMMARY: The clip_mkip function in net/atm/clip.c of the ATM subsystem in Linux kernel allows remote attackers to cause a denial of service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (freed pointer dereference).
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5158
CVE STATUS: Patched
CVE SUMMARY: The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 7.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5158

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5173
CVE STATUS: Patched
CVE SUMMARY: Linux kernel does not properly save or restore EFLAGS during a context switch, or reset the flags when creating new threads, which allows local users to cause a denial of service (process crash), as demonstrated using a process that sets the Alignment Check flag (EFLAGS 0x40000), which triggers a SIGBUS in other processes that have an unaligned access.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5173

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5174
CVE STATUS: Patched
CVE SUMMARY: The copy_from_user function in the uaccess code in Linux kernel 2.6 before 2.6.19-rc1, when running on s390, does not properly clear a kernel buffer, which allows local user space programs to read portions of kernel memory by "appending to a file from a bad address," which triggers a fault that prevents the unused memory from being cleared in the kernel buffer.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5174

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5331
CVE STATUS: Patched
CVE SUMMARY: The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before 2.6.19 on 64-bit systems mishandles the case where CONFIG_ALTIVEC is defined and the CPU actually supports Altivec, but the Altivec support was not detected by the kernel, which allows local users to cause a denial of service (panic) by triggering execution of an Altivec instruction.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5331

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5619
CVE STATUS: Patched
CVE SUMMARY: The seqfile handling (ip6fl_get_n function in ip6_flowlabel.c) in Linux kernel 2.6 up to 2.6.18-stable allows local users to cause a denial of service (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5619

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5701
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in squashfs module in the Linux kernel 2.6.x, as used in Fedora Core 5 and possibly other distributions, allows local users to cause a denial of service by mounting a crafted squashfs filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5701

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5749
CVE STATUS: Patched
CVE SUMMARY: The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4 does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash.
CVSS v2 BASE SCORE: 1.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5749

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5751
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the get_fdb_entries function in net/bridge/br_ioctl.c in the Linux kernel before 2.6.18.4 allows local users to execute arbitrary code via a large maxnum value in an ioctl request.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5751

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5753
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in the listxattr system call in Linux kernel, when a "bad inode" is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges via unknown vectors.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5753

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5754
CVE STATUS: Patched
CVE SUMMARY: The aio_setup_ring function in Linux kernel does not properly initialize a variable, which allows local users to cause a denial of service (crash) via an unspecified error path that causes an incorrect free operation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5754

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5755
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.18, when running on x86_64 systems, does not properly save or restore EFLAGS during a context switch, which allows local users to cause a denial of service (crash) by causing SYSENTER to set an NT flag, which can trigger a crash on the IRET of the next task.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5755

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5757
CVE STATUS: Patched
CVE SUMMARY: Race condition in the __find_get_block_slow function in the ISO9660 filesystem in Linux 2.6.18 and possibly other versions allows local users to cause a denial of service (infinite loop) by mounting a crafted ISO9660 filesystem containing malformed data structures.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5757

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5823
CVE STATUS: Patched
CVE SUMMARY: The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via a malformed filesystem that uses zlib compression that triggers memory corruption, as demonstrated using cramfs.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5823

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-5871
CVE STATUS: Patched
CVE SUMMARY: smbfs in Linux kernel 2.6.8 and other versions, and 2.4.x before 2.4.34, when UNIX extensions are enabled, ignores certain mount options, which could cause clients to use server-specified uid, gid and mode settings.
CVSS v2 BASE SCORE: 4.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5871

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6053
CVE STATUS: Patched
CVE SUMMARY: The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext3 stream with malformed data structures.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6054
CVE STATUS: Patched
CVE SUMMARY: The ext2 file system code in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext2 stream with malformed data structures that triggers an error in the ext2_check_page due to a length that is smaller than the minimum.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6054

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6056
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.x up to 2.6.18 and possibly other versions, when SELinux hooks are enabled, allows local users to cause a denial of service (crash) via a malformed file stream that triggers a NULL pointer dereference in the superblock_doinit function, as demonstrated using an HFS filesystem image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6057
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6.x up to 2.6.18, and possibly other versions, on Fedora Core 6 and possibly other operating systems, allows local users to cause a denial of service (crash) via a malformed gfs2 file stream that triggers a NULL pointer dereference in the init_journal function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6057

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6058
CVE STATUS: Patched
CVE SUMMARY: The minix filesystem code in Linux kernel 2.6.x before 2.6.24, including 2.6.18, allows local users to cause a denial of service (hang) via a malformed minix file stream that triggers an infinite loop in the minix_bmap function.  NOTE: this issue might be due to an integer overflow or signedness error.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6058

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6060
CVE STATUS: Patched
CVE SUMMARY: The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly other versions, allows local users to cause a denial of service (CPU consumption) via a malformed NTFS file stream that triggers an infinite loop in the __find_get_block_slow function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6060

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6106
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the cmtp_recv_interopmsg function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel 2.4.22 up to 2.4.33.4 and 2.6.2 before 2.6.18.6, and 2.6.19.x, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via CAPI messages with a large value for the length of the (1) manu (manufacturer) or (2) serial (serial number) field.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6106

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6128
CVE STATUS: Patched
CVE SUMMARY: The ReiserFS functionality in Linux kernel 2.6.18, and possibly other versions, allows local users to cause a denial of service via a malformed ReiserFS file system that triggers memory corruption when a sync is performed.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6128

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6304
CVE STATUS: Patched
CVE SUMMARY: The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6304

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6333
CVE STATUS: Patched
CVE SUMMARY: The tr_rx function in ibmtr.c for Linux kernel 2.6.19 assigns the wrong flag to the ip_summed field, which allows remote attackers to cause a denial of service (memory corruption) via crafted packets that cause the kernel to interpret another field as an offset.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6333

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6535
CVE STATUS: Patched
CVE SUMMARY: The dev_queue_xmit function in Linux kernel 2.6 can fail before calling the local_bh_disable function, which could lead to data corruption and "node lockups."  NOTE: it is not clear whether this issue is exploitable.
CVSS v2 BASE SCORE: 9.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6535

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-6921
CVE STATUS: Patched
CVE SUMMARY: Unspecified versions of the Linux kernel allow local users to cause a denial of service (unrecoverable zombie process) via a program with certain instructions that prevent init from properly reaping a child whose parent has died.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6921

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-7051
CVE STATUS: Patched
CVE SUMMARY: The sys_timer_create function in posix-timers.c for Linux kernel 2.6.x allows local users to cause a denial of service (memory consumption) and possibly bypass memory limits or cause other processes to be killed by creating a large number of posix timers, which are allocated in kernel memory but are not treated as part of the process' memory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7051

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-7203
CVE STATUS: Patched
CVE SUMMARY: The compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20 and earlier allows local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode ("mount -t smbfs").
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7203

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2006-7229
CVE STATUS: Patched
CVE SUMMARY: The skge driver 1.5 in Linux kernel 2.6.15 on Ubuntu does not properly use the spin_lock and spin_unlock functions, which allows remote attackers to cause a denial of service (machine crash) via a flood of network traffic.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7229

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-0006
CVE STATUS: Patched
CVE SUMMARY: The key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as "spinlock CPU recursion."
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-0771
CVE STATUS: Patched
CVE SUMMARY: The utrace support in Linux kernel 2.6.18, and other versions, allows local users to cause a denial of service (system hang) related to "MT exec + utrace_attach spin failure mode," as demonstrated by ptrace-thrash.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0771

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-0772
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6.13 and other versions before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0772

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-0822
CVE STATUS: Patched
CVE SUMMARY: umount, when running with the Linux 2.6.15 kernel on Slackware Linux 10.2, allows local users to trigger a NULL dereference and application crash by invoking the program with a pathname for a USB pen drive that was mounted and then physically removed, which might allow the users to obtain sensitive information, including core file contents.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0822

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-0958
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0958

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-0997
CVE STATUS: Patched
CVE SUMMARY: Race condition in the tee (sys_tee) system call in the Linux kernel 2.6.17 through 2.6.17.6 might allow local users to cause a denial of service (system crash), obtain sensitive information (kernel memory contents), or gain privileges via unspecified vectors related to a potentially dropped ipipe lock during a race between two pipe readers.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1000
CVE STATUS: Patched
CVE SUMMARY: The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1000

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1217
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1217

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1353
CVE STATUS: Patched
CVE SUMMARY: The setsockopt function in the L2CAP and HCI Bluetooth support in the Linux kernel before 2.4.34.3 allows context-dependent attackers to read kernel memory and obtain sensitive information via unspecified vectors involving the copy_from_user function accessing an uninitialized stack buffer.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1353

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1357
CVE STATUS: Patched
CVE SUMMARY: The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before 2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of service (crash) via an AppleTalk frame that is shorter than the specified length, which triggers a BUG_ON call when an attempt is made to perform a checksum.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1357

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1388
CVE STATUS: Patched
CVE SUMMARY: The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1388

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1496
CVE STATUS: Patched
CVE SUMMARY: nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using "multiple packets per netlink message", and (3) bridged packets, which trigger a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1496

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1497
CVE STATUS: Patched
CVE SUMMARY: nf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1497

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1592
CVE STATUS: Patched
CVE SUMMARY: net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1592

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1730
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later allows local users to read kernel memory or cause a denial of service (oops) via a negative optlen value.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1730

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1734
CVE STATUS: Patched
CVE SUMMARY: The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1734

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-1861
CVE STATUS: Patched
CVE SUMMARY: The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel before 2.6.20.8 allows attackers to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1861

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-2172
CVE STATUS: Patched
CVE SUMMARY: A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an "out of bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2) fib_props (fib_semantics.c, IPv4) functions.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2172

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-2451
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in drivers/crypto/geode-aes.c in GEODE-AES in the Linux kernel before 2.6.21.3 allows attackers to obtain sensitive information via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2451

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-2453
CVE STATUS: Patched
CVE SUMMARY: The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, (1) does not properly seed pools when there is no entropy, or (2) uses an incorrect cast when extracting entropy, which might cause the random number generator to provide the same values after reboots on systems without an entropy source.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2453

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-2480
CVE STATUS: Patched
CVE SUMMARY: The _udp_lib_get_port function in net/ipv4/udp.c in Linux kernel 2.6.21 and earlier does not prevent a bind to a port with a local address when there is already a bind to that port with a wildcard local address, which might allow local users to intercept local traffic for daemons or other applications.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2480

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-2525
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel before 2.6.21-git8 allows local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-2764
CVE STATUS: Unpatched
CVE SUMMARY: The embedded Linux kernel in certain Sun-Brocade SilkWorm switches before 20070516 does not properly handle a situation in which a non-root user creates a kernel process, which allows attackers to cause a denial of service (oops and device reboot) via unspecified vectors.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2764

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-2875
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the cpuset_tasks_read function in the Linux kernel before 2.6.20.13, and 2.6.21.x before 2.6.21.4, when the cpuset filesystem is mounted, allows local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2875

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-2876
CVE STATUS: Patched
CVE SUMMARY: The sctp_new function in (1) ip_conntrack_proto_sctp.c and (2) nf_conntrack_proto_sctp.c in Netfilter in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, allows remote attackers to cause a denial of service by causing certain invalid states that trigger a NULL pointer dereference.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2876

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-2878
CVE STATUS: Patched
CVE SUMMARY: The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run on a 64-bit system, allow local users to corrupt a kernel_dirent struct and cause a denial of service (system crash) via unknown vectors.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2878

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3104
CVE STATUS: Patched
CVE SUMMARY: The sysfs_readdir function in the Linux kernel 2.6, as used in Red Hat Enterprise Linux (RHEL) 4.5 and other distributions, allows users to cause a denial of service (kernel OOPS) by dereferencing a null pointer to an inode in a dentry.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3104

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3105
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving "bound check ordering".  NOTE: this issue might only cross privilege boundaries in environments that have granular assignment of privileges for root.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3105

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3107
CVE STATUS: Patched
CVE SUMMARY: The signal handling in the Linux kernel before 2.6.22, including 2.6.2, when running on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency, related to clearing of MSR bits.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3107

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3380
CVE STATUS: Patched
CVE SUMMARY: The Distributed Lock Manager (DLM) in the cluster manager for Linux kernel 2.6.15 allows remote attackers to cause a denial of service (loss of lock services) by connecting to the DLM port, which probably prevents other processes from accessing the service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3380

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3513
CVE STATUS: Patched
CVE SUMMARY: The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel before 2.6.22-rc7 does not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3513

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3642
CVE STATUS: Patched
CVE SUMMARY: The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c in the Linux kernel before 2.6.20.15, 2.6.21.x before 2.6.21.6, and before 2.6.22 allows remote attackers to cause a denial of service (crash) via an encoded, out-of-range index value for a choice field, which triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3642

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3719
CVE STATUS: Patched
CVE SUMMARY: The process scheduler in the Linux kernel 2.6.16 gives preference to "interactive" processes that perform voluntary sleeps, which allows local users to cause a denial of service (CPU consumption), as described in "Secretly Monopolizing the CPU Without Superuser Privileges."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3719

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3720
CVE STATUS: Patched
CVE SUMMARY: The process scheduler in the Linux kernel 2.4 performs scheduling based on CPU billing gathered from periodic process sampling ticks, which allows local users to cause a denial of service (CPU consumption) by performing voluntary nanosecond sleeps that result in the process not being active during a clock interrupt, as described in "Secretly Monopolizing the CPU Without Superuser Privileges."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3720

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3731
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6.20 and 2.6.21 does not properly handle an invalid LDT segment selector in %cs (the xcs field) during ptrace single-step operations, which allows local users to cause a denial of service (NULL dereference and OOPS) via certain code that makes ptrace PTRACE_SETREGS and PTRACE_SINGLESTEP requests, related to the TRACE_IRQS_ON function, and possibly related to the arch_ptrace function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3731

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3732
CVE STATUS: Patched
CVE SUMMARY: In Linux 2.6 before 2.6.23, the TRACE_IRQS_ON function in iret_exc calls a C function without ensuring that the segments are set properly. The kernel's %fs needs to be restored before the call in TRACE_IRQS_ON and before enabling interrupts, so that "current" references work. Without this, "current" used in the window between iret_exc and the middle of error_code where %fs is reset, would crash.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3732

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3740
CVE STATUS: Patched
CVE SUMMARY: The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3740

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3843
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.23-rc1 checks the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3843

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3848
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3850
CVE STATUS: Patched
CVE SUMMARY: The eHCA driver in Linux kernel 2.6 before 2.6.22, when running on PowerPC, does not properly map userspace resources, which allows local users to read portions of physical address space.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-3851
CVE STATUS: Patched
CVE SUMMARY: The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer.
CVSS v2 BASE SCORE: 6.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3851

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-4133
CVE STATUS: Patched
CVE SUMMARY: The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4133

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-4311
CVE STATUS: Patched
CVE SUMMARY: The xfer_secondary_pool function in drivers/char/random.c in the Linux kernel 2.4 before 2.4.35 performs reseed operations on only the first few bytes of a buffer, which might make it easier for attackers to predict the output of the random number generator, related to incorrect use of the sizeof operator.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4311

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-4567
CVE STATUS: Patched
CVE SUMMARY: The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.22 does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted IPv6 packet.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4567

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-4571
CVE STATUS: Patched
CVE SUMMARY: The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4571

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-4573
CVE STATUS: Patched
CVE SUMMARY: The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4573

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-4774
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.4.36-rc1 has a race condition. It was possible to bypass systrace policies by flooding the ptraced process with SIGCONT signals, which can can wake up a PTRACED process.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4774

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-4997
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an "off-by-two error."
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-4998
CVE STATUS: Unpatched
CVE SUMMARY: cp, when running with an option to preserve symlinks on multiple OSes, allows local, user-assisted attackers to overwrite arbitrary files via a symlink attack using crafted directories containing multiple source files that are copied to the same destination.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4998

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-5087
CVE STATUS: Patched
CVE SUMMARY: The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is enabled, allows local users to cause a denial of service (kernel panic) by reading /proc/net/atm/arp before the CLIP module has been loaded.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5087

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-5093
CVE STATUS: Patched
CVE SUMMARY: The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 "relies on user space to close the device," which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked.  NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5093

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-5498
CVE STATUS: Patched
CVE SUMMARY: The Xen hypervisor block backend driver for Linux kernel 2.6.18, when running on a 64-bit host with a 32-bit paravirtualized guest, allows local privileged users in the guest OS to cause a denial of service (host OS crash) via a request that specifies a large number of blocks.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5498

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-5500
CVE STATUS: Patched
CVE SUMMARY: The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5500

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-5501
CVE STATUS: Patched
CVE SUMMARY: The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux kernel 2.6.21 through 2.6.23.7, and 2.6.24-rc through 2.6.24-rc2, allows remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5501

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-5904
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-5966
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5966

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6063
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6063

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6151
CVE STATUS: Patched
CVE SUMMARY: The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows local users to cause a denial of service via a crafted ioctl struct in which iocts is not null terminated, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6151

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6206
CVE STATUS: Patched
CVE SUMMARY: The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6206

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6417
CVE STATUS: Patched
CVE SUMMARY: The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances related to tmpfs, which might allow local users to read sensitive kernel data or cause a denial of service (crash).
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6417

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6434
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.23 allows local users to create low pages in virtual userspace memory and bypass mmap_min_addr protection via a crafted executable file that calls the do_brk function.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6434

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6694
CVE STATUS: Patched
CVE SUMMARY: The chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21 through 2.6.18-53, when running on PowerPC, might allow local users to cause a denial of service (crash) via unknown vectors that cause the of_get_property function to fail, which triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6694

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6712
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the hrtimer_forward function (hrtimer.c) in Linux kernel 2.6.21-rc4, when running on 64-bit systems, allows local users to cause a denial of service (infinite loop) via a timer with a large expiry value, which causes the timer to always be expired.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6712

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6716
CVE STATUS: Patched
CVE SUMMARY: fs/direct-io.c in the dio subsystem in the Linux kernel before 2.6.23 does not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6716

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6733
CVE STATUS: Patched
CVE SUMMARY: The nfs_lock function in fs/nfs/file.c in the Linux kernel 2.6.9 does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on an NFS filesystem and then changing this file's permissions, a related issue to CVE-2010-0727.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6733

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6761
CVE STATUS: Patched
CVE SUMMARY: drivers/media/video/videobuf-vmalloc.c in the Linux kernel before 2.6.24 does not initialize videobuf_mapping data structures, which allows local users to trigger an incorrect count value and videobuf leak via unspecified vectors, a different vulnerability than CVE-2010-5321.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6761

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2007-6762
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 2.6.20, there is an off-by-one bug in net/netlabel/netlabel_cipso_v4.c where it is possible to overflow the doi_def->tags[] array.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6762

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-0001
CVE STATUS: Patched
CVE SUMMARY: VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-0007
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0007

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-0009
CVE STATUS: Patched
CVE SUMMARY: The vmsplice_to_user function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which might allow local users to access arbitrary kernel memory locations.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0009

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-0010
CVE STATUS: Patched
CVE SUMMARY: The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allow local users to read from arbitrary kernel memory locations.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0010

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-0163
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6, when using vservers, allows local users to access resources of other vservers via a symlink attack in /proc.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0163

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-0352
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a denial of service (panic) via a certain IPv6 packet, possibly involving the Jumbo Payload hop-by-hop option (jumbogram).
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0352

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-0598
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in the 32-bit and 64-bit emulation in the Linux kernel 2.6.9, 2.6.18, and probably other versions allows local users to read uninitialized memory via unknown vectors involving a crafted binary.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0598

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-0600
CVE STATUS: Patched
CVE SUMMARY: The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0600

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-1294
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1294

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-1375
CVE STATUS: Patched
CVE SUMMARY: Race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1375

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-1514
CVE STATUS: Patched
CVE SUMMARY: arch/s390/kernel/ptrace.c in Linux kernel 2.6.9, and other versions before 2.6.27-rc6, on s390 platforms allows local users to cause a denial of service (kernel panic) via the user-area-padding test from the ptrace testsuite in 31-bit mode, which triggers an invalid dereference.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1514

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-1669
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain "re-ordered access to the descriptor table."
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1669

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-1673
CVE STATUS: Patched
CVE SUMMARY: The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules; and (b) the gxsnmp package; does not properly validate length values during decoding of ASN.1 BER data, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a length greater than the working buffer, which can lead to an unspecified overflow; (2) an oid length of zero, which can lead to an off-by-one error; or (3) an indefinite length for a primitive encoding.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1673

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-1675
CVE STATUS: Patched
CVE SUMMARY: The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in Linux kernel 2.6.x before 2.6.25.1 does not properly check certain information related to register size, which has unspecified impact and local attack vectors, probably related to reading or writing kernel memory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1675

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2136
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions, and management of an skb reference count.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2136

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2137
CVE STATUS: Patched
CVE SUMMARY: The (1) sparc_mmap_check function in arch/sparc/kernel/sys_sparc.c and the (2) sparc64_mmap_check function in arch/sparc64/kernel/sys_sparc.c, in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3, omit some virtual-address range (aka span) checks when the mmap MAP_FIXED bit is not set, which allows local users to cause a denial of service (panic) via unspecified mmap calls.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2137

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2148
CVE STATUS: Patched
CVE SUMMARY: The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2148

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2358
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the dccp_feat_change function in net/dccp/feat.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and 2.6.17 through 2.6.20, allows local users to gain privileges via an invalid feature length, which leads to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2358

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2365
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ptrace and utrace support in the Linux kernel 2.6.9 through 2.6.25, as used in Red Hat Enterprise Linux (RHEL) 4, allows local users to cause a denial of service (oops) via a long series of PTRACE_ATTACH ptrace calls to another user's process that trigger a conflict between utrace_detach and report_quiescent, related to "late ptrace_may_attach() check" and "race around &dead_engine_ops setting," a different vulnerability than CVE-2007-0771 and CVE-2008-1514.  NOTE: this issue might only affect kernel versions before 2.6.16.x.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2365

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2372
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6.24 and 2.6.25 before 2.6.25.9 allows local users to cause a denial of service (memory consumption) via a large number of calls to the get_user_pages function, which lacks a ZERO_PAGE optimization and results in allocation of "useless newly zeroed pages."
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2372

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2544
CVE STATUS: Unpatched
CVE SUMMARY: Mounting /proc filesystem via chroot command silently mounts it in read-write mode. The user could bypass the chroot environment and gain write access to files, he would never have otherwise.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2544

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2729
CVE STATUS: Patched
CVE SUMMARY: arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on some AMD64 systems does not erase destination memory locations after an exception during kernel memory copy, which allows local users to obtain sensitive information.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2729

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2750
CVE STATUS: Patched
CVE SUMMARY: The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux kernel 2.6 before 2.6.26-rc6 allows remote attackers to cause a denial of service (kernel heap memory corruption and system crash) and possibly have unspecified other impact via a crafted PPPOL2TP packet that results in a large value for a certain length variable.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2750

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2812
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2812

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2826
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the sctp_getsockopt_local_addrs_old function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) functionality in the Linux kernel before 2.6.25.9 allows local users to cause a denial of service (resource consumption and system outage) via vectors involving a large addr_num field in an sctp_getaddrs_old data structure.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2826

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2931
CVE STATUS: Patched
CVE SUMMARY: The do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2931

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-2944
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the utrace support in the Linux kernel, probably 2.6.18, in Red Hat Enterprise Linux (RHEL) 5 and Fedora Core 6 (FC6) allows local users to cause a denial of service (oops), as demonstrated by a crash when running the GNU GDB testsuite, a different vulnerability than CVE-2008-2365.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2944

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3077
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kernel/ptrace.c in the Linux kernel before 2.6.25.10 on the x86_64 platform leaks task_struct references into the sys32_ptrace function, which allows local users to cause a denial of service (system crash) or have unspecified other impact via unknown vectors, possibly a use-after-free vulnerability.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3247
CVE STATUS: Patched
CVE SUMMARY: The LDT implementation in the Linux kernel 2.6.25.x before 2.6.25.11 on x86_64 platforms uses an incorrect size for ldt_desc, which allows local users to cause a denial of service (system crash) or possibly gain privileges via unspecified vectors.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3247

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3272
CVE STATUS: Patched
CVE SUMMARY: The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3272

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3275
CVE STATUS: Patched
CVE SUMMARY: The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation in the Linux kernel before 2.6.25.15 do not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allows local users to cause a denial of service ("overflow" of the UBIFS orphan area) via a series of attempted file creations within deleted directories.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3275

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3276
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3276

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3496
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in format descriptor parsing in the uvc_parse_format function in drivers/media/video/uvc/uvc_driver.c in uvcvideo in the video4linux (V4L) implementation in the Linux kernel before 2.6.26.1 has unknown impact and attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3496

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3525
CVE STATUS: Patched
CVE SUMMARY: The sbni_ioctl function in drivers/net/wan/sbni.c in the wan subsystem in the Linux kernel 2.6.26.3 does not check for the CAP_NET_ADMIN capability before processing a (1) SIOCDEVRESINSTATS, (2) SIOCDEVSHWSTATE, (3) SIOCDEVENSLAVE, or (4) SIOCDEVEMANSIPATE ioctl request, which allows local users to bypass intended capability restrictions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3526
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the sctp_setsockopt_auth_key function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel 2.6.24-rc1 through 2.6.26.3 allows remote attackers to cause a denial of service (panic) or possibly have unspecified other impact via a crafted sca_keylength field associated with the SCTP_AUTH_KEY option.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3526

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3527
CVE STATUS: Patched
CVE SUMMARY: arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDSO) implementation in the Linux kernel before 2.6.21 does not properly check boundaries, which allows local users to gain privileges or cause a denial of service via unspecified vectors, related to the install_special_mapping, syscall, and syscall32_nopage functions.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3527

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3528
CVE STATUS: Patched
CVE SUMMARY: The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations.  NOTE: there are limited scenarios in which this crosses privilege boundaries.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3528

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3534
CVE STATUS: Patched
CVE SUMMARY: The shmem_delete_inode function in mm/shmem.c in the tmpfs implementation in the Linux kernel before 2.6.26.1 allows local users to cause a denial of service (system crash) via a certain sequence of file create, remove, and overwrite operations, as demonstrated by the insserv program, related to allocation of "useless pages" and improper maintenance of the i_blocks count.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3534

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3535
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the iov_iter_advance function in mm/filemap.c in the Linux kernel before 2.6.27-rc2 allows local users to cause a denial of service (system crash) via a certain sequence of file I/O operations with readv and writev, as demonstrated by testcases/kernel/fs/ftest/ftest03 from the Linux Test Project.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3535

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3686
CVE STATUS: Patched
CVE SUMMARY: The rt6_fill_node function in net/ipv6/route.c in Linux kernel 2.6.26-rc4, 2.6.26.2, and possibly other 2.6.26 versions, allows local users to cause a denial of service (kernel OOPS) via IPv6 requests when no IPv6 input device is in use, which triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3686

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3792
CVE STATUS: Patched
CVE SUMMARY: net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4 does not verify that the SCTP-AUTH extension is enabled before proceeding with SCTP-AUTH API functions, which allows attackers to cause a denial of service (NULL pointer dereference and panic) via vectors that result in calls to (1) sctp_setsockopt_auth_chunk, (2) sctp_setsockopt_hmac_ident, (3) sctp_setsockopt_auth_key, (4) sctp_setsockopt_active_key, (5) sctp_setsockopt_del_key, (6) sctp_getsockopt_maxburst, (7) sctp_getsockopt_active_key, (8) sctp_getsockopt_peer_auth_chunks, or (9) sctp_getsockopt_local_auth_chunks.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3792

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3831
CVE STATUS: Patched
CVE SUMMARY: The i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel 2.6.24 on Debian GNU/Linux and (2) sys/dev/pci/drm/i915_drv.c in OpenBSD does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3831

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3833
CVE STATUS: Patched
CVE SUMMARY: The generic_file_splice_write function in fs/splice.c in the Linux kernel before 2.6.19 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory, a different vulnerability than CVE-2008-4210.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3833

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3911
CVE STATUS: Patched
CVE SUMMARY: The proc_do_xprt function in net/sunrpc/sysctl.c in the Linux kernel 2.6.26.3 does not check the length of a certain buffer obtained from userspace, which allows local users to overflow a stack-based buffer and have unspecified other impact via a crafted read system call for the /proc/sys/sunrpc/transports file.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-3915
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in nfsd in the Linux kernel before 2.6.26.4, when NFSv4 is enabled, allows remote attackers to have an unknown impact via vectors related to decoding an NFSv4 acl.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3915

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4113
CVE STATUS: Patched
CVE SUMMARY: The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an untrusted length value to limit copying of data from kernel memory, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4113

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4210
CVE STATUS: Patched
CVE SUMMARY: fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4210

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4302
CVE STATUS: Patched
CVE SUMMARY: fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4302

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4307
CVE STATUS: Patched
CVE SUMMARY: Race condition in the do_setlk function in fs/nfs/file.c in the Linux kernel before 2.6.26 allows local users to cause a denial of service (crash) via vectors resulting in an interrupted RPC call that leads to a stray FL_POSIX lock, related to improper handling of a race between fcntl and close in the EINTR case.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4307

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4395
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the ndiswrapper module 1.53 for the Linux kernel 2.6 allow remote attackers to execute arbitrary code by sending packets over a local wireless network that specify long ESSIDs.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4395

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4410
CVE STATUS: Patched
CVE SUMMARY: The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4410

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4445
CVE STATUS: Patched
CVE SUMMARY: The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not verify that the identifier index is within the bounds established by SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function, a different vulnerability than CVE-2008-4113.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4445

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4554
CVE STATUS: Patched
CVE SUMMARY: The do_splice_from function in fs/splice.c in the Linux kernel before 2.6.27 does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4554

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4576
CVE STATUS: Patched
CVE SUMMARY: sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4576

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4609
CVE STATUS: Unpatched
CVE SUMMARY: The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4609

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4618
CVE STATUS: Patched
CVE SUMMARY: The Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.27 does not properly handle a protocol violation in which a parameter has an invalid length, which allows attackers to cause a denial of service (panic) via unspecified vectors, related to sctp_sf_violation_paramlen, sctp_sf_abort_violation, sctp_make_abort_violation, and incorrect data types in function calls.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4618

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4933
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4933

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-4934
CVE STATUS: Patched
CVE SUMMARY: The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5025
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5025

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5029
CVE STATUS: Patched
CVE SUMMARY: The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5029

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5033
CVE STATUS: Patched
CVE SUMMARY: The chip_command function in drivers/media/video/tvaudio.c in the Linux kernel 2.6.25.x before 2.6.25.19, 2.6.26.x before 2.6.26.7, and 2.6.27.x before 2.6.27.3 allows attackers to cause a denial of service (NULL function pointer dereference and OOPS) via unknown vectors.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5033

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5079
CVE STATUS: Patched
CVE SUMMARY: net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5134
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the lbs_process_bss function in drivers/net/wireless/libertas/scan.c in the libertas subsystem in the Linux kernel before 2.6.27.5 allows remote attackers to have an unknown impact via an "invalid beacon/probe response."
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5134

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5182
CVE STATUS: Patched
CVE SUMMARY: The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5182

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5300
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5300

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5395
CVE STATUS: Patched
CVE SUMMARY: The parisc_show_stack function in arch/parisc/kernel/traps.c in the Linux kernel before 2.6.28-rc7 on PA-RISC allows local users to cause a denial of service (system crash) via vectors associated with an attempt to unwind a stack that contains userspace addresses.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5395

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5700
CVE STATUS: Patched
CVE SUMMARY: libata in the Linux kernel before 2.6.27.9 does not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5700

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5701
CVE STATUS: Patched
CVE SUMMARY: Array index error in arch/mips/kernel/scall64-o32.S in the Linux kernel before 2.6.28-rc8 on 64-bit MIPS platforms allows local users to cause a denial of service (system crash) via an o32 syscall with a small syscall number, which leads to an attempted read operation outside the bounds of the syscall table.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5701

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5702
CVE STATUS: Patched
CVE SUMMARY: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel before 2.6.28-rc1 might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5702

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-5713
CVE STATUS: Patched
CVE SUMMARY: The __qdisc_run function in net/sched/sch_generic.c in the Linux kernel before 2.6.25 on SMP machines allows local users to cause a denial of service (soft lockup) by sending a large amount of network traffic, as demonstrated by multiple simultaneous invocations of the Netperf benchmark application in UDP_STREAM mode.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5713

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-6107
CVE STATUS: Patched
CVE SUMMARY: The (1) sys32_mremap function in arch/sparc64/kernel/sys_sparc32.c, the (2) sparc_mmap_check function in arch/sparc/kernel/sys_sparc.c, and the (3) sparc64_mmap_check function in arch/sparc64/kernel/sys_sparc.c, in the Linux kernel before 2.6.25.4, omit some virtual-address range (aka span) checks when the mremap MREMAP_FIXED bit is not set, which allows local users to cause a denial of service (panic) via unspecified mremap calls, a related issue to CVE-2008-2137.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6107

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-7256
CVE STATUS: Patched
CVE SUMMARY: mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcommit is enabled and CONFIG_SECURITY is disabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1643.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-7256

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2008-7316
CVE STATUS: Patched
CVE SUMMARY: mm/filemap.c in the Linux kernel before 2.6.25 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers an iovec of zero length, followed by a page fault for an iovec of nonzero length.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-7316

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0024
CVE STATUS: Patched
CVE SUMMARY: The sys_remap_file_pages function in mm/fremap.c in the Linux kernel before 2.6.24.1 allows local users to cause a denial of service or gain privileges via unspecified vectors, related to the vm_file structure member, and the mmap_region and do_munmap functions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0024

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0028
CVE STATUS: Patched
CVE SUMMARY: The clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0028

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0029
CVE STATUS: Patched
CVE SUMMARY: The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly sign extended when sent from a user-mode application, but cannot verify this, which allows local users to cause a denial of service (crash) or possibly gain privileges via a crafted system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0029

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0031
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the keyctl_join_session_keyring function (security/keys/keyctl.c) in Linux kernel 2.6.29-rc2 and earlier allows local users to cause a denial of service (kernel memory consumption) via unknown vectors related to a "missing kfree."
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0031

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0065
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0065

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0269
CVE STATUS: Patched
CVE SUMMARY: fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0269

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0322
CVE STATUS: Patched
CVE SUMMARY: drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and 2.6.28.x before 2.6.28.2, allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0322

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0605
CVE STATUS: Patched
CVE SUMMARY: Stack consumption vulnerability in the do_page_fault function in arch/x86/mm/fault.c in the Linux kernel before 2.6.28.5 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via unspecified vectors that trigger page faults on a machine that has a registered Kprobes probe.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0605

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0675
CVE STATUS: Patched
CVE SUMMARY: The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an "inverted logic" issue.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0675

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0676
CVE STATUS: Patched
CVE SUMMARY: The sock_getsockopt function in net/core/sock.c in the Linux kernel before 2.6.28.6 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0676

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0745
CVE STATUS: Patched
CVE SUMMARY: The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs) operation, which might allow local users to cause a denial of service (OOPS) by arranging for crafted values to be present in available memory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0745

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0746
CVE STATUS: Patched
CVE SUMMARY: The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0746

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0747
CVE STATUS: Patched
CVE SUMMARY: The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0747

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0748
CVE STATUS: Patched
CVE SUMMARY: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate the superblock configuration, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) by attempting to mount a crafted ext4 filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0748

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0778
CVE STATUS: Patched
CVE SUMMARY: The icmp_send function in net/ipv4/icmp.c in the Linux kernel before 2.6.25, when configured as a router with a REJECT route, does not properly manage the Protocol Independent Destination Cache (aka DST) in some situations involving transmission of an ICMP Host Unreachable message, which allows remote attackers to cause a denial of service (connectivity outage) by sending a large series of packets to many destination IP addresses within this REJECT route, related to an "rt_cache leak."
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0778

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0787
CVE STATUS: Patched
CVE SUMMARY: The ecryptfs_write_metadata_to_contents function in the eCryptfs functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an incorrect size when writing kernel memory to an eCryptfs file header, which triggers an out-of-bounds read and allows local users to obtain portions of kernel memory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0787

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0834
CVE STATUS: Patched
CVE SUMMARY: The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0834

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0835
CVE STATUS: Patched
CVE SUMMARY: The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod, a related issue to CVE-2009-0342 and CVE-2009-0343.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0835

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0859
CVE STATUS: Patched
CVE SUMMARY: The shm_get_stat function in ipc/shm.c in the shm subsystem in the Linux kernel before 2.6.28.5, when CONFIG_SHMEM is disabled, misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang) via an SHM_INFO shmctl call, as demonstrated by running the ipcs program.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0859

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-0935
CVE STATUS: Patched
CVE SUMMARY: The inotify_read function in the Linux kernel 2.6.27 to 2.6.27.13, 2.6.28 to 2.6.28.2, and 2.6.29-rc3 allows local users to cause a denial of service (OOPS) via a read with an invalid address to an inotify instance, which causes the device's event list mutex to be unlocked twice and prevents proper synchronization of a data structure for the inotify instance.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0935

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1046
CVE STATUS: Patched
CVE SUMMARY: The console selection feature in the Linux kernel 2.6.28 before 2.6.28.4, 2.6.25, and possibly earlier versions, when the UTF-8 console is used, allows physically proximate attackers to cause a denial of service (memory corruption) by selecting a small number of 3-byte UTF-8 characters, which triggers an "off-by-two memory error." NOTE: it is not clear whether this issue crosses privilege boundaries.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1046

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1072
CVE STATUS: Patched
CVE SUMMARY: nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:C/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1072

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1184
CVE STATUS: Patched
CVE SUMMARY: The selinux_ip_postroute_iptables_compat function in security/selinux/hooks.c in the SELinux subsystem in the Linux kernel before 2.6.27.22, and 2.6.28.x before 2.6.28.10, when compat_net is enabled, omits calls to avc_has_perm for the (1) node and (2) port, which allows local users to bypass intended restrictions on network traffic.  NOTE: this was incorrectly reported as an issue fixed in 2.6.27.21.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1184

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1192
CVE STATUS: Patched
CVE SUMMARY: The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel before 2.6.30-rc3 do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1192

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1242
CVE STATUS: Patched
CVE SUMMARY: The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX implementation in the KVM subsystem in the Linux kernel before 2.6.29.1 on the i386 platform allows guest OS users to cause a denial of service (OOPS) by setting the EFER_LME (aka "Long mode enable") bit in the Extended Feature Enable Register (EFER) model-specific register, which is specific to the x86_64 platform.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1242

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1243
CVE STATUS: Patched
CVE SUMMARY: net/ipv4/udp.c in the Linux kernel before 2.6.29.1 performs an unlocking step in certain incorrect circumstances, which allows local users to cause a denial of service (panic) by reading zero bytes from the /proc/net/udp file and unspecified other files, related to the "udp seq_file infrastructure."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1243

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1265
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel 2.6.24.4, and other versions before 2.6.30-rc1, might allow remote attackers to obtain sensitive information via a large length value, which causes "garbage" memory to be sent.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1265

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1298
CVE STATUS: Patched
CVE SUMMARY: The ip_frag_reasm function in net/ipv4/ip_fragment.c in the Linux kernel 2.6.32-rc8, and 2.6.29 and later versions before 2.6.32, calls IP_INC_STATS_BH with an incorrect argument, which allows remote attackers to cause a denial of service (NULL pointer dereference and hang) via long IP packets, possibly related to the ip_defrag function.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1298

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1336
CVE STATUS: Patched
CVE SUMMARY: fs/nfs/client.c in the Linux kernel before 2.6.23 does not properly initialize a certain structure member that stores the maximum NFS filename length, which allows local users to cause a denial of service (OOPS) via a long filename, related to the encode_lookup function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1336

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1337
CVE STATUS: Patched
CVE SUMMARY: The exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1337

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1338
CVE STATUS: Patched
CVE SUMMARY: The kill_something_info function in kernel/signal.c in the Linux kernel before 2.6.28 does not consider PID namespaces when processing signals directed to PID -1, which allows local users to bypass the intended namespace isolation, and send arbitrary signals to all processes in all namespaces, via a kill command.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1338

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1360
CVE STATUS: Patched
CVE SUMMARY: The __inet6_check_established function in net/ipv6/inet6_hashtables.c in the Linux kernel before 2.6.29, when Network Namespace Support (aka NET_NS) is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via vectors involving IPv6 packets.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1360

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1385
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1385

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1388
CVE STATUS: Patched
CVE SUMMARY: The ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.18 does not properly handle simultaneous execution of the do_coredump function, which allows local users to cause a denial of service (deadlock) via vectors involving the ptrace system call and a coredumping thread.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1388

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1389
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the Linux kernel before 2.6.30 allows remote attackers to cause a denial of service (kernel memory corruption and crash) via a long packet.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1389

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1439
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1439

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1527
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ptrace_attach function in kernel/ptrace.c in the Linux kernel before 2.6.30-rc4 allows local users to gain privileges via a PTRACE_ATTACH ptrace call during an exec system call that is launching a setuid application, related to locking an incorrect cred_exec_mutex object.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1527

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1630
CVE STATUS: Patched
CVE SUMMARY: The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1630

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1633
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1633

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1883
CVE STATUS: Patched
CVE SUMMARY: The z90crypt_unlocked_ioctl function in the z90crypt driver in the Linux kernel 2.6.9 does not perform a capability check for the Z90QUIESCE operation, which allows local users to leverage euid 0 privileges to force a driver outage.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1883

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1895
CVE STATUS: Patched
CVE SUMMARY: The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1897
CVE STATUS: Patched
CVE SUMMARY: The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1897

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1914
CVE STATUS: Patched
CVE SUMMARY: The pci_register_iommu_region function in arch/sparc/kernel/pci_common.c in the Linux kernel before 2.6.29 on the sparc64 platform allows local users to cause a denial of service (system crash) by reading the /proc/iomem file, related to uninitialized pointers and the request_resource function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-1961
CVE STATUS: Patched
CVE SUMMARY: The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2.6.30 before 2.6.30-rc3, 2.6.27 before 2.6.27.24, 2.6.29 before 2.6.29.4, and possibly other versions down to 2.6.19 allows local users to cause a denial of service (prevention of file creation and removal) via a series of splice system calls that trigger a deadlock between the generic_file_splice_write, splice_from_pipe, and ocfs2_file_splice_write functions.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1961

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2287
CVE STATUS: Patched
CVE SUMMARY: The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2287

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2406
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2406

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2407
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2407

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2584
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the options_write function in drivers/misc/sgi-gru/gruprocfs.c in the SGI GRU driver in the Linux kernel 2.6.30.2 and earlier on ia64 and x86 platforms might allow local users to overwrite arbitrary memory locations and gain privileges via a crafted count argument, which triggers a stack-based buffer overflow.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2584

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2691
CVE STATUS: Patched
CVE SUMMARY: The mm_for_maps function in fs/proc/base.c in the Linux kernel 2.6.30.4 and earlier allows local users to read (1) maps and (2) smaps files under proc/ via vectors related to ELF loading, a setuid process, and a race condition.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2691

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2692
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2692

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2695
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2695

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2698
CVE STATUS: Patched
CVE SUMMARY: The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2698

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2767
CVE STATUS: Patched
CVE SUMMARY: The init_posix_timers function in kernel/posix-timers.c in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (OOPS) or possibly gain privileges via a CLOCK_MONOTONIC_RAW clock_nanosleep call that triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2767

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2768
CVE STATUS: Patched
CVE SUMMARY: The load_flat_shared_library function in fs/binfmt_flat.c in the flat subsystem in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by executing a shared flat binary, which triggers an access of an "uninitialized cred pointer."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2768

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2844
CVE STATUS: Patched
CVE SUMMARY: cfg80211 in net/wireless/scan.c in the Linux kernel 2.6.30-rc1 and other versions before 2.6.31-rc6 allows remote attackers to cause a denial of service (crash) via a sequence of beacon frames in which one frame omits an SSID Information Element (IE) and the subsequent frame contains an SSID IE, which triggers a NULL pointer dereference in the cmp_ies function.  NOTE: a potential weakness in the is_mesh function was also addressed, but the relevant condition did not exist in the code, so it is not a vulnerability.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2844

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2846
CVE STATUS: Patched
CVE SUMMARY: The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2846

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2847
CVE STATUS: Patched
CVE SUMMARY: The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2847

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2848
CVE STATUS: Patched
CVE SUMMARY: The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.
CVSS v2 BASE SCORE: 5.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2849
CVE STATUS: Patched
CVE SUMMARY: The md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 might allow local users to cause a denial of service (NULL pointer dereference) via vectors related to "suspend_* sysfs attributes" and the (1) suspend_lo_store or (2) suspend_hi_store functions.  NOTE: this is only a vulnerability when sysfs is writable by an attacker.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2849

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2903
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the appletalk subsystem in the Linux kernel 2.4.x through 2.4.37.6 and 2.6.x through 2.6.31, when the appletalk and ipddp modules are loaded but the ipddp"N" device is not found, allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2903

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2908
CVE STATUS: Patched
CVE SUMMARY: The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a "negative dentry" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2908

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2909
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the ax25_setsockopt function in net/ax25/af_ax25.c in the ax25 subsystem in the Linux kernel before 2.6.31.2 allows local users to cause a denial of service (OOPS) via a crafted optlen value in an SO_BINDTODEVICE operation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-2910
CVE STATUS: Patched
CVE SUMMARY: arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which allows local users to read register values from an earlier process by switching an ia32 process to 64-bit mode.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3001
CVE STATUS: Patched
CVE SUMMARY: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2.6.31-rc7 and earlier does not initialize a certain data structure, which allows local users to read the contents of some kernel memory locations by calling getsockname on an AF_LLC socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3002
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3043
CVE STATUS: Patched
CVE SUMMARY: The tty_ldisc_hangup function in drivers/char/tty_ldisc.c in the Linux kernel 2.6.31-rc before 2.6.31-rc8 allows local users to cause a denial of service (system crash, sometimes preceded by a NULL pointer dereference) or possibly gain privileges via certain pseudo-terminal I/O activity, as demonstrated by KernelTtyTest.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3043

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3080
CVE STATUS: Patched
CVE SUMMARY: Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3228
CVE STATUS: Patched
CVE SUMMARY: The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3228

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3234
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the perf_copy_attr function in kernel/perf_counter.c in the Linux kernel 2.6.31-rc1 allows local users to cause a denial of service (crash) and execute arbitrary code via a "big size data" to the perf_counter_open system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3234

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3238
CVE STATUS: Patched
CVE SUMMARY: The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3238

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3280
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the find_ie function in net/wireless/scan.c in the cfg80211 subsystem in the Linux kernel before 2.6.31.1-rc1 allows remote attackers to cause a denial of service (soft lockup) via malformed packets.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3280

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3286
CVE STATUS: Patched
CVE SUMMARY: NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings such as setuid bits, and possibly allows local users to gain privileges, related to the execution of the do_open_permission function even when a create fails.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3286

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3288
CVE STATUS: Patched
CVE SUMMARY: The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD.  NOTE: this is only exploitable by users who can open the cdrom device.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3288

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3290
CVE STATUS: Patched
CVE SUMMARY: The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified "random addresses."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3290

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3547
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3547

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3556
CVE STATUS: Patched
CVE SUMMARY: A certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows local users to make arbitrary changes to SCSI host attributes by modifying these files.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3556

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3612
CVE STATUS: Patched
CVE SUMMARY: The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.  NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3612

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3613
CVE STATUS: Patched
CVE SUMMARY: The swiotlb functionality in the r8169 driver in drivers/net/r8169.c in the Linux kernel before 2.6.27.22 allows remote attackers to cause a denial of service (IOMMU space exhaustion and system crash) by using jumbo frames for a large amount of network traffic, as demonstrated by a flood ping.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3613

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3620
CVE STATUS: Patched
CVE SUMMARY: The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3620

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3621
CVE STATUS: Patched
CVE SUMMARY: net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3621

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3623
CVE STATUS: Patched
CVE SUMMARY: The lookup_cb_cred function in fs/nfsd/nfs4callback.c in the nfsd4 subsystem in the Linux kernel before 2.6.31.2 attempts to access a credentials cache even when a client specifies the AUTH_NULL authentication flavor, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an NFSv4 mount request.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3623

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3624
CVE STATUS: Patched
CVE SUMMARY: The get_instantiation_keyring function in security/keys/keyctl.c in the KEYS subsystem in the Linux kernel before 2.6.32-rc5 does not properly maintain the reference count of a keyring, which allows local users to gain privileges or cause a denial of service (OOPS) via vectors involving calls to this function without specifying a keyring by ID, as demonstrated by a series of keyctl request2 and keyctl list commands.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3624

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3638
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.31.4 allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3638

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3640
CVE STATUS: Patched
CVE SUMMARY: The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc1 does not properly handle the absence of an Advanced Programmable Interrupt Controller (APIC), which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via a call to the kvm_vcpu_ioctl function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3640

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3722
CVE STATUS: Patched
CVE SUMMARY: The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3722

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3725
CVE STATUS: Patched
CVE SUMMARY: The connector layer in the Linux kernel before 2.6.31.5 does not require the CAP_SYS_ADMIN capability for certain interaction with the (1) uvesafb, (2) pohmelfs, (3) dst, or (4) dm subsystem, which allows local users to bypass intended access restrictions and gain privileges via calls to functions in these subsystems.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3725

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3726
CVE STATUS: Patched
CVE SUMMARY: The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3726

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3888
CVE STATUS: Patched
CVE SUMMARY: The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before 2.6.31.6, when the CPU lacks a memory management unit, allows local users to cause a denial of service (OOPS) via an application that attempts to allocate a large amount of memory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3888

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3889
CVE STATUS: Patched
CVE SUMMARY: The dbg_lvl file for the megaraid_sas driver in the Linux kernel before 2.6.27 has world-writable permissions, which allows local users to change the (1) behavior and (2) logging level of the driver by modifying this file.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3889

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-3939
CVE STATUS: Patched
CVE SUMMARY: The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3939

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4004
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc7 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a KVM_X86_SETUP_MCE IOCTL request that specifies a large number of Machine Check Exception (MCE) banks.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4004

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4005
CVE STATUS: Patched
CVE SUMMARY: The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4005

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4020
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4020

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4021
CVE STATUS: Patched
CVE SUMMARY: The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel before 2.6.32-rc7 might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4021

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4026
CVE STATUS: Patched
CVE SUMMARY: The mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous "code shuffling patch."
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4026

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4027
CVE STATUS: Patched
CVE SUMMARY: Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4027

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4031
CVE STATUS: Patched
CVE SUMMARY: The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4031

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4067
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4067

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4131
CVE STATUS: Patched
CVE SUMMARY: The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel before 2.6.32-git6 allows local users to overwrite arbitrary files via a crafted request, related to insufficient checks for file permissions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4131

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4138
CVE STATUS: Patched
CVE SUMMARY: drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4138

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4141
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4141

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4271
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6.9 through 2.6.17 on the x86_64 and amd64 platforms allows local users to cause a denial of service (panic) via a 32-bit application that calls mprotect on its Virtual Dynamic Shared Object (VDSO) page and then triggers a segmentation fault.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4271

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4272
CVE STATUS: Patched
CVE SUMMARY: A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing "emergency" in which a hash chain is too long.  NOTE: this is related to an issue in the Linux kernel before 2.6.31, when the kernel routing cache is disabled, involving an uninitialized pointer and a panic.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4272

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4306
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in the EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel 2.6.32-git6 and earlier allows local users to cause a denial of service (filesystem corruption) via unknown vectors, a different vulnerability than CVE-2009-4131.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4306

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4307
CVE STATUS: Patched
CVE SUMMARY: The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 2.6.32-git6 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value).
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4307

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4308
CVE STATUS: Patched
CVE SUMMARY: The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4308

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4410
CVE STATUS: Patched
CVE SUMMARY: The fuse_ioctl_copy_user function in the ioctl handler in fs/fuse/file.c in the Linux kernel 2.6.29-rc1 through 2.6.30.y uses the wrong variable in an argument to the kunmap function, which allows local users to cause a denial of service (panic) via unknown vectors.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4410

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4536
CVE STATUS: Patched
CVE SUMMARY: drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4536

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4537
CVE STATUS: Patched
CVE SUMMARY: drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4537

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4538
CVE STATUS: Patched
CVE SUMMARY: drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets, a related issue to CVE-2009-4537.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4538

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2009-4895
CVE STATUS: Patched
CVE SUMMARY: Race condition in the tty_fasync function in drivers/char/tty_io.c in the Linux kernel before 2.6.32.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via unknown vectors, related to the put_tty_queue and __f_setown functions.  NOTE: the vulnerability was addressed in a different way in 2.6.32.9.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0003
CVE STATUS: Patched
CVE SUMMARY: The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0003

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0006
CVE STATUS: Patched
CVE SUMMARY: The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.32.4, when network namespaces are enabled, allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0007
CVE STATUS: Patched
CVE SUMMARY: net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0007

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0008
CVE STATUS: Patched
CVE SUMMARY: The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0008

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0291
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess."
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0291

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0298
CVE STATUS: Patched
CVE SUMMARY: The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0298

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0307
CVE STATUS: Patched
CVE SUMMARY: The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0307

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0410
CVE STATUS: Patched
CVE SUMMARY: drivers/connector/connector.c in the Linux kernel before 2.6.32.8 allows local users to cause a denial of service (memory consumption and system crash) by sending the kernel many NETLINK_CONNECTOR messages.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0410

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0415
CVE STATUS: Patched
CVE SUMMARY: The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0415

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0437
CVE STATUS: Patched
CVE SUMMARY: The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux kernel before 2.6.27 does not properly handle certain circumstances involving an IPv6 TUN network interface and a large number of neighbors, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0437

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0622
CVE STATUS: Patched
CVE SUMMARY: The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0622

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0623
CVE STATUS: Patched
CVE SUMMARY: The futex_lock_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0623

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0727
CVE STATUS: Patched
CVE SUMMARY: The gfs2_lock function in the Linux kernel before 2.6.34-rc1-next-20100312, and the gfs_lock function in the Linux kernel on Red Hat Enterprise Linux (RHEL) 5 and 6, does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on a (1) GFS or (2) GFS2 filesystem, and then changing this file's permissions.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0727

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-0741
CVE STATUS: Patched
CVE SUMMARY: The virtio_net_bad_features function in hw/virtio-net.c in the virtio-net driver in the Linux kernel before 2.6.26, when used on a guest OS in conjunction with qemu-kvm 0.11.0 or KVM 83, allows remote attackers to cause a denial of service (guest OS crash, and an associated qemu-kvm process exit) by sending a large amount of network traffic to a TCP port on the guest OS, related to a virtio-net whitelist that includes an improper implementation of TCP Segment Offloading (TSO).
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1083
CVE STATUS: Patched
CVE SUMMARY: The processcompl_compat function in drivers/usb/core/devio.c in Linux kernel 2.6.x through 2.6.32, and possibly other versions, does not clear the transfer buffer before returning to userspace when a USB command fails, which might make it easier for physically proximate attackers to obtain sensitive information (kernel memory).
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1084
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.18 through 2.6.33, and possibly other versions, allows remote attackers to cause a denial of service (memory corruption) via a large number of Bluetooth sockets, related to the size of sysfs files in (1) net/bluetooth/l2cap.c, (2) net/bluetooth/rfcomm/core.c, (3) net/bluetooth/rfcomm/sock.c, and (4) net/bluetooth/sco.c.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1084

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1085
CVE STATUS: Patched
CVE SUMMARY: The azx_position_ok function in hda_intel.c in Linux kernel 2.6.33-rc4 and earlier, when running on the AMD780V chip set, allows context-dependent attackers to cause a denial of service (crash) via unknown manipulations that trigger a divide-by-zero error.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1085

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1086
CVE STATUS: Patched
CVE SUMMARY: The ULE decapsulation functionality in drivers/media/dvb/dvb-core/dvb_net.c in dvb-core in Linux kernel 2.6.33 and earlier allows attackers to cause a denial of service (infinite loop) via a crafted MPEG2-TS frame, related to an invalid Payload Pointer ULE.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1086

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1087
CVE STATUS: Patched
CVE SUMMARY: The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x through 2.6.33-rc5 allows attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1087

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1088
CVE STATUS: Patched
CVE SUMMARY: fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount "symlinks," which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1088

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1146
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 2.6.33.2 and earlier, when a ReiserFS filesystem exists, does not restrict read or write access to the .reiserfs_priv directory, which allows local users to gain privileges by modifying (1) extended attributes or (2) ACLs, as demonstrated by deleting a file under .reiserfs_priv/xattrs/.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1146

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1148
CVE STATUS: Patched
CVE SUMMARY: The cifs_create function in fs/cifs/dir.c in the Linux kernel 2.6.33.2 and earlier allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a NULL nameidata (aka nd) field in a POSIX file-creation request to a server that supports UNIX extensions.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1148

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1162
CVE STATUS: Patched
CVE SUMMARY: The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1173
CVE STATUS: Patched
CVE SUMMARY: The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1173

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1187
CVE STATUS: Patched
CVE SUMMARY: The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1187

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1188
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux kernel 2.6 before 2.6.20, when IPV6_RECVPKTINFO is set on a listening socket, allows remote attackers to cause a denial of service (kernel panic) via a SYN packet while the socket is in a listening (TCP_LISTEN) state, which is not properly handled and causes the skb structure to be freed.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1188

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1436
CVE STATUS: Patched
CVE SUMMARY: gfs2 in the Linux kernel 2.6.18, and possibly other versions, does not properly handle when the gfs2_quota struct occupies two separate pages, which allows local users to cause a denial of service (kernel panic) via certain manipulations that cause an out-of-bounds write, as demonstrated by writing from an ext3 file system to a gfs2 file system.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1436

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1437
CVE STATUS: Patched
CVE SUMMARY: Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1437

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1446
CVE STATUS: Patched
CVE SUMMARY: arch/powerpc/mm/fsl_booke_mmu.c in KGDB in the Linux kernel 2.6.30 and other versions before 2.6.33, when running on PowerPC, does not properly perform a security check for access to a kernel page, which allows local users to overwrite arbitrary kernel memory, related to Fsl booke.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1446

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1451
CVE STATUS: Patched
CVE SUMMARY: The TSB I-TLB load implementation in arch/sparc/kernel/tsb.S in the Linux kernel before 2.6.33 on the SPARC platform does not properly obtain the value of a certain _PAGE_EXEC_4U bit and consequently does not properly implement a non-executable stack, which makes it easier for context-dependent attackers to exploit stack-based buffer overflows via a crafted application.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1451

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1488
CVE STATUS: Patched
CVE SUMMARY: The proc_oom_score function in fs/proc/base.c in the Linux kernel before 2.6.34-rc4 uses inappropriate data structures during selection of a candidate for the OOM killer, which might allow local users to cause a denial of service via unspecified patterns of task creation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1488

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1636
CVE STATUS: Patched
CVE SUMMARY: The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the btrfs functionality in the Linux kernel 2.6.29 through 2.6.32, and possibly other versions, does not ensure that a cloned file descriptor has been opened for reading, which allows local users to read sensitive information from a write-only file descriptor.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1636

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1641
CVE STATUS: Patched
CVE SUMMARY: The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1641

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-1643
CVE STATUS: Patched
CVE SUMMARY: mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1643

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2066
CVE STATUS: Patched
CVE SUMMARY: The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2071
CVE STATUS: Patched
CVE SUMMARY: The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Linux kernel 2.6.34 and earlier does not check file ownership before setting an ACL, which allows local users to bypass file permissions by setting arbitrary ACLs, as demonstrated using setfacl.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2071

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2226
CVE STATUS: Patched
CVE SUMMARY: The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2226

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2240
CVE STATUS: Patched
CVE SUMMARY: The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2240

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2243
CVE STATUS: Patched
CVE SUMMARY: A vulnerability exists in kernel/time/clocksource.c in the Linux kernel before 2.6.34 where on non-GENERIC_TIME systems (GENERIC_TIME=n), accessing /sys/devices/system/clocksource/clocksource0/current_clocksource results in an OOPS.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2243

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2248
CVE STATUS: Patched
CVE SUMMARY: fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2248

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2478
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.33.7 on 32-bit platforms allows local users to cause a denial of service or possibly have unspecified other impact via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value that triggers a buffer overflow, a different vulnerability than CVE-2010-3084.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2478

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2492
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2492

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2495
CVE STATUS: Patched
CVE SUMMARY: The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel before 2.6.34 does not properly validate certain values associated with an interface, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors related to a routing change.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2495

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2521
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2521

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2524
CVE STATUS: Patched
CVE SUMMARY: The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2524

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2525
CVE STATUS: Patched
CVE SUMMARY: A flaw was discovered in gfs2 file system’s handling of acls (access control lists). An unprivileged local attacker could exploit this flaw to gain access or execute any file stored in the gfs2 file system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2537
CVE STATUS: Patched
CVE SUMMARY: The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a (1) BTRFS_IOC_CLONE or (2) BTRFS_IOC_CLONE_RANGE ioctl call that specifies this file as a donor.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2537

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2538
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 might allow local users to obtain sensitive information via a BTRFS_IOC_CLONE_RANGE ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2538

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2653
CVE STATUS: Patched
CVE SUMMARY: Race condition in the hvc_close function in drivers/char/hvc_console.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service or possibly have unspecified other impact by closing a Hypervisor Virtual Console device, related to the hvc_open and hvc_remove functions.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2653

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2798
CVE STATUS: Patched
CVE SUMMARY: The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2798

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2803
CVE STATUS: Patched
CVE SUMMARY: The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2803

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2938
CVE STATUS: Patched
CVE SUMMARY: arch/x86/hvm/vmx/vmcs.c in the virtual-machine control structure (VMCS) implementation in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when an Intel platform without Extended Page Tables (EPT) functionality is used, accesses VMCS fields without verifying hardware support for these fields, which allows local users to cause a denial of service (host OS crash) by requesting a VMCS dump for a fully virtualized Xen guest.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2938

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2942
CVE STATUS: Patched
CVE SUMMARY: The actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc2 does not properly initialize certain structure members when performing dump operations, which allows local users to obtain potentially sensitive information from kernel memory via vectors related to (1) the tcf_gact_dump function in net/sched/act_gact.c, (2) the tcf_mirred_dump function in net/sched/act_mirred.c, (3) the tcf_nat_dump function in net/sched/act_nat.c, (4) the tcf_simp_dump function in net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in net/sched/act_skbedit.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2942

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2943
CVE STATUS: Patched
CVE SUMMARY: The xfs implementation in the Linux kernel before 2.6.35 does not look up inode allocation btrees before reading inode buffers, which allows remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2943

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2946
CVE STATUS: Patched
CVE SUMMARY: fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly handle a certain legacy format for storage of extended attributes, which might allow local users by bypass intended xattr namespace restrictions via an "os2." substring at the beginning of a name.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2946

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2954
CVE STATUS: Patched
CVE SUMMARY: The irda_bind function in net/irda/af_irda.c in the Linux kernel before 2.6.36-rc3-next-20100901 does not properly handle failure of the irda_open_tsap function, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2954

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2955
CVE STATUS: Patched
CVE SUMMARY: The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2955

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2959
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2959

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2960
CVE STATUS: Patched
CVE SUMMARY: The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel 2.6.35.4 and earlier expects that a certain parent session keyring exists, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2960

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2962
CVE STATUS: Patched
CVE SUMMARY: drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via crafted use of the ioctl interface, related to (1) pwrite and (2) pread operations.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2962

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-2963
CVE STATUS: Patched
CVE SUMMARY: drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2963

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3015
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3015

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3066
CVE STATUS: Patched
CVE SUMMARY: The io_submit_one function in fs/aio.c in the Linux kernel before 2.6.23 allows local users to cause a denial of service (NULL pointer dereference) via a crafted io_submit system call with an IOCB_FLAG_RESFD flag.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3067
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3067

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3078
CVE STATUS: Patched
CVE SUMMARY: The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3079
CVE STATUS: Patched
CVE SUMMARY: kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs is enabled, does not properly handle interaction between mutex possession and llseek operations, which allows local users to cause a denial of service (NULL pointer dereference and outage of all function tracing files) via an lseek call on a file descriptor associated with the set_ftrace_filter file.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3080
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3081
CVE STATUS: Patched
CVE SUMMARY: The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a "stack pointer underflow" issue, as exploited in the wild in September 2010.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3081

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3084
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the niu_get_ethtool_tcam_all function in drivers/net/niu.c in the Linux kernel before 2.6.36-rc4 allows local users to cause a denial of service or possibly have unspecified other impact via the ETHTOOL_GRXCLSRLALL ethtool command.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3084

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3086
CVE STATUS: Patched
CVE SUMMARY: include/asm-x86/futex.h in the Linux kernel before 2.6.25 does not properly implement exception fixup, which allows local users to cause a denial of service (panic) via an invalid application that triggers a page fault.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3086

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3296
CVE STATUS: Patched
CVE SUMMARY: The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3296

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3297
CVE STATUS: Patched
CVE SUMMARY: The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3297

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3298
CVE STATUS: Patched
CVE SUMMARY: The hso_get_count function in drivers/net/usb/hso.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3298

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3301
CVE STATUS: Patched
CVE SUMMARY: The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register.  NOTE: this vulnerability exists because of a CVE-2007-4573 regression.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3301

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3310
CVE STATUS: Patched
CVE SUMMARY: Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel before 2.6.36-rc5-next-20100923 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3310

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3432
CVE STATUS: Patched
CVE SUMMARY: The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3432

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3437
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3437

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3442
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3442

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3448
CVE STATUS: Patched
CVE SUMMARY: drivers/platform/x86/thinkpad_acpi.c in the Linux kernel before 2.6.34 on ThinkPad devices, when the X.Org X server is used, does not properly restrict access to the video output control state, which allows local users to cause a denial of service (system hang) via a (1) read or (2) write operation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3448

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3477
CVE STATUS: Patched
CVE SUMMARY: The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel memory via vectors involving a dump operation.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2942.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3477

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3698
CVE STATUS: Patched
CVE SUMMARY: The KVM implementation in the Linux kernel before 2.6.36 does not properly reload the FS and GS segment registers, which allows host OS users to cause a denial of service (host OS crash) via a KVM_RUN ioctl call in conjunction with a modified Local Descriptor Table (LDT).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3698

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3705
CVE STATUS: Patched
CVE SUMMARY: The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3705

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3848
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to gain privileges by providing a large number of iovec structures.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3849
CVE STATUS: Patched
CVE SUMMARY: The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a sendmsg call that specifies a NULL value for the remote address field.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3849

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3850
CVE STATUS: Patched
CVE SUMMARY: The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which allows local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3858
CVE STATUS: Patched
CVE SUMMARY: The setup_arg_pages function in fs/exec.c in the Linux kernel before 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict the stack memory consumption of the (1) arguments and (2) environment for a 32-bit application on a 64-bit platform, which allows local users to cause a denial of service (system crash) via a crafted exec system call, a related issue to CVE-2010-2240.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3859
CVE STATUS: Patched
CVE SUMMARY: Multiple integer signedness errors in the TIPC implementation in the Linux kernel before 2.6.36.2 allow local users to gain privileges via a crafted sendmsg call that triggers a heap-based buffer overflow, related to the tipc_msg_build function in net/tipc/msg.c and the verify_iovec function in net/core/iovec.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3859

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3861
CVE STATUS: Patched
CVE SUMMARY: The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize a certain block of heap memory, which allows local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than CVE-2010-2478.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3861

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3865
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the rds_rdma_pages function in net/rds/rdma.c in the Linux kernel allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted iovec struct in a Reliable Datagram Sockets (RDS) request, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3865

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3873
CVE STATUS: Patched
CVE SUMMARY: The X.25 implementation in the Linux kernel before 2.6.36.2 does not properly parse facilities, which allows remote attackers to cause a denial of service (heap memory corruption and panic) or possibly have unspecified other impact via malformed (1) X25_FAC_CALLING_AE or (2) X25_FAC_CALLED_AE data, related to net/x25/x25_facilities.c and net/x25/x25_in.c, a different vulnerability than CVE-2010-4164.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3873

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3874
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.36.2 on 64-bit platforms might allow local users to cause a denial of service (memory corruption) via a connect operation.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3874

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3875
CVE STATUS: Patched
CVE SUMMARY: The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3875

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3876
CVE STATUS: Patched
CVE SUMMARY: net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3876

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3877
CVE STATUS: Patched
CVE SUMMARY: The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3877

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3880
CVE STATUS: Patched
CVE SUMMARY: net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3880

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3881
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/x86.c in the Linux kernel before 2.6.36.2 does not initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via read operations on the /dev/kvm device.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3881

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-3904
CVE STATUS: Patched
CVE SUMMARY: The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4072
CVE STATUS: Patched
CVE SUMMARY: The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the "old shm interface."
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4072

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4073
CVE STATUS: Patched
CVE SUMMARY: The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4073

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4074
CVE STATUS: Patched
CVE SUMMARY: The USB subsystem in the Linux kernel before 2.6.36-rc5 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to TIOCGICOUNT ioctl calls, and the (1) mos7720_ioctl function in drivers/usb/serial/mos7720.c and (2) mos7840_ioctl function in drivers/usb/serial/mos7840.c.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4075
CVE STATUS: Patched
CVE SUMMARY: The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4076
CVE STATUS: Patched
CVE SUMMARY: The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4077
CVE STATUS: Patched
CVE SUMMARY: The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4078
CVE STATUS: Patched
CVE SUMMARY: The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4079
CVE STATUS: Patched
CVE SUMMARY: The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the Linux kernel before 2.6.36-rc8 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4080
CVE STATUS: Patched
CVE SUMMARY: The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4081
CVE STATUS: Patched
CVE SUMMARY: The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4081

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4082
CVE STATUS: Patched
CVE SUMMARY: The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4082

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4083
CVE STATUS: Patched
CVE SUMMARY: The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4157
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel before 2.6.36.1 on 64-bit platforms allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large argument in an ioctl call.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4157

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4158
CVE STATUS: Patched
CVE SUMMARY: The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4158

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4160
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) pppol2tp_sendmsg function in net/l2tp/l2tp_ppp.c, and the (2) l2tp_ip_sendmsg function in net/l2tp/l2tp_ip.c, in the PPPoL2TP and IPoL2TP implementations in the Linux kernel before 2.6.36.2 allow local users to cause a denial of service (heap memory corruption and panic) or possibly gain privileges via a crafted sendto call.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4160

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4161
CVE STATUS: Patched
CVE SUMMARY: The udp_queue_rcv_skb function in net/ipv4/udp.c in a certain Red Hat build of the Linux kernel 2.6.18 in Red Hat Enterprise Linux (RHEL) 5 allows attackers to cause a denial of service (deadlock and system hang) by sending UDP traffic to a socket that has a crafted socket filter, a related issue to CVE-2010-4158.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4161

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4162
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in fs/bio.c in the Linux kernel before 2.6.36.2 allow local users to cause a denial of service (system crash) via a crafted device ioctl to a SCSI device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4163
CVE STATUS: Patched
CVE SUMMARY: The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.36.2 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4163

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4164
CVE STATUS: Patched
CVE SUMMARY: Multiple integer underflows in the x25_parse_facilities function in net/x25/x25_facilities.c in the Linux kernel before 2.6.36.2 allow remote attackers to cause a denial of service (system crash) via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data, a different vulnerability than CVE-2010-3873.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4164

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4165
CVE STATUS: Patched
CVE SUMMARY: The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel before 2.6.37-rc2 does not properly restrict TCP_MAXSEG (aka MSS) values, which allows local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4165

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4169
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in mm/mprotect.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors involving an mprotect system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4169

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4175
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the rds_cmsg_rdma_args function (net/rds/rdma.c) in Linux kernel 2.6.35 allows local users to cause a denial of service (crash) and possibly trigger memory corruption via a crafted Reliable Datagram Sockets (RDS) request, a different vulnerability than CVE-2010-3865.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4175

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4242
CVE STATUS: Patched
CVE SUMMARY: The hci_uart_tty_open function in the HCI UART driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel 2.6.36, and possibly other versions, does not verify whether the tty has a write operation, which allows local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth driver.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4242

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4243
CVE STATUS: Patched
CVE SUMMARY: fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an "OOM dodging issue," a related issue to CVE-2010-3858.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4243

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4248
CVE STATUS: Patched
CVE SUMMARY: Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4248

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4249
CVE STATUS: Patched
CVE SUMMARY: The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4249

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4250
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the inotify_init1 function in fs/notify/inotify/inotify_user.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory consumption) via vectors involving failed attempts to create files.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4250

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4251
CVE STATUS: Patched
CVE SUMMARY: The socket implementation in net/core/sock.c in the Linux kernel before 2.6.34 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service (memory consumption) by sending a large amount of network traffic, as demonstrated by netperf UDP tests.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4251

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4256
CVE STATUS: Patched
CVE SUMMARY: The pipe_fcntl function in fs/pipe.c in the Linux kernel before 2.6.37 does not properly determine whether a file is a named pipe, which allows local users to cause a denial of service via an F_SETPIPE_SZ fcntl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4256

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4258
CVE STATUS: Patched
CVE SUMMARY: The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4258

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4263
CVE STATUS: Patched
CVE SUMMARY: The igb_receive_skb function in drivers/net/igb/igb_main.c in the Intel Gigabit Ethernet (aka igb) subsystem in the Linux kernel before 2.6.34, when Single Root I/O Virtualization (SR-IOV) and promiscuous mode are enabled but no VLANs are registered, allows remote attackers to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via a VLAN tagged frame.
CVSS v2 BASE SCORE: 7.9
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4263

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4342
CVE STATUS: Patched
CVE SUMMARY: The aun_incoming function in net/econet/af_econet.c in the Linux kernel before 2.6.37-rc6, when Econet is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4342

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4343
CVE STATUS: Patched
CVE SUMMARY: drivers/scsi/bfa/bfa_core.c in the Linux kernel before 2.6.35 does not initialize a certain port data structure, which allows local users to cause a denial of service (system crash) via read operations on an fc_host statistics file.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4343

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4346
CVE STATUS: Patched
CVE SUMMARY: The install_special_mapping function in mm/mmap.c in the Linux kernel before 2.6.37-rc6 does not make an expected security_file_mmap function call, which allows local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4346

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4347
CVE STATUS: Patched
CVE SUMMARY: The ACPI subsystem in the Linux kernel before 2.6.36.2 uses 0222 permissions for the debugfs custom_method file, which allows local users to gain privileges by placing a custom ACPI method in the ACPI interpreter tables, related to the acpi_debugfs_init function in drivers/acpi/debugfs.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4347

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4525
CVE STATUS: Patched
CVE SUMMARY: Linux kernel 2.6.33 and 2.6.34.y does not initialize the kvm_vcpu_events->interrupt.pad structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via unspecified vectors.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4526
CVE STATUS: Patched
CVE SUMMARY: Race condition in the sctp_icmp_proto_unreachable function in net/sctp/input.c in Linux kernel 2.6.11-rc2 through 2.6.33 allows remote attackers to cause a denial of service (panic) via an ICMP unreachable message to a socket that is already locked by a user, which causes the socket to be freed and triggers list corruption, related to the sctp_wait_for_connect function.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4526

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4527
CVE STATUS: Patched
CVE SUMMARY: The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel before 2.6.37 incorrectly expects that a certain name field ends with a '\0' character, which allows local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory, via a SOUND_MIXER_SETLEVELS ioctl call.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4527

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4529
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the irda_getsockopt function in net/irda/af_irda.c in the Linux kernel before 2.6.37 on platforms other than x86 allows local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4529

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4563
CVE STATUS: Unpatched
CVE SUMMARY: The Linux kernel, when using IPv6, allows remote attackers to determine whether a host is sniffing the network by sending an ICMPv6 Echo Request to a multicast address and determining whether an Echo Reply is sent, as demonstrated by thcping.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4563

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4565
CVE STATUS: Patched
CVE SUMMARY: The bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel 2.6.36 and earlier creates a publicly accessible file with a filename containing a kernel memory address, which allows local users to obtain potentially sensitive information about kernel memory use by listing this filename.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4565

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4648
CVE STATUS: Patched
CVE SUMMARY: The orinoco_ioctl_set_auth function in drivers/net/wireless/orinoco/wext.c in the Linux kernel before 2.6.37 does not properly implement a TKIP protection mechanism, which makes it easier for remote attackers to obtain access to a Wi-Fi network by reading Wi-Fi frames.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4648

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4649
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4649

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4650
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the fuse_do_ioctl function in fs/fuse/file.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging the ability to operate a CUSE server.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4650

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4655
CVE STATUS: Patched
CVE SUMMARY: net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability for an ethtool ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4655

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4656
CVE STATUS: Patched
CVE SUMMARY: The iowarrior_write function in drivers/usb/misc/iowarrior.c in the Linux kernel before 2.6.37 does not properly allocate memory, which might allow local users to trigger a heap-based buffer overflow, and consequently cause a denial of service or gain privileges, via a long report.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4656

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4668
CVE STATUS: Patched
CVE SUMMARY: The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.37-rc7 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4163.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4668

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-4805
CVE STATUS: Patched
CVE SUMMARY: The socket implementation in net/core/sock.c in the Linux kernel before 2.6.35 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service by sending a large amount of network traffic, related to the sk_add_backlog function and the sk_rmem_alloc socket field.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4251.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4805

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-5313
CVE STATUS: Patched
CVE SUMMARY: Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5313

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-5321
CVE STATUS: Patched
CVE SUMMARY: Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761.  NOTE: as of 2016-06-18, this affects only 11 drivers that have not been updated to use videobuf2 instead of videobuf.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5321

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-5328
CVE STATUS: Patched
CVE SUMMARY: include/linux/init_task.h in the Linux kernel before 2.6.35 does not prevent signals with a process group ID of zero from reaching the swapper process, which allows local users to cause a denial of service (system crash) by leveraging access to this process group.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5328

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-5329
CVE STATUS: Patched
CVE SUMMARY: The video_usercopy function in drivers/media/video/v4l2-ioctl.c in the Linux kernel before 2.6.39 relies on the count value of a v4l2_ext_controls data structure to determine a kmalloc size, which might allow local users to cause a denial of service (memory consumption) via a large value.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5329

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-5331
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 2.6.34, a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off by one (buffer overflow) problem. NOTE: At least one Linux maintainer believes that this CVE is incorrectly assigned and should be rejected because the value is hard coded and are not user-controllable where it is used
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5331

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2010-5332
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 2.6.37, an out of bounds array access happened in drivers/net/mlx4/port.c. When searching for a free entry in either mlx4_register_vlan() or mlx4_register_mac(), and there is no free entry, the loop terminates without updating the local variable free thus causing out of array bounds access.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5332

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0006
CVE STATUS: Patched
CVE SUMMARY: The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c in the Linux kernel before 2.6.37, when the Linux Security Modules (LSM) framework is disabled, allows local users to bypass Integrity Measurement Architecture (IMA) rules in opportunistic circumstances by leveraging an administrator's addition of an IMA rule for LSM.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0463
CVE STATUS: Patched
CVE SUMMARY: The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the Oracle Cluster File System 2 (OCFS2) subsystem in the Linux kernel before 2.6.39-rc1 does not properly handle holes that cross page boundaries, which allows local users to obtain potentially sensitive information from uninitialized disk locations by reading a file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0463

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0521
CVE STATUS: Patched
CVE SUMMARY: The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer field, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0521

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0695
CVE STATUS: Patched
CVE SUMMARY: Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference.
CVSS v2 BASE SCORE: 5.7
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0695

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0699
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the btrfs_ioctl_space_info function in the Linux kernel 2.6.37 allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted slot value.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0699

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0709
CVE STATUS: Patched
CVE SUMMARY: The br_mdb_ip_get function in net/bridge/br_multicast.c in the Linux kernel before 2.6.35-rc5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an IGMP packet, related to lack of a multicast table.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0709

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0710
CVE STATUS: Patched
CVE SUMMARY: The task_show_regs function in arch/s390/kernel/traps.c in the Linux kernel before 2.6.38-rc4-next-20110216 on the s390 platform allows local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0710

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0711
CVE STATUS: Patched
CVE SUMMARY: The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0711

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0712
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0712

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0714
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in a certain Red Hat patch for the RPC server sockets functionality in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 might allow remote attackers to cause a denial of service (crash) via malformed data in a packet, related to lockd and the svc_xprt_received function.
CVSS v2 BASE SCORE: 5.7
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0714

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0716
CVE STATUS: Patched
CVE SUMMARY: The br_multicast_add_group function in net/bridge/br_multicast.c in the Linux kernel before 2.6.38, when a certain Ethernet bridge configuration is used, allows local users to cause a denial of service (memory corruption and system crash) by sending IGMP packets to a local interface.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0716

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0726
CVE STATUS: Patched
CVE SUMMARY: The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0726

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-0999
CVE STATUS: Patched
CVE SUMMARY: mm/huge_memory.c in the Linux kernel before 2.6.38-rc5 does not prevent creation of a transparent huge page (THP) during the existence of a temporary stack for an exec system call, which allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0999

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1010
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the mac_partition function in fs/partitions/mac.c in the Linux kernel before 2.6.37.2 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via a malformed Mac OS partition table.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1010

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1012
CVE STATUS: Patched
CVE SUMMARY: The ldm_parse_vmdb function in fs/partitions/ldm.c in the Linux kernel before 2.6.38-rc6-git6 does not validate the VBLK size value in the VMDB structure in an LDM partition table, which allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted partition table.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1012

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1013
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a crafted num_crtcs (aka vb_num) structure member in an ioctl argument.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1013

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1016
CVE STATUS: Patched
CVE SUMMARY: The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1016

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1017
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel 2.6.37.2 and earlier might allow local users to gain privileges or obtain sensitive information via a crafted LDM partition table.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1017

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1019
CVE STATUS: Patched
CVE SUMMARY: The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1019

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1020
CVE STATUS: Patched
CVE SUMMARY: The proc filesystem implementation in the Linux kernel 2.6.37 and earlier does not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allows local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1020

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1021
CVE STATUS: Patched
CVE SUMMARY: drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1021

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1023
CVE STATUS: Patched
CVE SUMMARY: The Reliable Datagram Sockets (RDS) subsystem in the Linux kernel before 2.6.38 does not properly handle congestion map updates, which allows local users to cause a denial of service (BUG_ON and system crash) via vectors involving (1) a loopback (aka loop) transmit operation or (2) an InfiniBand (aka ib) transmit operation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1023

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1044
CVE STATUS: Patched
CVE SUMMARY: The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1044

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1076
CVE STATUS: Patched
CVE SUMMARY: net/dns_resolver/dns_key.c in the Linux kernel before 2.6.38 allows remote DNS servers to cause a denial of service (NULL pointer dereference and OOPS) by not providing a valid response to a DNS query, as demonstrated by an erroneous grand.centrall.org query, which triggers improper handling of error data within a DNS resolver key.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1078
CVE STATUS: Patched
CVE SUMMARY: The sco_sock_getsockopt_old function in net/bluetooth/sco.c in the Linux kernel before 2.6.39 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via the SCO_CONNINFO option.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1079
CVE STATUS: Patched
CVE SUMMARY: The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a '\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system crash), via a BNEPCONNADD command.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1080
CVE STATUS: Patched
CVE SUMMARY: The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not ensure that a certain name field ends with a '\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to replace a table, and then reading a modprobe command line.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1082
CVE STATUS: Patched
CVE SUMMARY: fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file descriptors within other epoll data structures without properly checking for (1) closed loops or (2) deep chains, which allows local users to cause a denial of service (deadlock or stack memory consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1082

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1083
CVE STATUS: Patched
CVE SUMMARY: The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1090
CVE STATUS: Patched
CVE SUMMARY: The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux kernel before 2.6.38 stores NFSv4 ACL data in memory that is allocated by kmalloc but not properly freed, which allows local users to cause a denial of service (panic) via a crafted attempt to set an ACL.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1090

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1093
CVE STATUS: Patched
CVE SUMMARY: The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1093

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1160
CVE STATUS: Patched
CVE SUMMARY: The tpm_open function in drivers/char/tpm/tpm.c in the Linux kernel before 2.6.39 does not initialize a certain buffer, which allows local users to obtain potentially sensitive information from kernel memory via unspecified vectors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1160

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1162
CVE STATUS: Patched
CVE SUMMARY: The tpm_read function in the Linux kernel 2.6 does not properly clear memory, which might allow local users to read the results of the previous TPM command.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1163
CVE STATUS: Patched
CVE SUMMARY: The osf_partition function in fs/partitions/osf.c in the Linux kernel before 2.6.38 does not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1163

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1169
CVE STATUS: Patched
CVE SUMMARY: Array index error in the asihpi_hpi_ioctl function in sound/pci/asihpi/hpioctl.c in the AudioScience HPI driver in the Linux kernel before 2.6.38.1 might allow local users to cause a denial of service (memory corruption) or possibly gain privileges via a crafted adapter index value that triggers access to an invalid kernel pointer.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1169

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1170
CVE STATUS: Patched
CVE SUMMARY: net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1170

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1171
CVE STATUS: Patched
CVE SUMMARY: net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1171

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1172
CVE STATUS: Patched
CVE SUMMARY: net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1172

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1173
CVE STATUS: Patched
CVE SUMMARY: The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.39 on the x86_64 platform allows remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1173

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1180
CVE STATUS: Patched
CVE SUMMARY: Multiple stack-based buffer overflows in the iriap_getvaluebyclass_indication function in net/irda/iriap.c in the Linux kernel before 2.6.39 allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging connectivity to an IrDA infrared network and sending a large integer value for a (1) name length or (2) attribute length.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1180

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1182
CVE STATUS: Patched
CVE SUMMARY: kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1182

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1474
CVE STATUS: Patched
CVE SUMMARY: A locally locally exploitable DOS vulnerability was found in pax-linux versions 2.6.32.33-test79.patch, 2.6.38-test3.patch, and 2.6.37.4-test14.patch. A bad bounds check in arch_get_unmapped_area_topdown triggered by programs doing an mmap after a MAP_GROWSDOWN mmap will create an infinite loop condition without releasing the VM semaphore eventually leading to a system crash.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1474

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1476
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the Open Sound System (OSS) subsystem in the Linux kernel before 2.6.39 on unspecified non-x86 platforms allows local users to cause a denial of service (memory corruption) by leveraging write access to /dev/sequencer.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1476

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1477
CVE STATUS: Patched
CVE SUMMARY: Multiple array index errors in sound/oss/opl3.c in the Linux kernel before 2.6.39 allow local users to cause a denial of service (heap memory corruption) or possibly gain privileges by leveraging write access to /dev/sequencer.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1477

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1478
CVE STATUS: Patched
CVE SUMMARY: The napi_reuse_skb function in net/core/dev.c in the Generic Receive Offload (GRO) implementation in the Linux kernel before 2.6.38 does not reset the values of certain structure members, which might allow remote attackers to cause a denial of service (NULL pointer dereference) via a malformed VLAN frame.
CVSS v2 BASE SCORE: 5.7
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1478

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1479
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the inotify subsystem in the Linux kernel before 2.6.39 allows local users to cause a denial of service (system crash) via vectors involving failed attempts to create files.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-4250.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1479

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1493
CVE STATUS: Patched
CVE SUMMARY: Array index error in the rose_parse_national function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by composing FAC_NATIONAL_DIGIS data that specifies a large number of digipeaters, and then sending this data to a ROSE socket.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1493

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1494
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier might allow local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1494

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1495
CVE STATUS: Patched
CVE SUMMARY: drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1495

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1573
CVE STATUS: Patched
CVE SUMMARY: net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1573

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1576
CVE STATUS: Patched
CVE SUMMARY: The Generic Receive Offload (GRO) implementation in the Linux kernel 2.6.18 on Red Hat Enterprise Linux 5 and 2.6.32 on Red Hat Enterprise Linux 6, as used in Red Hat Enterprise Virtualization (RHEV) Hypervisor and other products, allows remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to (1) a memory leak or (2) memory corruption, a different vulnerability than CVE-2011-1478.
CVSS v2 BASE SCORE: 5.7
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1576

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1577
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the is_gpt_valid function in fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows physically proximate attackers to cause a denial of service (OOPS) or possibly have unspecified other impact via a crafted size of the EFI GUID partition-table header on removable media.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1577

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1581
CVE STATUS: Patched
CVE SUMMARY: The bond_select_queue function in drivers/net/bonding/bond_main.c in the Linux kernel before 2.6.39, when a network device with a large number of receive queues is installed but the default tx_queues setting is used, does not properly restrict queue indexes, which allows remote attackers to cause a denial of service (BUG and system crash) or possibly have unspecified other impact by sending network traffic.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1581

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1585
CVE STATUS: Patched
CVE SUMMARY: The cifs_find_smb_ses function in fs/cifs/connect.c in the Linux kernel before 2.6.36 does not properly determine the associations between users and sessions, which allows local users to bypass CIFS share authentication by leveraging a mount of a share by a different user.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1585

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1593
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel before 2.6.38.4 allow local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1593

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1598
CVE STATUS: Patched
CVE SUMMARY: The bcm_release function in net/can/bcm.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1598

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1745
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1745

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1746
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allow local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1746

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1747
CVE STATUS: Patched
CVE SUMMARY: The agp subsystem in the Linux kernel 2.6.38.5 and earlier does not properly restrict memory allocation by the (1) AGPIOC_RESERVE and (2) AGPIOC_ALLOCATE ioctls, which allows local users to cause a denial of service (memory consumption) by making many calls to these ioctls.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1747

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1748
CVE STATUS: Patched
CVE SUMMARY: The raw_release function in net/can/raw.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1748

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1759
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the sys_oabi_semtimedop function in arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 2.6.39 on the ARM platform, when CONFIG_OABI_COMPAT is enabled, allows local users to gain privileges or cause a denial of service (heap memory corruption) by providing a crafted argument and leveraging a race condition.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1759

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1767
CVE STATUS: Patched
CVE SUMMARY: net/ipv4/ip_gre.c in the Linux kernel before 2.6.34, when ip_gre is configured as a module, allows remote attackers to cause a denial of service (OOPS) by sending a packet during module loading.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1767

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1768
CVE STATUS: Patched
CVE SUMMARY: The tunnels implementation in the Linux kernel before 2.6.34, when tunnel functionality is configured as a module, allows remote attackers to cause a denial of service (OOPS) by sending a packet during module loading.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1768

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1770
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel before 2.6.33.14 allows remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggers a buffer over-read.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1770

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1771
CVE STATUS: Patched
CVE SUMMARY: The cifs_close function in fs/cifs/file.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact by setting the O_DIRECT flag during an attempt to open a file on a CIFS filesystem.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1771

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1776
CVE STATUS: Patched
CVE SUMMARY: The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel before 2.6.39 does not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allows physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device, a different vulnerability than CVE-2011-1577.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1776

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1833
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private mount with a mismatched uid.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1833

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-1927
CVE STATUS: Patched
CVE SUMMARY: The ip_expire function in net/ipv4/ip_fragment.c in the Linux kernel before 2.6.39 does not properly construct ICMP_TIME_EXCEEDED packets after a timeout, which allows remote attackers to cause a denial of service (invalid pointer dereference) via crafted fragmented packets.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1927

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2022
CVE STATUS: Patched
CVE SUMMARY: The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does not validate a certain start parameter, which allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than CVE-2011-1745.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2022

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2182
CVE STATUS: Patched
CVE SUMMARY: The ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel before 2.6.39.1 does not properly handle memory allocation for non-initial fragments, which might allow local users to conduct buffer overflow attacks, and gain privileges or obtain sensitive information, via a crafted LDM partition table.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1017.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2182

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2183
CVE STATUS: Patched
CVE SUMMARY: Race condition in the scan_get_next_rmap_item function in mm/ksm.c in the Linux kernel before 2.6.39.3, when Kernel SamePage Merging (KSM) is enabled, allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted application.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2183

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2184
CVE STATUS: Patched
CVE SUMMARY: The key_replace_session_keyring function in security/keys/process_keys.c in the Linux kernel before 2.6.39.1 does not initialize a certain structure member, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function, a different vulnerability than CVE-2010-2960.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2184

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2189
CVE STATUS: Patched
CVE SUMMARY: net/core/net_namespace.c in the Linux kernel 2.6.32 and earlier does not properly handle a high rate of creation and cleanup of network namespaces, which makes it easier for remote attackers to cause a denial of service (memory consumption) via requests to a daemon that requires a separate namespace per connection, as demonstrated by vsftpd.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2189

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2203
CVE STATUS: Patched
CVE SUMMARY: The hfs_find_init function in the Linux kernel 2.6 allows local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2203

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2208
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the osf_getdomainname function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform allows local users to obtain sensitive information from kernel memory via a crafted call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2208

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2209
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the osf_sysinfo function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform allows local users to obtain sensitive information from kernel memory via a crafted call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2209

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2210
CVE STATUS: Patched
CVE SUMMARY: The osf_getsysinfo function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform does not properly restrict the data size for GSI_GET_HWRPB operations, which allows local users to obtain sensitive information from kernel memory via a crafted call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2210

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2211
CVE STATUS: Patched
CVE SUMMARY: The osf_wait4 function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform uses an incorrect pointer, which allows local users to gain privileges by writing a certain integer value to kernel memory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2211

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2213
CVE STATUS: Patched
CVE SUMMARY: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel before 2.6.39.3 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2213

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2479
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.39 does not properly create transparent huge pages in response to a MAP_PRIVATE mmap system call on /dev/zero, which allows local users to cause a denial of service (system crash) via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2479

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2482
CVE STATUS: Patched
CVE SUMMARY: A certain Red Hat patch to the sctp_sock_migrate function in net/sctp/socket.c in the Linux kernel before 2.6.21, as used in Red Hat Enterprise Linux (RHEL) 5, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted SCTP packet.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2482

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2484
CVE STATUS: Patched
CVE SUMMARY: The add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not prevent multiple registrations of exit handlers, which allows local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2484

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2491
CVE STATUS: Patched
CVE SUMMARY: The Network Lock Manager (NLM) protocol implementation in the NFS client functionality in the Linux kernel before 3.0 allows local users to cause a denial of service (system hang) via a LOCK_UN flock system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2491

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2492
CVE STATUS: Patched
CVE SUMMARY: The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2492

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2493
CVE STATUS: Patched
CVE SUMMARY: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel before 2.6.39 does not properly initialize a certain error-report data structure, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2493

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2494
CVE STATUS: Patched
CVE SUMMARY: kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2494

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2495
CVE STATUS: Patched
CVE SUMMARY: fs/proc/base.c in the Linux kernel before 2.6.39.4 does not properly restrict access to /proc/#####/io files, which allows local users to obtain sensitive I/O statistics by polling a file, as demonstrated by discovering the length of another user's password.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2495

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2496
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the vma_to_resize function in mm/mremap.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (BUG_ON and system crash) via a crafted mremap system call that expands a memory mapping.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2496

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2497
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the l2cap_config_req function in net/bluetooth/l2cap_core.c in the Linux kernel before 3.0 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a small command-size value within the command header of a Logical Link Control and Adaptation Protocol (L2CAP) configuration request, leading to a buffer overflow.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2497

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2498
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2498

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2517
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in net/wireless/nl80211.c in the Linux kernel before 2.6.39.2 allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability during scan operations with a long SSID value.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2517

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2518
CVE STATUS: Patched
CVE SUMMARY: The tomoyo_mount_acl function in security/tomoyo/mount.c in the Linux kernel before 2.6.39.2 calls the kern_path function with arguments taken directly from a mount system call, which allows local users to cause a denial of service (OOPS) or possibly have unspecified other impact via a NULL value for the device name.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2518

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2521
CVE STATUS: Patched
CVE SUMMARY: The x86_assign_hw_event function in arch/x86/kernel/cpu/perf_event.c in the Performance Events subsystem in the Linux kernel before 2.6.39 does not properly calculate counter values, which allows local users to cause a denial of service (panic) via the perf program.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2521

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2525
CVE STATUS: Patched
CVE SUMMARY: The qdisc_notify function in net/sched/sch_api.c in the Linux kernel before 2.6.35 does not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2534
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel before 2.6.39 might allow local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '\0' character.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2534

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2689
CVE STATUS: Patched
CVE SUMMARY: The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2689

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2695
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2695

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2699
CVE STATUS: Patched
CVE SUMMARY: The IPv6 implementation in the Linux kernel before 3.1 does not generate Fragment Identification values separately for each destination, which makes it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2699

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2700
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the si4713_write_econtrol_string function in drivers/media/radio/si4713-i2c.c in the Linux kernel before 2.6.39.4 on the N900 platform might allow local users to cause a denial of service or have unspecified other impact via a crafted s_ext_ctrls operation with a (1) V4L2_CID_RDS_TX_PS_NAME or (2) V4L2_CID_RDS_TX_RADIO_TEXT control ID.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2700

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2707
CVE STATUS: Patched
CVE SUMMARY: The ptrace_setxregs function in arch/xtensa/kernel/ptrace.c in the Linux kernel before 3.1 does not validate user-space pointers, which allows local users to obtain sensitive information from kernel memory locations via a crafted PTRACE_SETXTREGS request.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2707

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2723
CVE STATUS: Patched
CVE SUMMARY: The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel before 2.6.39.4, when Generic Receive Offload (GRO) is enabled, resets certain fields in incorrect situations, which allows remote attackers to cause a denial of service (system crash) via crafted network traffic.
CVSS v2 BASE SCORE: 5.7
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2723

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2898
CVE STATUS: Patched
CVE SUMMARY: net/packet/af_packet.c in the Linux kernel before 2.6.39.3 does not properly restrict user-space access to certain packet data structures associated with VLAN Tag Control Information, which allows local users to obtain potentially sensitive information via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2898

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2905
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in the perf_config function in tools/perf/util/config.c in perf, as distributed in the Linux kernel before 3.1, allows local users to overwrite arbitrary files via a crafted config file in the current working directory.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2905

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2906
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the pmcraid_ioctl_passthrough function in drivers/scsi/pmcraid.c in the Linux kernel before 3.1 might allow local users to cause a denial of service (memory consumption or memory corruption) via a negative size value in an ioctl call. NOTE: this may be a vulnerability only in unusual environments that provide a privileged program for obtaining the required file descriptor.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2906

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2909
CVE STATUS: Patched
CVE SUMMARY: The do_devinfo_ioctl function in drivers/staging/comedi/comedi_fops.c in the Linux kernel before 3.1 allows local users to obtain sensitive information from kernel memory via a copy of a short string.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2918
CVE STATUS: Patched
CVE SUMMARY: The Performance Events subsystem in the Linux kernel before 3.1 does not properly handle event overflows associated with PERF_COUNT_SW_CPU_CLOCK events, which allows local users to cause a denial of service (system hang) via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2918

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2928
CVE STATUS: Patched
CVE SUMMARY: The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel before 3.1-rc3 does not validate the length attribute of long symlinks, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2928

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-2942
CVE STATUS: Patched
CVE SUMMARY: A certain Red Hat patch to the __br_deliver function in net/bridge/br_forward.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging connectivity to a network interface that uses an Ethernet bridge device.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2942

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3188
CVE STATUS: Patched
CVE SUMMARY: The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3188

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3191
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the CIFSFindNext function in fs/cifs/cifssmb.c in the Linux kernel before 3.1 allows remote CIFS servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large length value in a response to a read request for a directory.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3191

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3209
CVE STATUS: Patched
CVE SUMMARY: The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel before 2.6.26 on the x86 platform allows local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3209

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3353
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the fuse_notify_inval_entry function in fs/fuse/dev.c in the Linux kernel before 3.1 allows local users to cause a denial of service (BUG_ON and system crash) by leveraging the ability to mount a FUSE filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3353

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3359
CVE STATUS: Patched
CVE SUMMARY: The dma_rx function in drivers/net/wireless/b43/dma.c in the Linux kernel before 2.6.39 does not properly allocate receive buffers, which allows remote attackers to cause a denial of service (system crash) via a crafted frame.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3359

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3363
CVE STATUS: Patched
CVE SUMMARY: The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel before 2.6.39 does not properly handle DFS referrals, which allows remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3363

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3593
CVE STATUS: Patched
CVE SUMMARY: A certain Red Hat patch to the vlan_hwaccel_do_receive function in net/8021q/vlan_core.c in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows remote attackers to cause a denial of service (system crash) via priority-tagged VLAN frames.
CVSS v2 BASE SCORE: 5.7
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3593

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3619
CVE STATUS: Patched
CVE SUMMARY: The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 3.0 does not properly handle invalid parameters, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact by writing to a /proc/#####/attr/current file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3619

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3637
CVE STATUS: Patched
CVE SUMMARY: The m_stop function in fs/proc/task_mmu.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (OOPS) via vectors that trigger an m_start error.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3637

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-3638
CVE STATUS: Patched
CVE SUMMARY: fs/ext4/extents.c in the Linux kernel before 3.0 does not mark a modified extent as dirty in certain cases of extent splitting, which allows local users to cause a denial of service (system crash) via vectors involving ext4 umount and mount operations.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3638

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4077
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel 2.6, when CONFIG_XFS_DEBUG is disabled, allows local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4080
CVE STATUS: Patched
CVE SUMMARY: The sysrq_sysctl_handler function in kernel/sysctl.c in the Linux kernel before 2.6.39 does not require the CAP_SYS_ADMIN capability to modify the dmesg_restrict value, which allows local users to bypass intended access restrictions and read the kernel ring buffer by leveraging root privileges, as demonstrated by a root user in a Linux Containers (aka LXC) environment.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4081
CVE STATUS: Patched
CVE SUMMARY: crypto/ghash-generic.c in the Linux kernel before 3.1 allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact by triggering a failed or missing ghash_setkey function call, followed by a (1) ghash_update function call or (2) ghash_final function call, as demonstrated by a write operation on an AF_ALG socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4081

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4086
CVE STATUS: Patched
CVE SUMMARY: The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4086

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4087
CVE STATUS: Patched
CVE SUMMARY: The br_parse_ip_options function in net/bridge/br_netfilter.c in the Linux kernel before 2.6.39 does not properly initialize a certain data structure, which allows remote attackers to cause a denial of service by leveraging connectivity to a network interface that uses an Ethernet bridge device.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4087

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4097
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the oom_badness function in mm/oom_kill.c in the Linux kernel before 3.1.8 on 64-bit platforms allows local users to cause a denial of service (memory consumption or process termination) by using a certain large amount of memory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4097

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4098
CVE STATUS: Patched
CVE SUMMARY: The fallocate implementation in the GFS2 filesystem in the Linux kernel before 3.2 relies on the page cache, which might allow local users to cause a denial of service by preallocating blocks in certain situations involving insufficient memory.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4098

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4110
CVE STATUS: Patched
CVE SUMMARY: The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allows local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and "updating a negative key into a fully instantiated key."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4110

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4112
CVE STATUS: Patched
CVE SUMMARY: The net subsystem in the Linux kernel before 3.1 does not properly restrict use of the IFF_TX_SKB_SHARING flag, which allows local users to cause a denial of service (panic) by leveraging the CAP_NET_ADMIN capability to access /proc/net/pktgen/pgctrl, and then using the pktgen package in conjunction with a bridge device for a VLAN interface.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4112

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4127
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 3.2.2 does not properly restrict SG_IO ioctl calls, which allows local users to bypass intended restrictions on disk read and write operations by sending a SCSI command to (1) a partition block device or (2) an LVM volume.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4127

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4131
CVE STATUS: Patched
CVE SUMMARY: The NFSv4 implementation in the Linux kernel before 3.2.2 does not properly handle bitmap sizes in GETACL replies, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4131

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4132
CVE STATUS: Patched
CVE SUMMARY: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel 2.6 allows local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an "invalid log first block value."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4132

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4324
CVE STATUS: Patched
CVE SUMMARY: The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel before 2.6.29 allows local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4324

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4325
CVE STATUS: Patched
CVE SUMMARY: The NFS implementation in Linux kernel before 2.6.31-rc6 calls certain functions without properly initializing certain data, which allows local users to cause a denial of service (NULL pointer dereference and O_DIRECT oops), as demonstrated using diotest4 from LTP.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4325

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4326
CVE STATUS: Patched
CVE SUMMARY: The udp6_ufo_fragment function in net/ipv6/udp.c in the Linux kernel before 2.6.39, when a certain UDP Fragmentation Offload (UFO) configuration is enabled, allows remote attackers to cause a denial of service (system crash) by sending fragmented IPv6 UDP packets to a bridge device.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4326

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4330
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4330

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4347
CVE STATUS: Patched
CVE SUMMARY: The kvm_vm_ioctl_assign_device function in virt/kvm/assigned-dev.c in the KVM subsystem in the Linux kernel before 3.1.10 does not verify permission to access PCI configuration space and BAR resources, which allows host OS users to assign PCI devices and cause a denial of service (host OS crash) via a KVM_ASSIGN_PCI_DEVICE operation.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4347

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4348
CVE STATUS: Patched
CVE SUMMARY: Race condition in the sctp_rcv function in net/sctp/input.c in the Linux kernel before 2.6.29 allows remote attackers to cause a denial of service (system hang) via SCTP packets.  NOTE: in some environments, this issue exists because of an incomplete fix for CVE-2011-2482.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4348

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4594
CVE STATUS: Patched
CVE SUMMARY: The __sys_sendmsg function in net/socket.c in the Linux kernel before 3.1 allows local users to cause a denial of service (system crash) via crafted use of the sendmmsg system call, leading to an incorrect pointer dereference.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4594

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4604
CVE STATUS: Patched
CVE SUMMARY: The bat_socket_read function in net/batman-adv/icmp_socket.c in the Linux kernel before 3.3 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted batman-adv ICMP packet.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4604

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4611
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the perf_event_interrupt function in arch/powerpc/kernel/perf_event.c in the Linux kernel before 2.6.39 on powerpc platforms allows local users to cause a denial of service (unhandled performance monitor exception) via vectors that trigger certain outcomes of performance events.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4611

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4621
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 2.6.37 does not properly implement a certain clock-update optimization, which allows local users to cause a denial of service (system hang) via an application that executes code in a loop.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4621

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4913
CVE STATUS: Patched
CVE SUMMARY: The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 does not validate the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP fields, which allows remote attackers to (1) cause a denial of service (integer underflow, heap memory corruption, and panic) via a small length value in data sent to a ROSE socket, or (2) conduct stack-based buffer overflow attacks via a large length value in data sent to a ROSE socket.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4914
CVE STATUS: Patched
CVE SUMMARY: The ROSE protocol implementation in the Linux kernel before 2.6.39 does not verify that certain data-length values are consistent with the amount of data sent, which might allow remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via crafted data to a ROSE socket.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4915
CVE STATUS: Patched
CVE SUMMARY: fs/proc/base.c in the Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /proc/interrupts.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4915

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4916
CVE STATUS: Patched
CVE SUMMARY: Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /dev/pts/ and /dev/tty*.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4916

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-4917
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4917

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-5321
CVE STATUS: Patched
CVE SUMMARY: The tty_open function in drivers/tty/tty_io.c in the Linux kernel before 3.1.1 mishandles a driver-lookup failure, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted access to a device file under the /dev/pts directory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5321

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2011-5327
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 3.1, an off by one in the drivers/target/loopback/tcm_loop.c tcm_loop_make_naa_tpg() function could result in at least memory corruption.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5327

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0028
CVE STATUS: Patched
CVE SUMMARY: The robust futex implementation in the Linux kernel before 2.6.28 does not properly handle processes that make exec system calls, which allows local users to cause a denial of service or possibly gain privileges by writing to a memory location in a child process.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0028

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0038
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the xfs_acl_from_disk function in fs/xfs/xfs_acl.c in the Linux kernel before 3.1.9 allows local users to cause a denial of service (panic) via a filesystem with a malformed ACL, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0038

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0044
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the drm_mode_dirtyfb_ioctl function in drivers/gpu/drm/drm_crtc.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.1.5 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted ioctl call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0044

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0045
CVE STATUS: Patched
CVE SUMMARY: The em_syscall function in arch/x86/kvm/emulate.c in the KVM implementation in the Linux kernel before 3.2.14 does not properly handle the 0f05 (aka syscall) opcode, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application, as demonstrated by an NASM file.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0045

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0055
CVE STATUS: Patched
CVE SUMMARY: OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0055

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0056
CVE STATUS: Patched
CVE SUMMARY: The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0058
CVE STATUS: Patched
CVE SUMMARY: The kiocb_batch_free function in fs/aio.c in the Linux kernel before 3.2.2 allows local users to cause a denial of service (OOPS) via vectors that trigger incorrect iocb management.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0058

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0207
CVE STATUS: Patched
CVE SUMMARY: The igmp_heard_query function in net/ipv4/igmp.c in the Linux kernel before 3.2.1 allows remote attackers to cause a denial of service (divide-by-zero error and panic) via IGMP packets.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0207

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0810
CVE STATUS: Patched
CVE SUMMARY: The int3 handler in the Linux kernel before 3.3 relies on a per-CPU debug stack, which allows local users to cause a denial of service (stack corruption and panic) via a crafted application that triggers certain lock contention.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0810

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0879
CVE STATUS: Patched
CVE SUMMARY: The I/O implementation for block devices in the Linux kernel before 2.6.33 does not properly handle the CLONE_IO feature, which allows local users to cause a denial of service (I/O instability) by starting multiple processes that share an I/O context.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0879

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-0957
CVE STATUS: Patched
CVE SUMMARY: The override_release function in kernel/sys.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from kernel stack memory via a uname system call in conjunction with a UNAME26 personality.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0957

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-1090
CVE STATUS: Patched
CVE SUMMARY: The cifs_lookup function in fs/cifs/dir.c in the Linux kernel before 3.2.10 allows local users to cause a denial of service (OOPS) via attempted access to a special file, as demonstrated by a FIFO.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1090

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-1097
CVE STATUS: Patched
CVE SUMMARY: The regset (aka register set) feature in the Linux kernel before 3.2.10 does not properly handle the absence of .get and .set methods, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a (1) PTRACE_GETREGSET or (2) PTRACE_SETREGSET ptrace call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1097

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-1146
CVE STATUS: Patched
CVE SUMMARY: The mem_cgroup_usage_unregister_event function in mm/memcontrol.c in the Linux kernel before 3.2.10 does not properly handle multiple events that are attached to the same eventfd, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by registering memory threshold events.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1146

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-1179
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 3.3.1, when KVM is used, allows guest OS users to cause a denial of service (host OS crash) by leveraging administrative access to the guest OS, related to the pmd_none_or_clear_bad function and page faults for huge pages.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1179

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-1583
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the xfrm6_tunnel_rcv function in net/ipv6/xfrm6_tunnel.c in the Linux kernel before 2.6.22, when the xfrm6_tunnel module is enabled, allows remote attackers to cause a denial of service (panic) via crafted IPv6 packets.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1583

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-1601
CVE STATUS: Patched
CVE SUMMARY: The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1601

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2100
CVE STATUS: Patched
CVE SUMMARY: The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 3.2.2, on the x86 platform and unspecified other platforms, allows user-assisted remote attackers to trigger inconsistent filesystem-groups data and possibly cause a denial of service via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value).  NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4307.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2100

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2119
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the macvtap device driver in the Linux kernel before 3.4.5, when running in certain configurations, allows privileged KVM guest users to cause a denial of service (crash) via a long descriptor with a long vector length.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2119

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2121
CVE STATUS: Patched
CVE SUMMARY: The KVM implementation in the Linux kernel before 3.3.4 does not properly manage the relationships between memory slots and the iommu, which allows guest OS users to cause a denial of service (memory leak and host OS crash) by leveraging administrative access to the guest OS to conduct hotunplug and hotplug operations on devices.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2121

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2123
CVE STATUS: Patched
CVE SUMMARY: The cap_bprm_set_creds function in security/commoncap.c in the Linux kernel before 3.3.3 does not properly handle the use of file system capabilities (aka fcaps) for implementing a privileged executable file, which allows local users to bypass intended personality restrictions via a crafted application, as demonstrated by an attack that uses a parent process to disable ASLR.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2123

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2127
CVE STATUS: Patched
CVE SUMMARY: fs/proc/root.c in the procfs implementation in the Linux kernel before 3.2 does not properly interact with CLONE_NEWPID clone system calls, which allows remote attackers to cause a denial of service (reference leak and memory consumption) by making many connections to a daemon that uses PID namespaces to isolate clients, as demonstrated by vsftpd.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2127

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2133
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the Linux kernel before 3.3.6, when huge pages are enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges by interacting with a hugetlbfs filesystem, as demonstrated by a umount operation that triggers improper handling of quota data.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2133

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2136
CVE STATUS: Patched
CVE SUMMARY: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel before 3.4.5 does not properly validate a certain length value, which allows local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2136

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2137
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2137

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2313
CVE STATUS: Patched
CVE SUMMARY: The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel before 3.3.7 does not restrict access to the SIOCSMIIREG command, which allows local users to write data to an Ethernet adapter via an ioctl call.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2313

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2319
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the hfsplus filesystem implementation in the Linux kernel before 3.3.5 allow local users to gain privileges via a crafted HFS plus filesystem, a related issue to CVE-2009-4020.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2319

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2372
CVE STATUS: Patched
CVE SUMMARY: The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interface's own IP address, as demonstrated by rds-ping.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2372

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2373
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 3.4.5 on the x86 platform, when Physical Address Extension (PAE) is enabled, does not properly use the Page Middle Directory (PMD), which allows local users to cause a denial of service (panic) via a crafted application that triggers a race condition.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2373

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2375
CVE STATUS: Patched
CVE SUMMARY: The __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the NFSv4 implementation in the Linux kernel before 3.3.2 uses an incorrect length variable during a copy operation, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words in an FATTR4_ACL reply.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-4131.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2375

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2383
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the i915_gem_execbuffer2 function in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.3.5 on 32-bit platforms allows local users to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2383

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2384
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the i915_gem_do_execbuffer function in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.3.5 on 32-bit platforms allows local users to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2384

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2390
CVE STATUS: Patched
CVE SUMMARY: Memory leak in mm/hugetlb.c in the Linux kernel before 3.4.2 allows local users to cause a denial of service (memory consumption or system crash) via invalid MAP_HUGETLB mmap operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2390

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2669
CVE STATUS: Patched
CVE SUMMARY: The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.4.5, does not validate the origin of Netlink messages, which allows local users to spoof Netlink communication via a crafted connector message.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2669

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2744
CVE STATUS: Patched
CVE SUMMARY: net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel before 2.6.34, when the nf_conntrack_ipv6 module is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2744

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-2745
CVE STATUS: Patched
CVE SUMMARY: The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2745

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-3364
CVE STATUS: Patched
CVE SUMMARY: Multiple stack-based buffer overflows in the Near Field Communication Controller Interface (NCI) in the Linux kernel before 3.4.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via incoming frames with crafted length fields.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3364

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-3375
CVE STATUS: Patched
CVE SUMMARY: The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3375

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-3400
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3400

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-3412
CVE STATUS: Patched
CVE SUMMARY: The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3412

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-3430
CVE STATUS: Patched
CVE SUMMARY: The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3430

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-3510
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel before 2.6.19 allows local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3510

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-3511
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3511

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-3520
CVE STATUS: Patched
CVE SUMMARY: The Netlink implementation in the Linux kernel before 3.2.30 does not properly handle messages that lack SCM_CREDENTIALS data, which might allow local users to spoof Netlink communication via a crafted message, as demonstrated by a message to (1) Avahi or (2) NetworkManager.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3520

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-3552
CVE STATUS: Patched
CVE SUMMARY: Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an application that sets socket options during the handling of network traffic.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3552

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-4398
CVE STATUS: Patched
CVE SUMMARY: The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4398

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-4444
CVE STATUS: Patched
CVE SUMMARY: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4444

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-4461
CVE STATUS: Patched
CVE SUMMARY: The KVM subsystem in the Linux kernel before 3.6.9, when running on hosts that use qemu userspace without XSAVE, allows local users to cause a denial of service (kernel OOPS) by using the KVM_SET_SREGS ioctl to set the X86_CR4_OSXSAVE bit in the guest cr4 register, then calling the KVM_RUN ioctl.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4461

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-4467
CVE STATUS: Patched
CVE SUMMARY: The (1) do_siocgstamp and (2) do_siocgstampns functions in net/socket.c in the Linux kernel before 3.5.4 use an incorrect argument order, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (system crash) via a crafted ioctl call.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4467

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-4508
CVE STATUS: Patched
CVE SUMMARY: Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from a deleted file by reading an extent that was not properly marked as uninitialized.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4508

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-4530
CVE STATUS: Patched
CVE SUMMARY: The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4530

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-4542
CVE STATUS: Patched
CVE SUMMARY: block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4542

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-4565
CVE STATUS: Patched
CVE SUMMARY: The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4565

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-5374
CVE STATUS: Patched
CVE SUMMARY: The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (extended runtime of kernel code) by creating many different files whose names are associated with the same CRC32C hash value.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5374

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-5375
CVE STATUS: Patched
CVE SUMMARY: The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (prevention of file creation) by leveraging the ability to write to a directory important to the victim, and creating a file with a crafted name that is associated with a specific CRC32C hash value.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5375

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-5517
CVE STATUS: Patched
CVE SUMMARY: The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5517

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-5532
CVE STATUS: Patched
CVE SUMMARY: The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5532

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6536
CVE STATUS: Patched
CVE SUMMARY: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not verify that the actual Netlink message length is consistent with a certain header field, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability and providing a (1) new or (2) updated state.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6536

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6537
CVE STATUS: Patched
CVE SUMMARY: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6537

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6538
CVE STATUS: Patched
CVE SUMMARY: The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux kernel before 3.6 uses an incorrect C library function for copying a string, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6538

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6539
CVE STATUS: Patched
CVE SUMMARY: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6539

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6540
CVE STATUS: Patched
CVE SUMMARY: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6540

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6541
CVE STATUS: Patched
CVE SUMMARY: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6541

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6542
CVE STATUS: Patched
CVE SUMMARY: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6542

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6543
CVE STATUS: Patched
CVE SUMMARY: The l2tp_ip6_getname function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6543

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6544
CVE STATUS: Patched
CVE SUMMARY: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6544

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6545
CVE STATUS: Patched
CVE SUMMARY: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6545

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6546
CVE STATUS: Patched
CVE SUMMARY: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6546

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6547
CVE STATUS: Patched
CVE SUMMARY: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6547

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6548
CVE STATUS: Patched
CVE SUMMARY: The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6548

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6549
CVE STATUS: Patched
CVE SUMMARY: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6549

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6638
CVE STATUS: Patched
CVE SUMMARY: The tcp_rcv_state_process function in net/ipv4/tcp_input.c in the Linux kernel before 3.2.24 allows remote attackers to cause a denial of service (kernel resource consumption) via a flood of SYN+FIN TCP packets, a different vulnerability than CVE-2012-2663.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6638

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6647
CVE STATUS: Patched
CVE SUMMARY: The futex_wait_requeue_pi function in kernel/futex.c in the Linux kernel before 3.5.1 does not ensure that calls have two different futex addresses, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted FUTEX_WAIT_REQUEUE_PI command.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6647

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6657
CVE STATUS: Patched
CVE SUMMARY: The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5.7 does not ensure that a keepalive action is associated with a stream socket, which allows local users to cause a denial of service (system crash) by leveraging the ability to create a raw socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6657

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6689
CVE STATUS: Patched
CVE SUMMARY: The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux kernel before 3.5.5 does not validate the dst_pid field, which allows local users to have an unspecified impact by spoofing Netlink messages.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6689

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6701
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6701

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6703
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the snd_compr_allocate_buffer function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.6-rc6-next-20120917 allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6703

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6704
CVE STATUS: Patched
CVE SUMMARY: The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6704

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2012-6712
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 3.4, a buffer overflow occurs in drivers/net/wireless/iwlwifi/iwl-agn-sta.c, which will cause at least memory corruption.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6712

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0160
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0160

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0190
CVE STATUS: Patched
CVE SUMMARY: The xen_failsafe_callback function in Xen for the Linux kernel 2.6.23 and other versions, when running a 32-bit PVOPS guest, allows local users to cause a denial of service (guest crash) by triggering an iret fault, leading to use of an incorrect stack pointer and stack corruption.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0190

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0216
CVE STATUS: Patched
CVE SUMMARY: The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0216

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0217
CVE STATUS: Patched
CVE SUMMARY: Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0217

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0228
CVE STATUS: Patched
CVE SUMMARY: The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0228

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0231
CVE STATUS: Patched
CVE SUMMARY: The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0231

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0268
CVE STATUS: Patched
CVE SUMMARY: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0268

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0290
CVE STATUS: Patched
CVE SUMMARY: The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0290

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0309
CVE STATUS: Patched
CVE SUMMARY: arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when transparent huge pages are used, does not properly support PROT_NONE memory regions, which allows local users to cause a denial of service (system crash) via a crafted application.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0309

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0310
CVE STATUS: Patched
CVE SUMMARY: The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0310

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0311
CVE STATUS: Patched
CVE SUMMARY: The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0311

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0313
CVE STATUS: Patched
CVE SUMMARY: The evm_update_evmxattr function in security/integrity/evm/evm_crypto.c in the Linux kernel before 3.7.5, when the Extended Verification Module (EVM) is enabled, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an attempted removexattr operation on an inode of a sockfs filesystem.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0313

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0343
CVE STATUS: Patched
CVE SUMMARY: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.
CVSS v2 BASE SCORE: 3.2
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0343

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0349
CVE STATUS: Patched
CVE SUMMARY: The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0349

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0871
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0871

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0913
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel through 3.8.3, as used in Google Chrome OS before 25.0.1364.173 and other products, allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted application that triggers many relocation copies, and potentially leads to a race condition.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-0914
CVE STATUS: Patched
CVE SUMMARY: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1059
CVE STATUS: Patched
CVE SUMMARY: net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1059

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1763
CVE STATUS: Patched
CVE SUMMARY: Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1763

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1767
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1767

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1772
CVE STATUS: Patched
CVE SUMMARY: The log_prefix function in kernel/printk.c in the Linux kernel 3.x before 3.4.33 does not properly remove a prefix string from a syslog header, which allows local users to cause a denial of service (buffer overflow and system crash) by leveraging /dev/kmsg write access and triggering a call_console_drivers function call.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1772

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1773
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1773

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1774
CVE STATUS: Patched
CVE SUMMARY: The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1774

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1792
CVE STATUS: Patched
CVE SUMMARY: Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1792

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1796
CVE STATUS: Patched
CVE SUMMARY: The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1796

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1797
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1797

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1798
CVE STATUS: Patched
CVE SUMMARY: The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1798

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1819
CVE STATUS: Patched
CVE SUMMARY: The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel before 3.7.6 does not validate block numbers, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1819

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1826
CVE STATUS: Patched
CVE SUMMARY: The xfrm_state_netlink function in net/xfrm/xfrm_user.c in the Linux kernel before 3.5.7 does not properly handle error conditions in dump_one_state function calls, which allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1826

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1827
CVE STATUS: Patched
CVE SUMMARY: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1827

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1828
CVE STATUS: Patched
CVE SUMMARY: The sctp_getsockopt_assoc_stats function in net/sctp/socket.c in the Linux kernel before 3.8.4 does not validate a size value before proceeding to a copy_from_user operation, which allows local users to gain privileges via a crafted application that contains an SCTP_GET_ASSOC_STATS getsockopt system call.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1828

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1848
CVE STATUS: Patched
CVE SUMMARY: fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1858
CVE STATUS: Patched
CVE SUMMARY: The clone system-call implementation in the Linux kernel before 3.8.3 does not properly handle a combination of the CLONE_NEWUSER and CLONE_FS flags, which allows local users to gain privileges by calling chroot and leveraging the sharing of the / directory between a parent process and a child process.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1860
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1860

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1928
CVE STATUS: Patched
CVE SUMMARY: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1928

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1929
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1929

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1943
CVE STATUS: Patched
CVE SUMMARY: The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guest's physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1943

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1956
CVE STATUS: Patched
CVE SUMMARY: The create_user_ns function in kernel/user_namespace.c in the Linux kernel before 3.8.6 does not check whether a chroot directory exists that differs from the namespace root directory, which allows local users to bypass intended filesystem restrictions via a crafted clone system call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1956

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1957
CVE STATUS: Patched
CVE SUMMARY: The clone_mnt function in fs/namespace.c in the Linux kernel before 3.8.6 does not properly restrict changes to the MNT_READONLY flag, which allows local users to bypass an intended read-only property of a filesystem by leveraging a separate mount namespace.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1957

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1958
CVE STATUS: Patched
CVE SUMMARY: The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.8.6 does not properly enforce capability requirements for controlling the PID value associated with a UNIX domain socket, which allows local users to bypass intended access restrictions by leveraging the time interval during which a user namespace has been created but a PID namespace has not been created.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1958

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1959
CVE STATUS: Patched
CVE SUMMARY: kernel/user_namespace.c in the Linux kernel before 3.8.9 does not have appropriate capability requirements for the uid_map and gid_map files, which allows local users to gain privileges by opening a file within an unprivileged process and then modifying the file within a privileged process.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1959

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-1979
CVE STATUS: Patched
CVE SUMMARY: The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1979

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2015
CVE STATUS: Patched
CVE SUMMARY: The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2015

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2017
CVE STATUS: Patched
CVE SUMMARY: The veth (aka virtual Ethernet) driver in the Linux kernel before 2.6.34 does not properly manage skbs during congestion, which allows remote attackers to cause a denial of service (system crash) by leveraging lack of skb consumption in conjunction with a double-free error.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2017

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2058
CVE STATUS: Patched
CVE SUMMARY: The host_start function in drivers/usb/chipidea/host.c in the Linux kernel before 3.7.4 does not properly support a certain non-streaming option, which allows local users to cause a denial of service (system crash) by sending a large amount of network traffic through a USB/Ethernet adapter.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2058

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2094
CVE STATUS: Patched
CVE SUMMARY: The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2094

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2128
CVE STATUS: Patched
CVE SUMMARY: The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2128

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2140
CVE STATUS: Patched
CVE SUMMARY: The dispatch_discard_io function in drivers/block/xen-blkback/blkback.c in the Xen blkback implementation in the Linux kernel before 3.10.5 allows guest OS users to cause a denial of service (data loss) via filesystem write operations on a read-only disk that supports the (1) BLKIF_OP_DISCARD (aka discard or TRIM) or (2) SCSI UNMAP feature.
CVSS v2 BASE SCORE: 3.8
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2140

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2141
CVE STATUS: Patched
CVE SUMMARY: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2141

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2146
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2146

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2147
CVE STATUS: Patched
CVE SUMMARY: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2147

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2148
CVE STATUS: Patched
CVE SUMMARY: The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2148

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2164
CVE STATUS: Patched
CVE SUMMARY: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2164

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2206
CVE STATUS: Patched
CVE SUMMARY: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2206

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2232
CVE STATUS: Patched
CVE SUMMARY: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2232

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2234
CVE STATUS: Patched
CVE SUMMARY: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2234

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2237
CVE STATUS: Patched
CVE SUMMARY: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2237

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2546
CVE STATUS: Patched
CVE SUMMARY: The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2546

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2547
CVE STATUS: Patched
CVE SUMMARY: The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2547

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2548
CVE STATUS: Patched
CVE SUMMARY: The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2548

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2596
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2596

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2634
CVE STATUS: Patched
CVE SUMMARY: net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2634

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2635
CVE STATUS: Patched
CVE SUMMARY: The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2635

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2636
CVE STATUS: Patched
CVE SUMMARY: net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2636

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2850
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the iscsi_add_notunderstood_response function in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target subsystem in the Linux kernel through 3.9.4 allows remote attackers to cause a denial of service (memory corruption and OOPS) or possibly execute arbitrary code via a long key that is not properly handled during construction of an error-response packet.
CVSS v2 BASE SCORE: 7.9
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2851
CVE STATUS: Patched
CVE SUMMARY: Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name.
CVSS v2 BASE SCORE: 6.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2851

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2852
CVE STATUS: Patched
CVE SUMMARY: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2852

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2888
CVE STATUS: Patched
CVE SUMMARY: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2888

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2889
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2889

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2890
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-sony.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SONY is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2890

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2891
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-steelseries.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_STEELSERIES is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2891

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2892
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2892

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2893
CVE STATUS: Patched
CVE SUMMARY: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2893

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2894
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2894

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2895
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LOGITECH_DJ is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or obtain sensitive information from kernel memory via a crafted device.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2896
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2896

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2897
CVE STATUS: Patched
CVE SUMMARY: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2897

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2898
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled, allows physically proximate attackers to obtain sensitive information from kernel memory via a crafted device.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2898

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2899
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2899

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2929
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2929

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-2930
CVE STATUS: Patched
CVE SUMMARY: The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2930

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3076
CVE STATUS: Patched
CVE SUMMARY: The crypto API in the Linux kernel through 3.9-rc8 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call, related to the hash_recvmsg function in crypto/algif_hash.c and the skcipher_recvmsg function in crypto/algif_skcipher.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3222
CVE STATUS: Patched
CVE SUMMARY: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3222

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3223
CVE STATUS: Patched
CVE SUMMARY: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3223

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3224
CVE STATUS: Patched
CVE SUMMARY: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3224

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3225
CVE STATUS: Patched
CVE SUMMARY: The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3225

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3226
CVE STATUS: Patched
CVE SUMMARY: The sco_sock_recvmsg function in net/bluetooth/sco.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3226

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3227
CVE STATUS: Patched
CVE SUMMARY: The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3227

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3228
CVE STATUS: Patched
CVE SUMMARY: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3228

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3229
CVE STATUS: Patched
CVE SUMMARY: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3229

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3230
CVE STATUS: Patched
CVE SUMMARY: The l2tp_ip6_recvmsg function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.9-rc7 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3230

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3231
CVE STATUS: Patched
CVE SUMMARY: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3231

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3232
CVE STATUS: Patched
CVE SUMMARY: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3232

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3233
CVE STATUS: Patched
CVE SUMMARY: The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3233

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3234
CVE STATUS: Patched
CVE SUMMARY: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3234

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3235
CVE STATUS: Patched
CVE SUMMARY: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3235

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3236
CVE STATUS: Patched
CVE SUMMARY: The vmci_transport_dgram_dequeue function in net/vmw_vsock/vmci_transport.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3236

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3237
CVE STATUS: Patched
CVE SUMMARY: The vsock_stream_sendmsg function in net/vmw_vsock/af_vsock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3237

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3301
CVE STATUS: Patched
CVE SUMMARY: The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3301

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-3302
CVE STATUS: Patched
CVE SUMMARY: Race condition in the smb_send_rqst function in fs/cifs/transport.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors involving a reconnection event.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3302

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4125
CVE STATUS: Patched
CVE SUMMARY: The fib6_add_rt2node function in net/ipv6/ip6_fib.c in the IPv6 stack in the Linux kernel through 3.10.1 does not properly handle Router Advertisement (RA) messages in certain circumstances involving three routes that initially qualified for membership in an ECMP route set until a change occurred for one of the first two routes, which allows remote attackers to cause a denial of service (system crash) via a crafted sequence of messages.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4125

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4127
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the vhost_net_set_backend function in drivers/vhost/net.c in the Linux kernel through 3.10.3 allows local users to cause a denial of service (OOPS and system crash) via vectors involving powering on a virtual machine.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4127

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4129
CVE STATUS: Patched
CVE SUMMARY: The bridge multicast implementation in the Linux kernel through 3.10.3 does not check whether a certain timer is armed before modifying the timeout value of that timer, which allows local users to cause a denial of service (BUG and system crash) via vectors involving the shutdown of a KVM virtual machine, related to net/bridge/br_mdb.c and net/bridge/br_multicast.c.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4129

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4162
CVE STATUS: Patched
CVE SUMMARY: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4163
CVE STATUS: Patched
CVE SUMMARY: The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel through 3.10.3 does not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4163

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4205
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the unshare_userns function in kernel/user_namespace.c in the Linux kernel before 3.10.6 allows local users to cause a denial of service (memory consumption) via an invalid CLONE_NEWUSER unshare call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4205

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4220
CVE STATUS: Patched
CVE SUMMARY: The bad_mode function in arch/arm64/kernel/traps.c in the Linux kernel before 3.9.5 on the ARM64 platform allows local users to cause a denial of service (system crash) via vectors involving an attempted register access that triggers an unexpected value in the Exception Syndrome Register (ESR).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4220

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4247
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the build_unc_path_to_root function in fs/cifs/connect.c in the Linux kernel before 3.9.6 allows remote attackers to cause a denial of service (memory corruption and system crash) via a DFS share mount operation that triggers use of an unexpected DFS referral name length.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4247

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4254
CVE STATUS: Patched
CVE SUMMARY: The validate_event function in arch/arm/kernel/perf_event.c in the Linux kernel before 3.10.8 on the ARM platform allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by adding a hardware event to an event group led by a software event.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4254

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4270
CVE STATUS: Patched
CVE SUMMARY: The net_ctl_permissions function in net/sysctl_net.c in the Linux kernel before 3.11.5 does not properly determine uid and gid values, which allows local users to bypass intended /proc/sys/net restrictions via a crafted application.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4270

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4299
CVE STATUS: Patched
CVE SUMMARY: Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device.
CVSS v2 BASE SCORE: 6.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4299

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4300
CVE STATUS: Patched
CVE SUMMARY: The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.11 performs a capability check in an incorrect namespace, which allows local users to gain privileges via PID spoofing.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4300

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4312
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4312

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4343
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4343

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4345
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4345

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4348
CVE STATUS: Patched
CVE SUMMARY: The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4348

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4350
CVE STATUS: Patched
CVE SUMMARY: The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4350

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4387
CVE STATUS: Patched
CVE SUMMARY: net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4387

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4470
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4470

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4483
CVE STATUS: Patched
CVE SUMMARY: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4483

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4511
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4511

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4512
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4512

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4513
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the oz_cdev_write function in drivers/staging/ozwpan/ozcdev.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted write operation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4513

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4514
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4514

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4515
CVE STATUS: Patched
CVE SUMMARY: The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4515

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4516
CVE STATUS: Patched
CVE SUMMARY: The mp_get_count function in drivers/staging/sb105x/sb_pci_mp.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4516

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4563
CVE STATUS: Patched
CVE SUMMARY: The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux kernel through 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly perform a certain size comparison before inserting a fragment header, which allows remote attackers to cause a denial of service (panic) via a large IPv6 UDP packet, as demonstrated by use of the Token Bucket Filter (TBF) queueing discipline.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4563

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4579
CVE STATUS: Patched
CVE SUMMARY: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4579

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4587
CVE STATUS: Patched
CVE SUMMARY: Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4587

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4588
CVE STATUS: Patched
CVE SUMMARY: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4588

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4591
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a getxattr system call for the system.nfs4_acl extended attribute of a pathname on an NFSv4 filesystem.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4591

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-4592
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users to cause a denial of service (memory consumption) by leveraging certain device access to trigger movement of memory slots.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4592

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-5634
CVE STATUS: Patched
CVE SUMMARY: arch/arm/kvm/arm.c in the Linux kernel before 3.10 on the ARM platform, when KVM is used, allows host OS users to cause a denial of service (NULL pointer dereference, OOPS, and host OS crash) or possibly have unspecified other impact by omitting vCPU initialization before a KVM_GET_REG_LIST ioctl call.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5634

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6282
CVE STATUS: Patched
CVE SUMMARY: The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6282

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6367
CVE STATUS: Patched
CVE SUMMARY: The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value.
CVSS v2 BASE SCORE: 5.7
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6367

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6368
CVE STATUS: Patched
CVE SUMMARY: The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6368

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6376
CVE STATUS: Patched
CVE SUMMARY: The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6376

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6378
CVE STATUS: Patched
CVE SUMMARY: The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6378

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6380
CVE STATUS: Patched
CVE SUMMARY: The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6380

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6381
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6381

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6382
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6382

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6383
CVE STATUS: Patched
CVE SUMMARY: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6383

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6431
CVE STATUS: Patched
CVE SUMMARY: The fib6_add function in net/ipv6/ip6_fib.c in the Linux kernel before 3.11.5 does not properly implement error-code encoding, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for an IPv6 SIOCADDRT ioctl call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6431

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6432
CVE STATUS: Patched
CVE SUMMARY: The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel before 3.12.4 does not properly interact with read system calls on ping sockets, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging unspecified privileges to execute a crafted application.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6432

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-6763
CVE STATUS: Patched
CVE SUMMARY: The uio_mmap_physical function in drivers/uio/uio.c in the Linux kernel before 3.12 does not validate the size of a memory block, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted mmap operations, a different vulnerability than CVE-2013-4511.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6763

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7026
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7026

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7027
CVE STATUS: Patched
CVE SUMMARY: The ieee80211_radiotap_iterator_init function in net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check whether a frame contains any data outside of the header, which might allow attackers to cause a denial of service (buffer over-read) via a crafted header.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7027

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7263
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7263

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7264
CVE STATUS: Patched
CVE SUMMARY: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7264

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7265
CVE STATUS: Patched
CVE SUMMARY: The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7265

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7266
CVE STATUS: Patched
CVE SUMMARY: The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7266

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7267
CVE STATUS: Patched
CVE SUMMARY: The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7267

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7268
CVE STATUS: Patched
CVE SUMMARY: The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7268

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7269
CVE STATUS: Patched
CVE SUMMARY: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7269

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7270
CVE STATUS: Patched
CVE SUMMARY: The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7270

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7271
CVE STATUS: Patched
CVE SUMMARY: The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7271

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7281
CVE STATUS: Patched
CVE SUMMARY: The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7281

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7339
CVE STATUS: Patched
CVE SUMMARY: The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7339

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7348
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the ioctx_alloc function in fs/aio.c in the Linux kernel before 3.12.4 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via vectors involving an error condition in the aio_setup_ring function.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7348

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7421
CVE STATUS: Patched
CVE SUMMARY: The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7421

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7445
CVE STATUS: Patched
CVE SUMMARY: The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7445

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7446
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel before 4.3.3 allows local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7446

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2013-7470
CVE STATUS: Patched
CVE SUMMARY: cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7470

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0038
CVE STATUS: Patched
CVE SUMMARY: The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0038

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0049
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data.
CVSS v2 BASE SCORE: 7.4
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0049

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0069
CVE STATUS: Patched
CVE SUMMARY: The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0069

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0077
CVE STATUS: Patched
CVE SUMMARY: drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.
CVSS v2 BASE SCORE: 5.5
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:S/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0100
CVE STATUS: Patched
CVE SUMMARY: Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0100

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0101
CVE STATUS: Patched
CVE SUMMARY: The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0101

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0102
CVE STATUS: Patched
CVE SUMMARY: The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0102

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0131
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0131

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0155
CVE STATUS: Patched
CVE SUMMARY: The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC.  NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced.
CVSS v2 BASE SCORE: 5.5
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0155

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0181
CVE STATUS: Patched
CVE SUMMARY: The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0181

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0196
CVE STATUS: Patched
CVE SUMMARY: The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0196

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0203
CVE STATUS: Patched
CVE SUMMARY: The __do_follow_link function in fs/namei.c in the Linux kernel before 2.6.33 does not properly handle the last pathname component during use of certain filesystems, which allows local users to cause a denial of service (incorrect free operations and system crash) via an open system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0203

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0205
CVE STATUS: Patched
CVE SUMMARY: The futex_wait function in kernel/futex.c in the Linux kernel before 2.6.37 does not properly maintain a certain reference count during requeue operations, which allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that triggers a zero count.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0205

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-0206
CVE STATUS: Patched
CVE SUMMARY: Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0206

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-1438
CVE STATUS: Patched
CVE SUMMARY: The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1438

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-1444
CVE STATUS: Patched
CVE SUMMARY: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call.
CVSS v2 BASE SCORE: 1.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1444

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-1445
CVE STATUS: Patched
CVE SUMMARY: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1445

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-1446
CVE STATUS: Patched
CVE SUMMARY: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1446

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-1690
CVE STATUS: Patched
CVE SUMMARY: The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1690

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-1737
CVE STATUS: Patched
CVE SUMMARY: The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1737

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-1738
CVE STATUS: Patched
CVE SUMMARY: The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1738

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-1739
CVE STATUS: Patched
CVE SUMMARY: The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1739

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-1874
CVE STATUS: Patched
CVE SUMMARY: The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1874

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2038
CVE STATUS: Patched
CVE SUMMARY: The nfs_can_extend_write function in fs/nfs/write.c in the Linux kernel before 3.13.3 relies on a write delegation to extend a write operation without a certain up-to-date verification, which allows local users to obtain sensitive information from kernel memory in opportunistic circumstances by writing to a file in an NFS filesystem and then reading the same file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2038

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2039
CVE STATUS: Patched
CVE SUMMARY: arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2309
CVE STATUS: Patched
CVE SUMMARY: The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2309

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2523
CVE STATUS: Patched
CVE SUMMARY: net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2523

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2568
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the nfqnl_zcopy function in net/netfilter/nfnetlink_queue_core.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. NOTE: the affected code was moved to the skb_zerocopy function in net/core/skbuff.c before the vulnerability was announced.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2568

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2672
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a large amount of network traffic that triggers certain list deletions.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2672

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2673
CVE STATUS: Patched
CVE SUMMARY: The arch_dup_task_struct function in the Transactional Memory (TM) implementation in arch/powerpc/kernel/process.c in the Linux kernel before 3.13.7 on the powerpc platform does not properly interact with the clone and fork system calls, which allows local users to cause a denial of service (Program Check and system crash) via certain instructions that are executed with the processor in the Transactional state.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2673

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2678
CVE STATUS: Patched
CVE SUMMARY: The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2678

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2706
CVE STATUS: Patched
CVE SUMMARY: Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2706

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2739
CVE STATUS: Patched
CVE SUMMARY: The cma_req_handler function in drivers/infiniband/core/cma.c in the Linux kernel 3.14.x through 3.14.1 attempts to resolve an RDMA over Converged Ethernet (aka RoCE) address that is properly resolved within a different module, which allows remote attackers to cause a denial of service (incorrect pointer dereference and system crash) via crafted network traffic.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2739

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2851
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2851

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-2889
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the bpf_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 3.1.8, when BPF JIT is enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges via a long jump after a conditional jump.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2889

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3122
CVE STATUS: Patched
CVE SUMMARY: The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3122

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3144
CVE STATUS: Patched
CVE SUMMARY: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions.  NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3144

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3145
CVE STATUS: Patched
CVE SUMMARY: The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions.  NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3145

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3153
CVE STATUS: Patched
CVE SUMMARY: The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3153

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3180
CVE STATUS: Patched
CVE SUMMARY: In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3180

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3181
CVE STATUS: Patched
CVE SUMMARY: Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3181

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3182
CVE STATUS: Patched
CVE SUMMARY: Array index error in the logi_dj_raw_event function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service (invalid kfree) via a crafted device that provides a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3182

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3183
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the logi_dj_ll_raw_request function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that specifies a large report size for an LED report.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3183

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3184
CVE STATUS: Patched
CVE SUMMARY: The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 might allow physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3184

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3185
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allow physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3185

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3186
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3186

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3534
CVE STATUS: Patched
CVE SUMMARY: arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a crafted application that makes a ptrace system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3534

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3535
CVE STATUS: Patched
CVE SUMMARY: include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and its related logging implementation, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) by sending invalid packets to a VxLAN interface.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3535

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3601
CVE STATUS: Patched
CVE SUMMARY: The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3601

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3610
CVE STATUS: Patched
CVE SUMMARY: The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3610

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3611
CVE STATUS: Patched
CVE SUMMARY: Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3611

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3631
CVE STATUS: Patched
CVE SUMMARY: The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3631

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3645
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3645

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3646
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3646

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3647
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3647

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3673
CVE STATUS: Patched
CVE SUMMARY: The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3673

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3687
CVE STATUS: Patched
CVE SUMMARY: The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3687

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3688
CVE STATUS: Patched
CVE SUMMARY: The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3688

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3690
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3690

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3917
CVE STATUS: Patched
CVE SUMMARY: kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3917

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-3940
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows local users to cause a denial of service (memory corruption or system crash) by accessing certain memory locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage migration, related to fs/proc/task_mmu.c and mm/mempolicy.c.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3940

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4014
CVE STATUS: Patched
CVE SUMMARY: The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4014

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4027
CVE STATUS: Patched
CVE SUMMARY: The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator.
CVSS v2 BASE SCORE: 2.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4027

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4157
CVE STATUS: Patched
CVE SUMMARY: arch/mips/include/asm/thread_info.h in the Linux kernel before 3.14.8 on the MIPS platform does not configure _TIF_SECCOMP checks on the fast system-call path, which allows local users to bypass intended PR_SET_SECCOMP restrictions by executing a crafted application without invoking a trace or audit subsystem.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4157

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4171
CVE STATUS: Patched
CVE SUMMARY: mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4171

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4322
CVE STATUS: Patched
CVE SUMMARY: drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4322

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4323
CVE STATUS: Patched
CVE SUMMARY: The mdp_lut_hw_update function in drivers/video/msm/mdp.c in the MDP display driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain start and length values within an ioctl call, which allows attackers to gain privileges via a crafted application.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4323

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4508
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4508

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4608
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run.  NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4608

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4611
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4611

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4652
CVE STATUS: Patched
CVE SUMMARY: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4652

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4653
CVE STATUS: Patched
CVE SUMMARY: sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4653

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4654
CVE STATUS: Patched
CVE SUMMARY: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4654

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4655
CVE STATUS: Patched
CVE SUMMARY: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4655

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4656
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4656

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4667
CVE STATUS: Patched
CVE SUMMARY: The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4667

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4699
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4699

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-4943
CVE STATUS: Patched
CVE SUMMARY: The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4943

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-5045
CVE STATUS: Patched
CVE SUMMARY: The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5045

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-5077
CVE STATUS: Patched
CVE SUMMARY: The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-5206
CVE STATUS: Patched
CVE SUMMARY: The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a "mount -o remount" command within a user namespace.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5206

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-5207
CVE STATUS: Patched
CVE SUMMARY: fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a "mount -o remount" command within a user namespace.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5207

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-5332
CVE STATUS: Patched
CVE SUMMARY: Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5332

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-5471
CVE STATUS: Patched
CVE SUMMARY: Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5471

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-5472
CVE STATUS: Patched
CVE SUMMARY: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5472

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-6410
CVE STATUS: Patched
CVE SUMMARY: The __udf_read_inode function in fs/udf/inode.c in the Linux kernel through 3.16.3 does not restrict the amount of ICB indirection, which allows physically proximate attackers to cause a denial of service (infinite loop or stack consumption) via a UDF filesystem with a crafted inode.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6410

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-6416
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a long unencrypted auth ticket.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6416

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-6417
CVE STATUS: Patched
CVE SUMMARY: net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly consider the possibility of kmalloc failure, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a long unencrypted auth ticket.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6417

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-6418
CVE STATUS: Patched
CVE SUMMARY: net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly validate auth replies, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via crafted data from the IP address of a Ceph Monitor.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6418

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7145
CVE STATUS: Patched
CVE SUMMARY: The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS referrals.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7145

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7207
CVE STATUS: Patched
CVE SUMMARY: A certain Debian patch to the IPv6 implementation in the Linux kernel 3.2.x through 3.2.63 does not properly validate arguments in ipv6_select_ident function calls, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging (1) tun or (2) macvtap device access.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7207

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7283
CVE STATUS: Patched
CVE SUMMARY: The xfs_da3_fixhashpath function in fs/xfs/xfs_da_btree.c in the xfs implementation in the Linux kernel before 3.14.2 does not properly compare btree hash values, which allows local users to cause a denial of service (filesystem corruption, and OOPS or panic) via operations on directories that have hash collisions, as demonstrated by rmdir operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7283

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7284
CVE STATUS: Patched
CVE SUMMARY: The net_get_random_once implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before 3.14.5 on certain Intel processors does not perform the intended slow-path operation to initialize random seeds, which makes it easier for remote attackers to spoof or disrupt IP communication by leveraging the predictability of TCP sequence numbers, TCP and UDP port numbers, and IP ID values.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7284

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7822
CVE STATUS: Patched
CVE SUMMARY: The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7822

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7825
CVE STATUS: Patched
CVE SUMMARY: kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7825

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7826
CVE STATUS: Patched
CVE SUMMARY: kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7826

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7841
CVE STATUS: Patched
CVE SUMMARY: The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7841

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7842
CVE STATUS: Patched
CVE SUMMARY: Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7842

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7843
CVE STATUS: Patched
CVE SUMMARY: The __clear_user function in arch/arm64/lib/clear_user.S in the Linux kernel before 3.17.4 on the ARM64 platform allows local users to cause a denial of service (system crash) by reading one byte beyond a /dev/zero page boundary.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7843

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7970
CVE STATUS: Patched
CVE SUMMARY: The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7970

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-7975
CVE STATUS: Patched
CVE SUMMARY: The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allows local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7975

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8086
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allows local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8086

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8133
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8133

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8134
CVE STATUS: Patched
CVE SUMMARY: The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8134

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8159
CVE STATUS: Patched
CVE SUMMARY: The InfiniBand (IB) implementation in the Linux kernel package before 2.6.32-504.12.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly restrict use of User Verbs for registration of memory regions, which allows local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8159

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8160
CVE STATUS: Patched
CVE SUMMARY: net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8160

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8171
CVE STATUS: Unpatched
CVE SUMMARY: The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8171

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8172
CVE STATUS: Patched
CVE SUMMARY: The filesystem implementation in the Linux kernel before 3.13 performs certain operations on lists of files with an inappropriate locking approach, which allows local users to cause a denial of service (soft lockup or system crash) via unspecified use of Asynchronous I/O (AIO) operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8172

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8173
CVE STATUS: Patched
CVE SUMMARY: The pmd_none_or_trans_huge_or_clear_bad function in include/asm-generic/pgtable.h in the Linux kernel before 3.13 on NUMA systems does not properly determine whether a Page Middle Directory (PMD) entry is a transparent huge-table entry, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted MADV_WILLNEED madvise system call that leverages the absence of a page-table lock.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8173

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8369
CVE STATUS: Patched
CVE SUMMARY: The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8369

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8480
CVE STATUS: Patched
CVE SUMMARY: The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 lacks intended decoder-table flags for certain RIP-relative instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8480

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8481
CVE STATUS: Patched
CVE SUMMARY: The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 does not properly handle invalid instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application that triggers (1) an improperly fetched instruction or (2) an instruction that occupies too many bytes.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8480.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8481

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8559
CVE STATUS: Patched
CVE SUMMARY: The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8559

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8709
CVE STATUS: Patched
CVE SUMMARY: The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8709

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8884
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-8989
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8989

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9090
CVE STATUS: Patched
CVE SUMMARY: The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9090

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9322
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9322

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9410
CVE STATUS: Patched
CVE SUMMARY: The vfe31_proc_general function in drivers/media/video/msm/vfe/msm_vfe31.c in the MSM-VFE31 driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate a certain id value, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 9.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9410

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9419
CVE STATUS: Patched
CVE SUMMARY: The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9419

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9420
CVE STATUS: Patched
CVE SUMMARY: The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9420

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9428
CVE STATUS: Patched
CVE SUMMARY: The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9428

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9529
CVE STATUS: Patched
CVE SUMMARY: Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9529

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9584
CVE STATUS: Patched
CVE SUMMARY: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9584

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9585
CVE STATUS: Patched
CVE SUMMARY: The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9585

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9644
CVE STATUS: Patched
CVE SUMMARY: The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9644

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9683
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9683

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9710
CVE STATUS: Patched
CVE SUMMARY: The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9710

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9715
CVE STATUS: Patched
CVE SUMMARY: include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension loading, as demonstrated by configuring a PPTP tunnel in a NAT environment.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9715

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9717
CVE STATUS: Patched
CVE SUMMARY: fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9717

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9728
CVE STATUS: Patched
CVE SUMMARY: The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths, which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9728

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9729
CVE STATUS: Patched
CVE SUMMARY: The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain data-structure size consistency, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9729

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9730
CVE STATUS: Patched
CVE SUMMARY: The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component lengths that are unused, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9730

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9731
CVE STATUS: Patched
CVE SUMMARY: The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \0 character, which allows local users to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and fs/udf/unicode.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9731

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9803
CVE STATUS: Patched
CVE SUMMARY: arch/arm64/include/asm/pgtable.h in the Linux kernel before 3.15-rc5-next-20140519, as used in Android before 2016-07-05 on Nexus 5X and 6P devices, mishandles execute-only pages, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28557020.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9803

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9870
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 3.11 on ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly consider user-space access to the TPIDRURW register, which allows local users to gain privileges via a crafted application, aka Android internal bug 28749743 and Qualcomm internal bug CR561044.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9870

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9888
CVE STATUS: Patched
CVE SUMMARY: arch/arm/mm/dma-mapping.c in the Linux kernel before 3.13 on ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not prevent executable DMA mappings, which might allow local users to gain privileges via a crafted application, aka Android internal bug 28803642 and Qualcomm internal bug CR642735.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9888

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9892
CVE STATUS: Patched
CVE SUMMARY: The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9892

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9895
CVE STATUS: Patched
CVE SUMMARY: drivers/media/media-device.c in the Linux kernel before 3.11, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize certain data structures, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28750150 and Qualcomm internal bug CR570757, a different vulnerability than CVE-2014-1739.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9900
CVE STATUS: Patched
CVE SUMMARY: The ethtool_get_wol function in net/core/ethtool.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not initialize a certain data structure, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28803952 and Qualcomm internal bug CR570754.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9900

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9903
CVE STATUS: Patched
CVE SUMMARY: The sched_read_attr function in kernel/sched/core.c in the Linux kernel 3.14-rc before 3.14-rc4 uses an incorrect size, which allows local users to obtain sensitive information from kernel stack memory via a crafted sched_getattr system call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9903

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9904
CVE STATUS: Patched
CVE SUMMARY: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.17 does not properly check for an integer overflow, which allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9914
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c in the Linux kernel before 3.15.2 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect expectations about locking during multithreaded access to internal data structures for IPv4 UDP sockets.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9922
CVE STATUS: Patched
CVE SUMMARY: The eCryptfs subsystem in the Linux kernel before 3.18 allows local users to gain privileges via a large filesystem stack that includes an overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9922

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2014-9940
CVE STATUS: Patched
CVE SUMMARY: The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9940

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-0239
CVE STATUS: Patched
CVE SUMMARY: The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0239

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-0274
CVE STATUS: Patched
CVE SUMMARY: The XFS implementation in the Linux kernel before 3.15 improperly uses an old size value during remote attribute replacement, which allows local users to cause a denial of service (transaction overrun and data corruption) or possibly gain privileges by leveraging XFS filesystem access.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0274

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-0275
CVE STATUS: Patched
CVE SUMMARY: The ext4_zero_range function in fs/ext4/extents.c in the Linux kernel before 4.1 allows local users to cause a denial of service (BUG) via a crafted fallocate zero-range request.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0275

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-0568
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the msm_set_crop function in drivers/media/video/msm/msm_camera.c in the MSM-Camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0568

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-0569
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the private wireless extensions IOCTL implementation in wlan_hdd_wext.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that establishes a packet filter.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0569

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-0570
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the SET_WPS_IE IOCTL implementation in wlan_hdd_hostapd.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that uses a long WPS IE element.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0570

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-0571
CVE STATUS: Patched
CVE SUMMARY: The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify authorization for private SET IOCTL calls, which allows attackers to gain privileges via a crafted application, related to wlan_hdd_hostapd.c and wlan_hdd_wext.c.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0571

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-0572
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in drivers/char/adsprpc.c and drivers/char/adsprpc_compat.c in the ADSPRPC driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service (zero-value write) or possibly have unspecified other impact via a COMPAT_FASTRPC_IOCTL_INVOKE_FD ioctl call.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0572

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-0573
CVE STATUS: Patched
CVE SUMMARY: drivers/media/platform/msm/broadcast/tsc.c in the TSC driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via a crafted application that makes a TSC_GET_CARD_STATUS ioctl call.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0573

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1328
CVE STATUS: Patched
CVE SUMMARY: The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1328

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1333
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the __key_link_end function in security/keys/keyring.c in the Linux kernel before 4.1.4 allows local users to cause a denial of service (memory consumption) via many add_key system calls that refer to existing keys.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1333

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1339
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the cuse_channel_release function in fs/fuse/cuse.c in the Linux kernel before 4.4 allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact by opening /dev/cuse many times.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1339

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1350
CVE STATUS: Patched
CVE SUMMARY: The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1350

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1420
CVE STATUS: Patched
CVE SUMMARY: Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1420

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1421
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel before 3.18.8 allows remote attackers to cause a denial of service (slab corruption and panic) or possibly have unspecified other impact by triggering an INIT collision that leads to improper handling of shared-key data.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1421

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1465
CVE STATUS: Patched
CVE SUMMARY: The IPv4 implementation in the Linux kernel before 3.18.8 does not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allows remote attackers to cause a denial of service (memory consumption or system crash) via a flood of packets.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1465

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1573
CVE STATUS: Patched
CVE SUMMARY: The nft_flush_table function in net/netfilter/nf_tables_api.c in the Linux kernel before 3.18.5 mishandles the interaction between cross-chain jumps and ruleset flushes, which allows local users to cause a denial of service (panic) by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1573

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1593
CVE STATUS: Patched
CVE SUMMARY: The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1593

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-1805
CVE STATUS: Patched
CVE SUMMARY: The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1805

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2041
CVE STATUS: Patched
CVE SUMMARY: net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2041

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2042
CVE STATUS: Patched
CVE SUMMARY: net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2042

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2150
CVE STATUS: Patched
CVE SUMMARY: Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest OS users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2150

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2666
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2666

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2672
CVE STATUS: Patched
CVE SUMMARY: The xsave/xrstor implementation in arch/x86/include/asm/xsave.h in the Linux kernel before 3.19.2 creates certain .altinstr_replacement pointers and consequently does not provide any protection against instruction faulting, which allows local users to cause a denial of service (panic) by triggering a fault, as demonstrated by an unaligned memory operand or a non-canonical address memory operand.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2672

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2686
CVE STATUS: Patched
CVE SUMMARY: net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate certain range data for (1) sendto and (2) recvfrom system calls, which allows local users to gain privileges by leveraging a subsystem that uses the copy_from_iter function in the iov_iter interface, as demonstrated by the Bluetooth subsystem.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2686

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2830
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2830

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2877
CVE STATUS: Patched
CVE SUMMARY: Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack.  NOTE: the vendor states "Basically if you care about this attack vector, disable deduplication." Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2877

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2922
CVE STATUS: Patched
CVE SUMMARY: The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2922

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-2925
CVE STATUS: Patched
CVE SUMMARY: The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack."
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2925

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-3212
CVE STATUS: Patched
CVE SUMMARY: Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 allows local users to cause a denial of service (list corruption and panic) via a rapid series of system calls related to sockets, as demonstrated by setsockopt calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3212

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-3214
CVE STATUS: Patched
CVE SUMMARY: The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3214

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-3288
CVE STATUS: Patched
CVE SUMMARY: mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous pages, which allows local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3288

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-3290
CVE STATUS: Patched
CVE SUMMARY: arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform improperly relies on espfix64 during nested NMI processing, which allows local users to gain privileges by triggering an NMI within a certain instruction window.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3290

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-3291
CVE STATUS: Patched
CVE SUMMARY: arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform does not properly determine when nested NMI processing is occurring, which allows local users to cause a denial of service (skipped NMI) by modifying the rsp register, issuing a syscall instruction, and triggering an NMI.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3291

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-3331
CVE STATUS: Patched
CVE SUMMARY: The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3331

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-3332
CVE STATUS: Patched
CVE SUMMARY: A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3332

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-3339
CVE STATUS: Patched
CVE SUMMARY: Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3339

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-3636
CVE STATUS: Patched
CVE SUMMARY: The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3636

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4001
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted packet.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4002
CVE STATUS: Patched
CVE SUMMARY: drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 does not ensure that certain length values are sufficiently large, which allows remote attackers to cause a denial of service (system crash or large loop) or possibly execute arbitrary code via a crafted packet, related to the (1) oz_usb_rx and (2) oz_usb_handle_ep_data functions.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4003
CVE STATUS: Patched
CVE SUMMARY: The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via a crafted packet.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4003

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4004
CVE STATUS: Patched
CVE SUMMARY: The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet.
CVSS v2 BASE SCORE: 8.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4004

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4036
CVE STATUS: Patched
CVE SUMMARY: Array index error in the tcm_vhost_make_tpg function in drivers/vhost/scsi.c in the Linux kernel before 4.0 might allow guest OS users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted VHOST_SCSI_SET_ENDPOINT ioctl call.  NOTE: the affected function was renamed to vhost_scsi_make_tpg before the vulnerability was announced.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4036

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4167
CVE STATUS: Patched
CVE SUMMARY: The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.19.1 does not validate certain length values, which allows local users to cause a denial of service (incorrect data representation or integer overflow, and OOPS) via a crafted UDF filesystem.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4167

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4170
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem.c in the Linux kernel before 3.13-rc4-next-20131218 allows local users to cause a denial of service (ldsem_down_read and ldsem_down_write deadlock) by establishing a new tty thread during shutdown of a previous tty thread.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4170

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4176
CVE STATUS: Patched
CVE SUMMARY: fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4176

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4177
CVE STATUS: Patched
CVE SUMMARY: The collect_mounts function in fs/namespace.c in the Linux kernel before 4.0.5 does not properly consider that it may execute after a path has been unmounted, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4177

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4178
CVE STATUS: Patched
CVE SUMMARY: The fs_pin implementation in the Linux kernel before 4.0.5 does not ensure the internal consistency of a certain list data structure, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call, related to fs/fs_pin.c and include/linux/fs_pin.h.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4178

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4692
CVE STATUS: Patched
CVE SUMMARY: The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4692

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-4700
CVE STATUS: Patched
CVE SUMMARY: The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 4.0.6 allows local users to cause a denial of service (system crash) by creating a packet filter and then loading crafted BPF instructions that trigger late convergence by the JIT compiler.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4700

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5156
CVE STATUS: Patched
CVE SUMMARY: The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5156

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5157
CVE STATUS: Patched
CVE SUMMARY: arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5157

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5257
CVE STATUS: Patched
CVE SUMMARY: drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted USB device.  NOTE: this ID was incorrectly used for an Apache Cordova issue that has the correct ID of CVE-2015-8320.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5257

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5283
CVE STATUS: Patched
CVE SUMMARY: The sctp_init function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence of protocol-initialization steps, which allows local users to cause a denial of service (panic or memory corruption) by creating SCTP sockets before all of the steps have finished.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5283

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5307
CVE STATUS: Patched
CVE SUMMARY: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5307

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5327
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5327

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5364
CVE STATUS: Patched
CVE SUMMARY: The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5364

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5366
CVE STATUS: Patched
CVE SUMMARY: The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 provide inappropriate -EAGAIN return values, which allows remote attackers to cause a denial of service (EPOLLET epoll application read outage) via an incorrect checksum in a UDP packet, a different vulnerability than CVE-2015-5364.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5366

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5697
CVE STATUS: Patched
CVE SUMMARY: The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5697

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5706
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the path_openat function in fs/namei.c in the Linux kernel 3.x and 4.x before 4.0.4 allows local users to cause a denial of service or possibly have unspecified other impact via O_TMPFILE filesystem operations that leverage a duplicate cleanup operation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5706

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-5707
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5707

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-6252
CVE STATUS: Patched
CVE SUMMARY: The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6252

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-6526
CVE STATUS: Patched
CVE SUMMARY: The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c in the Linux kernel before 4.0.2 on ppc64 platforms allows local users to cause a denial of service (infinite loop) via a deep 64-bit userspace backtrace.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6526

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-6937
CVE STATUS: Patched
CVE SUMMARY: The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6937

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7312
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in the Advanced Union Filesystem (aufs) aufs3-mmap.patch and aufs4-mmap.patch patches for the Linux kernel 3.x and 4.x allow local users to cause a denial of service (use-after-free and BUG) or possibly gain privileges via a (1) madvise or (2) msync system call, related to mm/madvise.c and mm/msync.c.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7312

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7509
CVE STATUS: Patched
CVE SUMMARY: fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7509

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7513
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the PIT counter values during state restoration, which allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7513

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7515
CVE STATUS: Patched
CVE SUMMARY: The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel before 4.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7515

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7550
CVE STATUS: Patched
CVE SUMMARY: The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7550

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7566
CVE STATUS: Patched
CVE SUMMARY: The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7566

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7613
CVE STATUS: Patched
CVE SUMMARY: Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7613

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7799
CVE STATUS: Patched
CVE SUMMARY: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7799

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7872
CVE STATUS: Patched
CVE SUMMARY: The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7872

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7884
CVE STATUS: Patched
CVE SUMMARY: The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 2.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7885
CVE STATUS: Patched
CVE SUMMARY: The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 2.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7885

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-7990
CVE STATUS: Patched
CVE SUMMARY: Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel before 4.3.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937.
CVSS v2 BASE SCORE: 5.9
CVSS v3 BASE SCORE: 5.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7990

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8019
CVE STATUS: Patched
CVE SUMMARY: The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c in the Linux kernel 3.14.54 and 3.18.22 does not accept a length argument, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write system call followed by a recvmsg system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8019

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8104
CVE STATUS: Patched
CVE SUMMARY: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8104

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8215
CVE STATUS: Patched
CVE SUMMARY: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272.  NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8215

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8324
CVE STATUS: Patched
CVE SUMMARY: The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of certain data structures, which allows physically proximate attackers to cause a denial of service (NULL pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8324

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8374
CVE STATUS: Patched
CVE SUMMARY: fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8374

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8539
CVE STATUS: Patched
CVE SUMMARY: The KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8539

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8543
CVE STATUS: Patched
CVE SUMMARY: The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8543

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8551
CVE STATUS: Patched
CVE SUMMARY: The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity checks."
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8551

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8569
CVE STATUS: Patched
CVE SUMMARY: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 2.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8569

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8575
CVE STATUS: Patched
CVE SUMMARY: The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel before 4.3.4 does not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8575

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8660
CVE STATUS: Patched
CVE SUMMARY: The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8709
CVE STATUS: Patched
CVE SUMMARY: kernel/ptrace.c in the Linux kernel through 4.4.1 mishandles uid and gid mappings, which allows local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call.  NOTE: the vendor states "there is no kernel bug here.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8709

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8746
CVE STATUS: Patched
CVE SUMMARY: fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 does not properly initialize memory for migration recovery operations, which allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) via crafted network traffic.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8746

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8767
CVE STATUS: Patched
CVE SUMMARY: net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted sctp_accept call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8767

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8785
CVE STATUS: Patched
CVE SUMMARY: The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8785

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8787
CVE STATUS: Patched
CVE SUMMARY: The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8787

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8812
CVE STATUS: Patched
CVE SUMMARY: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8812

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8816
CVE STATUS: Patched
CVE SUMMARY: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8816

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8830
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.  NOTE: this vulnerability exists because of a CVE-2012-6701 regression.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8830

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8839
CVE STATUS: Patched
CVE SUMMARY: Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local users to cause a denial of service (disk corruption) by writing to a page that is associated with a different user's file after unsynchronized hole punching and page-fault handling.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8839

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8844
CVE STATUS: Patched
CVE SUMMARY: The signal implementation in the Linux kernel before 4.3.5 on powerpc platforms does not check for an MSR with both the S and T bits set, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8844

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8845
CVE STATUS: Patched
CVE SUMMARY: The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8845

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8944
CVE STATUS: Patched
CVE SUMMARY: The ioresources_init function in kernel/resource.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak permissions for /proc/iomem, which allows local users to obtain sensitive information by reading this file, aka Android internal bug 28814213 and Qualcomm internal bug CR786116. NOTE: the permissions may be intentional in most non-Android contexts.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8944

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8950
CVE STATUS: Patched
CVE SUMMARY: arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used in the ION subsystem in Android and other products, does not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory by triggering a dma_mmap call.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8950

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8952
CVE STATUS: Patched
CVE SUMMARY: The mbcache feature in the ext2 and ext4 filesystem implementations in the Linux kernel before 4.6 mishandles xattr block caching, which allows local users to cause a denial of service (soft lockup) via filesystem operations in environments that use many attributes, as demonstrated by Ceph and Samba.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8952

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8953
CVE STATUS: Patched
CVE SUMMARY: fs/overlayfs/copy_up.c in the Linux kernel before 4.2.6 uses an incorrect cleanup code path, which allows local users to cause a denial of service (dentry reference leak) via filesystem operations on a large file in a lower overlayfs layer.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8953

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8955
CVE STATUS: Patched
CVE SUMMARY: arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 platforms allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via vectors involving events that are mishandled during a span of multiple HW PMUs.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8955

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8956
CVE STATUS: Patched
CVE SUMMARY: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8956

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8961
CVE STATUS: Patched
CVE SUMMARY: The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8961

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8962
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8962

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8963
CVE STATUS: Patched
CVE SUMMARY: Race condition in kernel/events/core.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8963

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8964
CVE STATUS: Patched
CVE SUMMARY: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8964

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8966
CVE STATUS: Patched
CVE SUMMARY: arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allows local users to gain privileges via a crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3) F_OFD_SETLKW command in an fcntl64 system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8966

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8967
CVE STATUS: Patched
CVE SUMMARY: arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local users to bypass the "strict page permissions" protection mechanism and modify the system-call table, and consequently gain privileges, by leveraging write access.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8967

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-8970
CVE STATUS: Patched
CVE SUMMARY: crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8970

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-9004
CVE STATUS: Patched
CVE SUMMARY: kernel/events/core.c in the Linux kernel before 3.19 mishandles counter grouping, which allows local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9004

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2015-9289
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9289

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-0723
CVE STATUS: Patched
CVE SUMMARY: Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0723

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-0728
CVE STATUS: Patched
CVE SUMMARY: The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0728

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-0758
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in lib/asn1_decoder.c in the Linux kernel before 4.6 allows local users to gain privileges via crafted ASN.1 data.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0758

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-0774
CVE STATUS: Unpatched
CVE SUMMARY: The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun." NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-1805.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0774

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-0821
CVE STATUS: Patched
CVE SUMMARY: The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3, as used in Android 6.0.1 before 2016-03-01, does not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialized list entry, aka Android internal bug 26186802, a different vulnerability than CVE-2015-3636.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0821

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-0823
CVE STATUS: Patched
CVE SUMMARY: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allows local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0823

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10044
CVE STATUS: Patched
CVE SUMMARY: The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10044

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10088
CVE STATUS: Patched
CVE SUMMARY: The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10088

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10147
CVE STATUS: Patched
CVE SUMMARY: crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10147

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10150
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10150

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10153
CVE STATUS: Patched
CVE SUMMARY: The crypto scatterlist API in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging reliance on earlier net/ceph/crypto.c code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10153

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10154
CVE STATUS: Patched
CVE SUMMARY: The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10154

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10200
CVE STATUS: Patched
CVE SUMMARY: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10200

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10208
CVE STATUS: Patched
CVE SUMMARY: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10208

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10229
CVE STATUS: Patched
CVE SUMMARY: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10229

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10277
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Motorola bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33840490.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10277

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10283
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32094986. References: QC-CR#2002052.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10283

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10284
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402303. References: QC-CR#2000664.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10284

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10285
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33752702. References: QC-CR#1104899.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10285

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10286
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35400904. References: QC-CR#1090237.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10286

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10287
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33784446. References: QC-CR#1112751.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10287

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10288
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm LED driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33863909. References: QC-CR#1109763.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10288

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10289
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33899710. References: QC-CR#1116295.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10289

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10290
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm shared memory driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33898330. References: QC-CR#1109782.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10290

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10291
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Slimbus driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-34030871. References: QC-CR#986837.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10291

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10292
CVE STATUS: Patched
CVE SUMMARY: A denial of service vulnerability in the Qualcomm Wi-Fi driver could enable a proximate attacker to cause a denial of service in the Wi-Fi subsystem. This issue is rated as High due to the possibility of remote denial of service. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34514463. References: QC-CR#1065466.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10292

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10293
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33352393. References: QC-CR#1101943.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10293

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10294
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm power driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33621829. References: QC-CR#1105481.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10294

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10295
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm LED driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33781694. References: QC-CR#1109326.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10295

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10296
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm shared memory driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33845464. References: QC-CR#1109782.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10296

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10318
CVE STATUS: Patched
CVE SUMMARY: A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10318

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10723
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurrent page fault events) when the global OOM killer is invoked. NOTE: the software maintainer has not accepted certain proposed patches, in part because of a viewpoint that "the underlying problem is non-trivial to handle.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10723

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10741
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10764
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.9.6, there is an off by one in the drivers/mtd/spi-nor/cadence-quadspi.c cqspi_setup_flash() function. There are CQSPI_MAX_CHIPSELECT elements in the ->f_pdata array so the ">" should be ">=" instead.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10764

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10905
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by the functions gfs2_clear_rgrpd and read_rindex_entry.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10905

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10906
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the Linux kernel before 4.5. A use-after-free is caused by a race condition between the functions arc_emac_tx and arc_emac_tx_clean.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10906

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-10907
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/iio/dac/ad5755.c in the Linux kernel before 4.8.6. There is an out of bounds write in the function ad5755_parse_dt.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10907

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-1237
CVE STATUS: Patched
CVE SUMMARY: nfsd in the Linux kernel through 4.6.3 allows local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1237

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-1575
CVE STATUS: Patched
CVE SUMMARY: The overlayfs implementation in the Linux kernel through 4.5.2 does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1575

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-1576
CVE STATUS: Patched
CVE SUMMARY: The overlayfs implementation in the Linux kernel through 4.5.2 does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an overlayfs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1576

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-1583
CVE STATUS: Patched
CVE SUMMARY: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1583

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2053
CVE STATUS: Patched
CVE SUMMARY: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2059
CVE STATUS: Patched
CVE SUMMARY: The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a client port, which allows attackers to gain privileges or cause a denial of service (race condition and list corruption) by making many BIND_CONTROL_PORT ioctl calls.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2059

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2061
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the MSM V4L2 video driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (array overflow and memory corruption) via a crafted application that triggers an msm_isp_axi_create_stream call.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2061

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2062
CVE STATUS: Patched
CVE SUMMARY: The adreno_perfcounter_query_group function in drivers/gpu/msm/adreno_perfcounter.c in the Adreno GPU driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, uses an incorrect integer data type, which allows attackers to cause a denial of service (integer overflow, heap-based buffer overflow, and incorrect memory allocation) or possibly have unspecified other impact via a crafted IOCTL_KGSL_PERFCOUNTER_QUERY ioctl call.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2062

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2063
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the supply_lm_input_write function in drivers/thermal/supply_lm_core.c in the MSM Thermal driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted application that sends a large amount of data through the debugfs interface.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2063

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2064
CVE STATUS: Patched
CVE SUMMARY: sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted application that makes an ioctl call specifying many commands.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2064

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2065
CVE STATUS: Patched
CVE SUMMARY: sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (out-of-bounds write and memory corruption) or possibly have unspecified other impact via a crafted application that makes an ioctl call triggering incorrect use of a parameters pointer.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2065

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2066
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application that makes an ioctl call.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2067
CVE STATUS: Patched
CVE SUMMARY: drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka GPU driver) for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, mishandles the KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers to gain privileges by leveraging accidental read-write mappings, aka Qualcomm internal bug CR988993.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2067

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2068
CVE STATUS: Patched
CVE SUMMARY: The MSM QDSP6 audio driver (aka sound driver) for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (integer overflow, and buffer overflow or buffer over-read) via a crafted application that performs a (1) AUDIO_EFFECTS_WRITE or (2) AUDIO_EFFECTS_READ operation, aka Qualcomm internal bug CR1006609.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2068

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2069
CVE STATUS: Patched
CVE SUMMARY: Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2069

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2070
CVE STATUS: Patched
CVE SUMMARY: The tcp_cwnd_reduction function in net/ipv4/tcp_input.c in the Linux kernel before 4.3.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via crafted TCP traffic.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2070

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2085
CVE STATUS: Patched
CVE SUMMARY: The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2085

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2117
CVE STATUS: Patched
CVE SUMMARY: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2117

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2143
CVE STATUS: Patched
CVE SUMMARY: The fork implementation in the Linux kernel before 4.5 on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2143

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2184
CVE STATUS: Patched
CVE SUMMARY: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2184

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2185
CVE STATUS: Patched
CVE SUMMARY: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2185

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2186
CVE STATUS: Patched
CVE SUMMARY: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2186

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2187
CVE STATUS: Patched
CVE SUMMARY: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2187

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2188
CVE STATUS: Patched
CVE SUMMARY: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2188

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2383
CVE STATUS: Patched
CVE SUMMARY: The adjust_branches function in kernel/bpf/verifier.c in the Linux kernel before 4.5 does not consider the delta in the backward-jump case, which allows local users to obtain sensitive information from kernel memory by creating a packet filter and then loading crafted BPF instructions.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2383

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2384
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2384

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2543
CVE STATUS: Patched
CVE SUMMARY: The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2543

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2544
CVE STATUS: Patched
CVE SUMMARY: Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2544

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2545
CVE STATUS: Patched
CVE SUMMARY: The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2545

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2546
CVE STATUS: Patched
CVE SUMMARY: sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2546

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2547
CVE STATUS: Patched
CVE SUMMARY: sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2547

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2548
CVE STATUS: Patched
CVE SUMMARY: sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2548

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2549
CVE STATUS: Patched
CVE SUMMARY: sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which allows local users to cause a denial of service (deadlock) via a crafted ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2549

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2550
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2550

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2782
CVE STATUS: Patched
CVE SUMMARY: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2782

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2847
CVE STATUS: Patched
CVE SUMMARY: fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2847

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2853
CVE STATUS: Patched
CVE SUMMARY: The aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2853

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-2854
CVE STATUS: Patched
CVE SUMMARY: The aufs module for the Linux kernel 3.x and 4.x does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2854

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3070
CVE STATUS: Patched
CVE SUMMARY: The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3070

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3134
CVE STATUS: Patched
CVE SUMMARY: The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3134

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3135
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the xt_alloc_table_info function in net/netfilter/x_tables.c in the Linux kernel through 4.5.2 on 32-bit platforms allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3135

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3136
CVE STATUS: Patched
CVE SUMMARY: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3136

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3137
CVE STATUS: Patched
CVE SUMMARY: drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3137

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3138
CVE STATUS: Patched
CVE SUMMARY: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3138

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3139
CVE STATUS: Patched
CVE SUMMARY: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3139

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3140
CVE STATUS: Patched
CVE SUMMARY: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3140

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3156
CVE STATUS: Patched
CVE SUMMARY: The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3156

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3672
CVE STATUS: Patched
CVE SUMMARY: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3672

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3689
CVE STATUS: Patched
CVE SUMMARY: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3689

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3695
CVE STATUS: Unpatched
CVE SUMMARY: The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3695

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3699
CVE STATUS: Unpatched
CVE SUMMARY: The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3699

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3713
CVE STATUS: Patched
CVE SUMMARY: The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8, which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain sensitive information or cause a denial of service (system crash), via a crafted ioctl call.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3713

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3841
CVE STATUS: Patched
CVE SUMMARY: The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3841

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3951
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-3955
CVE STATUS: Patched
CVE SUMMARY: The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3955

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4440
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/vmx.c in the Linux kernel through 4.6.3 mishandles the APICv on/off state, which allows guest OS users to obtain direct APIC MSR access on the host OS, and consequently cause a denial of service (host OS crash) or possibly execute arbitrary code on the host OS, via x2APIC mode.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4440

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4470
CVE STATUS: Patched
CVE SUMMARY: The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4470

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4482
CVE STATUS: Patched
CVE SUMMARY: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4482

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4485
CVE STATUS: Patched
CVE SUMMARY: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4485

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4486
CVE STATUS: Patched
CVE SUMMARY: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4486

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4557
CVE STATUS: Patched
CVE SUMMARY: The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4557

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4558
CVE STATUS: Patched
CVE SUMMARY: The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 Gb of memory, related to the program reference count or (2) a 1 Tb system, related to the map reference count.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4558

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4565
CVE STATUS: Patched
CVE SUMMARY: The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4565

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4568
CVE STATUS: Patched
CVE SUMMARY: drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux kernel before 4.5.3 allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a crafted number of planes in a VIDIOC_DQBUF ioctl call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4568

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4569
CVE STATUS: Patched
CVE SUMMARY: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4569

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4578
CVE STATUS: Patched
CVE SUMMARY: sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4578

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4580
CVE STATUS: Patched
CVE SUMMARY: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4580

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4581
CVE STATUS: Patched
CVE SUMMARY: fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4581

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4794
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4794

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4805
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4805

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4913
CVE STATUS: Patched
CVE SUMMARY: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4951
CVE STATUS: Patched
CVE SUMMARY: The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4997
CVE STATUS: Patched
CVE SUMMARY: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-4998
CVE STATUS: Patched
CVE SUMMARY: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4998

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5195
CVE STATUS: Patched
CVE SUMMARY: Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5195

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5243
CVE STATUS: Patched
CVE SUMMARY: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel through 4.6.3 does not properly copy a certain string, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5243

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5244
CVE STATUS: Patched
CVE SUMMARY: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5244

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5340
CVE STATUS: Patched
CVE SUMMARY: The is_ashmem_file function in drivers/staging/android/ashmem.c in a certain Qualcomm Innovation Center (QuIC) Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5340

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5342
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the wcnss_wlan_write function in drivers/net/wireless/wcnss/wcnss_wlan.c in the wcnss_wlan device driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact by writing to /dev/wcnss_wlan with an unexpected amount of data.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5342

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5343
CVE STATUS: Patched
CVE SUMMARY: drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write request, as demonstrated by a voice_svc_send_req buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5343

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5344
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the MDSS driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service or possibly have unspecified other impact via a large size value, related to mdss_compat_utils.c, mdss_fb.c, and mdss_rotator.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5344

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5400
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the airspy_probe function in drivers/media/usb/airspy/airspy.c in the airspy USB driver in the Linux kernel before 4.7 allows local users to cause a denial of service (memory consumption) via a crafted USB device that emulates many VFL_TYPE_SDR or VFL_TYPE_SUBDEV devices and performs many connect and disconnect operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5400

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5412
CVE STATUS: Patched
CVE SUMMARY: arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4.7 on PowerPC platforms, when CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS users to cause a denial of service (host OS infinite loop) by making a H_CEDE hypercall during the existence of a suspended transaction.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5412

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5696
CVE STATUS: Patched
CVE SUMMARY: net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5696

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5728
CVE STATUS: Patched
CVE SUMMARY: Race condition in the vop_ioctl function in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (memory corruption and system crash) by changing a certain header, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5728

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5828
CVE STATUS: Patched
CVE SUMMARY: The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc platforms mishandles transactional state, which allows local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5828

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5829
CVE STATUS: Patched
CVE SUMMARY: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5829

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5856
CVE STATUS: Patched
CVE SUMMARY: Drivers/soc/qcom/spcom.c in the Qualcomm SPCom driver in the Android kernel 2017-03-05 allows local users to gain privileges, a different vulnerability than CVE-2016-5857.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5856

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-5870
CVE STATUS: Patched
CVE SUMMARY: The msm_ipc_router_close function in net/ipc_router/ipc_router_socket.c in the ipc_router component for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact by triggering failure of an accept system call for an AF_MSM_IPC socket.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5870

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6130
CVE STATUS: Patched
CVE SUMMARY: Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6130

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6136
CVE STATUS: Patched
CVE SUMMARY: Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6136

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6156
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ec_device_ioctl_xcmd function in drivers/platform/chrome/cros_ec_dev.c in the Linux kernel before 4.7 allows local users to cause a denial of service (out-of-bounds array access) by changing a certain size value, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6156

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6162
CVE STATUS: Patched
CVE SUMMARY: net/core/skbuff.c in the Linux kernel 4.7-rc6 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via certain IPv6 socket operations.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6187
CVE STATUS: Patched
CVE SUMMARY: The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6187

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6197
CVE STATUS: Patched
CVE SUMMARY: fs/overlayfs/dir.c in the OverlayFS filesystem implementation in the Linux kernel before 4.6 does not properly verify the upper dentry before proceeding with unlink and rename system-call processing, which allows local users to cause a denial of service (system crash) via a rename system call that specifies a self-hardlink.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6197

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6198
CVE STATUS: Patched
CVE SUMMARY: The filesystem layer in the Linux kernel before 4.5.5 proceeds with post-rename operations after an OverlayFS file is renamed to a self-hardlink, which allows local users to cause a denial of service (system crash) via a rename system call, related to fs/namei.c and fs/open.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6198

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6213
CVE STATUS: Patched
CVE SUMMARY: fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6213

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6327
CVE STATUS: Patched
CVE SUMMARY: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6327

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6480
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6480

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6516
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ioctl_file_dedupe_range function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (heap-based buffer overflow) or possibly gain privileges by changing a certain count value, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6516

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6755
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30740545. References: QC-CR#1065916.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6755

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6756
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in Qualcomm components including the camera driver and video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29464815. References: QC-CR#1042068.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6756

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6757
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in Qualcomm components including the camera driver and video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30148242. References: QC-CR#1052821.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6757

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6758
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30148882. References: QC-CR#1071731.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6758

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6759
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29982686. References: QC-CR#1055766.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6759

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6760
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29617572. References: QC-CR#1055783.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6760

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6761
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29421682. References: QC-CR#1055792.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6761

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6775
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31222873. References: N-CVE-2016-6775.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6775

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6776
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31680980. References: N-CVE-2016-6776.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6776

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6777
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31910462. References: N-CVE-2016-6777.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6777

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6778
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31384646.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6778

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6779
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31386004.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6779

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6780
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31251496.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6780

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6781
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31095175. References: MT-ALPS02943455.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6781

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6782
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31224389. References: MT-ALPS02943506.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6782

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6785
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31748056. References: MT-ALPS02961400.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6785

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6786
CVE STATUS: Patched
CVE SUMMARY: kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6786

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6787
CVE STATUS: Patched
CVE SUMMARY: kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 31095224.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6787

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6789
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx) could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.18. Android ID: A-31251973. References: N-CVE-2016-6789.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6789

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6790
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx) could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.18. Android ID: A-31251628. References: N-CVE-2016-6790.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6790

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6791
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31252384. References: QC-CR#1071809.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6791

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-6828
CVE STATUS: Patched
CVE SUMMARY: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6828

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7039
CVE STATUS: Patched
CVE SUMMARY: The IP stack in the Linux kernel through 4.8.2 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for large crafted packets, as demonstrated by packets that contain only VLAN headers, a related issue to CVE-2016-8666.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7042
CVE STATUS: Patched
CVE SUMMARY: The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7042

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7097
CVE STATUS: Patched
CVE SUMMARY: The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7097

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7117
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7117

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7425
CVE STATUS: Patched
CVE SUMMARY: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7425

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7910
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7911
CVE STATUS: Patched
CVE SUMMARY: Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7912
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the ffs_user_copy_worker function in drivers/usb/gadget/function/f_fs.c in the Linux kernel before 4.5.3 allows local users to gain privileges by accessing an I/O data structure after a certain callback call.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7913
CVE STATUS: Patched
CVE SUMMARY: The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7914
CVE STATUS: Patched
CVE SUMMARY: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.5.3 does not check whether a slot is a leaf, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7915
CVE STATUS: Patched
CVE SUMMARY: The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7915

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7916
CVE STATUS: Patched
CVE SUMMARY: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7916

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-7917
CVE STATUS: Patched
CVE SUMMARY: The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7917

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8391
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31253255. References: QC-CR#1072166.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8391

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8392
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31385862. References: QC-CR#1073136.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8392

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8393
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31911920.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8393

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8394
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31913197.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8394

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8395
CVE STATUS: Patched
CVE SUMMARY: A denial of service vulnerability in the NVIDIA camera driver could enable an attacker to cause a local permanent denial of service, which may require reflashing the operating system to repair the device. This issue is rated as High due to the possibility of local permanent denial of service. Product: Android. Versions: Kernel-3.10. Android ID: A-31403040. References: N-CVE-2016-8395.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8395

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8397
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-31385953. References: N-CVE-2016-8397.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8397

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8398
CVE STATUS: Patched
CVE SUMMARY: Unauthenticated messages processed by the UE. Certain NAS messages are processed when no EPS security context exists in the UE. Product: Android. Versions: Kernel 3.18. Android ID: A-31548486. References: QC-CR#877705.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8398

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8399
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31349935.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8399

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8400
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA librm library (libnvrm) could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. Product: Android. Versions: Kernel-3.18. Android ID: A-31251599. References: N-CVE-2016-8400.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8400

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8401
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31494725.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8401

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8402
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31495231.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8402

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8403
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31495348.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8403

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8404
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31496950.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8404

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8405
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8405

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8406
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31796940.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8406

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8407
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31802656.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8407

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8408
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31496571. References: N-CVE-2016-8408.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8408

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8409
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31495687. References: N-CVE-2016-8409.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8409

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8410
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31498403. References: QC-CR#987010.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8410

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8412
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31225246. References: QC-CR#1071891.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8412

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8413
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32709702. References: QC-CR#518731.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8413

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8414
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm Secure Execution Environment Communicator could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31704078. References: QC-CR#1076407.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8414

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8415
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31750554. References: QC-CR#1079596.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8415

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8416
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32510746. References: QC-CR#1088206.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8416

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8417
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32342399. References: QC-CR#1088824.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8417

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8419
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32454494. References: QC-CR#1087209.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8419

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8420
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32451171. References: QC-CR#1087807.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8420

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8421
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32451104. References: QC-CR#1087797.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8421

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8424
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31606947. References: N-CVE-2016-8424.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8424

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8425
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31797770. References: N-CVE-2016-8425.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8425

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8426
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31799206. References: N-CVE-2016-8426.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8426

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8427
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31799885. References: N-CVE-2016-8427.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8427

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8428
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31993456. References: N-CVE-2016-8428.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8428

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8429
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32160775. References: N-CVE-2016-8429.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8429

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8430
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32225180. References: N-CVE-2016-8430.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8430

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8431
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32402179. References: N-CVE-2016-8431.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8431

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8432
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32447738. References: N-CVE-2016-8432.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8432

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8434
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32125137. References: QC-CR#1081855.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8434

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8435
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32700935. References: N-CVE-2016-8435.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8435

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8436
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32450261. References: QC-CR#1007860.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8436

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8437
CVE STATUS: Patched
CVE SUMMARY: Improper input validation in Access Control APIs. Access control API may return memory range checking incorrectly. Product: Android. Versions: Kernel 3.18. Android ID: A-31623057. References: QC-CR#1009695.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8437

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8438
CVE STATUS: Patched
CVE SUMMARY: Integer overflow leading to a TOCTOU condition in hypervisor PIL. An integer overflow exposes a race condition that may be used to bypass (Peripheral Image Loader) PIL authentication. Product: Android. Versions: Kernel 3.18. Android ID: A-31624565. References: QC-CR#1023638.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8438

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8439
CVE STATUS: Patched
CVE SUMMARY: Possible buffer overflow in trust zone access control API. Buffer overflow may occur due to lack of buffer size checking. Product: Android. Versions: Kernel 3.18. Android ID: A-31625204. References: QC-CR#1027804.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8439

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8440
CVE STATUS: Patched
CVE SUMMARY: Possible buffer overflow in SMMU system call. Improper input validation in ADSP SID2CB system call may result in hypervisor memory overwrite. Product: Android. Versions: Kernel 3.18. Android ID: A-31625306. References: QC-CR#1036747.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8440

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8441
CVE STATUS: Patched
CVE SUMMARY: Possible buffer overflow in the hypervisor. Inappropriate usage of a static array could lead to a buffer overrun. Product: Android. Versions: Kernel 3.18. Android ID: A-31625904. References: QC-CR#1027769.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8441

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8442
CVE STATUS: Patched
CVE SUMMARY: Possible unauthorized memory access in the hypervisor. Lack of input validation could allow hypervisor memory to be accessed by the HLOS. Product: Android. Versions: Kernel 3.18. Android ID: A-31625910. QC-CR#1038173.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8442

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8443
CVE STATUS: Patched
CVE SUMMARY: Possible unauthorized memory access in the hypervisor. Incorrect configuration provides access to subsystem page tables. Product: Android. Versions: Kernel 3.18. Android ID: A-32576499. References: QC-CR#964185.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8443

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8444
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31243641. References: QC-CR#1074310.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8444

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8449
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31798848. References: N-CVE-2016-8449.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8449

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8450
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32450563. References: QC-CR#880388.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8450

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8451
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.4. Android ID: A-32178033.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8451

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8452
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32506396. References: QC-CR#1050323.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8452

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8453
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-24739315. References: B-RB#73392.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8453

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8454
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32174590. References: B-RB#107142.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8454

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8455
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32219121. References: B-RB#106311.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8455

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8456
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32219255. References: B-RB#105580.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8456

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8457
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32219453. References: B-RB#106116.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8457

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8458
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31968442.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8458

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8459
CVE STATUS: Patched
CVE SUMMARY: Possible buffer overflow in storage subsystem. Bad parameters as part of listener responses to RPMB commands could lead to buffer overflow. Product: Android. Versions: Kernel 3.18. Android ID: A-32577972. References: QC-CR#988462.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8459

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8460
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-31668540. References: N-CVE-2016-8460.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8460

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8461
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the bootloader could enable a local attacker to access data outside of its permission level. This issue is rated as High because it could be used to access sensitive data. Product: Android. Versions: Kernel-3.18. Android ID: A-32369621.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8461

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8463
CVE STATUS: Patched
CVE SUMMARY: A denial of service vulnerability in the Qualcomm FUSE file system could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30786860. References: QC-CR#586855.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8463

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8464
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29000183. References: B-RB#106314.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8464

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8465
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32474971. References: B-RB#106053.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8465

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8466
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31822524. References: B-RB#105268.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8466

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8468
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in Binder could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.18. Android ID: A-32394425.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8468

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8469
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31351206. References: N-CVE-2016-8469.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8469

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8473
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the STMicroelectronics driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31795790.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8473

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8474
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the STMicroelectronics driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31799972.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8474

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8475
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the HTC input driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32591129.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8475

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8476
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32879283. References: QC-CR#1091940.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8476

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8477
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32720522. References: QC-CR#1090007.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8477

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8478
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32511270. References: QC-CR#1088206.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8478

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8479
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31824853. References: QC-CR#1093687.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8479

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8480
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31804432. References: QC-CR#1086186.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8480

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8481
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31906415. References: QC-CR#1078000.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8481

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8483
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm power driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-33745862. References: QC-CR#1035099.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8483

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8630
CVE STATUS: Patched
CVE SUMMARY: The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8630

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8632
CVE STATUS: Patched
CVE SUMMARY: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8632

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8633
CVE STATUS: Patched
CVE SUMMARY: drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8633

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8636
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8636

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8645
CVE STATUS: Patched
CVE SUMMARY: The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8645

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8646
CVE STATUS: Patched
CVE SUMMARY: The hash_accept function in crypto/algif_hash.c in the Linux kernel before 4.3.6 allows local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8646

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8650
CVE STATUS: Patched
CVE SUMMARY: The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through 4.8.11 does not ensure that memory is allocated for limb data, which allows local users to cause a denial of service (stack memory corruption and panic) via an add_key system call for an RSA key with a zero exponent.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8650

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8655
CVE STATUS: Patched
CVE SUMMARY: Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8655

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8658
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.7.5 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8658

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8660
CVE STATUS: Patched
CVE SUMMARY: The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a "page lock order bug in the XFS seek hole/data implementation."
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-8666
CVE STATUS: Patched
CVE SUMMARY: The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8666

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9083
CVE STATUS: Patched
CVE SUMMARY: drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug."
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9084
CVE STATUS: Patched
CVE SUMMARY: drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9084

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9120
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9120

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9178
CVE STATUS: Patched
CVE SUMMARY: The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9178

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9191
CVE STATUS: Patched
CVE SUMMARY: The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9191

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9313
CVE STATUS: Patched
CVE SUMMARY: security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9313

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9555
CVE STATUS: Patched
CVE SUMMARY: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9555

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9576
CVE STATUS: Patched
CVE SUMMARY: The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9576

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9588
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9588

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9604
CVE STATUS: Patched
CVE SUMMARY: It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9604

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9644
CVE STATUS: Patched
CVE SUMMARY: The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel 4.4.22 through 4.4.28 contains extended asm statements that are incompatible with the exception table, which allows local users to obtain root access on non-SMEP platforms via a crafted application.  NOTE: this vulnerability exists because of incorrect backporting of the CVE-2016-9178 patch to older kernels.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9644

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9685
CVE STATUS: Patched
CVE SUMMARY: Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9685

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9754
CVE STATUS: Patched
CVE SUMMARY: The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9754

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9755
CVE STATUS: Patched
CVE SUMMARY: The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9755

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9756
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9756

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9777
CVE STATUS: Patched
CVE SUMMARY: KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9777

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9793
CVE STATUS: Patched
CVE SUMMARY: The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9793

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9794
CVE STATUS: Patched
CVE SUMMARY: Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9794

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9806
CVE STATUS: Patched
CVE SUMMARY: Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9806

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2016-9919
CVE STATUS: Patched
CVE SUMMARY: The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9919

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0306
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-34132950. References: N-CVE-2017-0306.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0306

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0307
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33177895. References: N-CVE-2017-0307.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0307

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0325
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA I2C HID driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10 and Kernel 3.18. Android ID: A-33040280. References: N-CVE-2017-0325.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0325

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0327
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33893669. References: N-CVE-2017-0327.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0327

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0328
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA crypto driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33898322. References: N-CVE-2017-0328.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0328

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0329
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA boot and power management processor driver could enable a local malicious application to execute arbitrary code within the context of the boot and power management processor. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.18. Android ID:A-34115304. References: N-CVE-2017-0329.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0329

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0330
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA crypto driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33899858. References: N-CVE-2017-0330.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0330

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0331
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel 3.10. Android ID: A-34113000. References: N-CVE-2017-0331.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0331

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0332
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33812508. References: N-CVE-2017-0332.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0332

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0333
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33899363. References: N-CVE-2017-0333.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0333

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0334
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.18. Android ID: A-33245849. References: N-CVE-2017-0334.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0334

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0335
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33043375. References: N-CVE-2017-0335.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0335

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0336
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.18. Android ID: A-33042679. References: N-CVE-2017-0336.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0336

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0337
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-31992762. References: N-CVE-2017-0337.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0337

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0338
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33057977. References: N-CVE-2017-0338.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0338

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0339
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-27930566. References: N-CVE-2017-0339.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0339

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0403
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402548.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0403

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0404
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32510733.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0404

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0427
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31495866.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0427

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0428
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32401526. References: N-CVE-2017-0428.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0428

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0429
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32636619. References: N-CVE-2017-0429.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0429

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0430
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32838767. References: B-RB#107459.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0430

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0432
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-28332719.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0432

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0433
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the touchscreen chipset. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31913571.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0433

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0434
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the touchscreen chipset. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33001936.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0434

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0435
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31906657. References: QC-CR#1078000.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0435

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0436
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32624661. References: QC-CR#1078000.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0436

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0437
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402310. References: QC-CR#1092497.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0437

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0438
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402604. References: QC-CR#1092497.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0438

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0439
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32450647. References: QC-CR#1092059.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0439

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0440
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33252788. References: QC-CR#1095770.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0440

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0441
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32872662. References: QC-CR#1095009.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0441

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0442
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32871330. References: QC-CR#1092497.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0442

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0443
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32877494. References: QC-CR#1092497.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0443

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0444
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Realtek sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32705232.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0444

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0445
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32769717.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0445

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0446
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32917445.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0446

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0447
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32919560.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0447

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0448
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-32721029. References: N-CVE-2017-0448.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0448

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0449
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10. Android ID: A-31707909. References: B-RB#32094.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0449

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0451
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31796345. References: QC-CR#1073129.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0451

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0452
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32873615. References: QC-CR#1093693.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0452

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0453
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33979145. References: QC-CR#1105085.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0453

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0454
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm audio driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33353700. References: QC-CR#1104067.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0454

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0455
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm bootloader could help to enable a local malicious application to to execute arbitrary code within the context of the bootloader. This issue is rated as High because it is a general bypass for a bootloader level defense in depth or exploit mitigation technology. Product: Android. Versions: Kernel-3.18. Android ID: A-32370952. References: QC-CR#1082755.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0455

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0456
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33106520. References: QC-CR#1099598.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0456

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0457
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31695439. References: QC-CR#1086123, QC-CR#1100695.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0457

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0458
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32588962. References: QC-CR#1089433.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0458

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0459
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32644895. References: QC-CR#1091939.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0459

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0460
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31252965. References: QC-CR#1098801.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0460

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0461
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32073794. References: QC-CR#1100132.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0461

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0462
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Seemp driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33353601. References: QC-CR#1102288.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0462

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0463
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33277611. References: QC-CR#1101792.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0463

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0464
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32940193. References: QC-CR#1102593.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0464

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0465
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34112914. References: QC-CR#1110747.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0465

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0507
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31992382.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0507

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0508
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33940449.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0508

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0510
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel FIQ debugger could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32402555.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0510

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0516
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm input hardware driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32341680. References: QC-CR#1096301.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0516

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0518
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm fingerprint sensor driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32370896. References: QC-CR#1086530.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0518

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0519
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm fingerprint sensor driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32372915. References: QC-CR#1086530.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0519

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0520
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31750232. References: QC-CR#1082636.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0520

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0521
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32919951. References: QC-CR#1097709.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0521

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0523
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: N/A. Android ID: A-32835279. References: QC-CR#1096945.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0523

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0524
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33002026.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0524

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0525
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33139056. References: QC-CR#1097714.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0526
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC Sensor Hub Driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33897738.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0526

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0527
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC Sensor Hub Driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33899318.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0527

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0528
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel security subsystem could enable a local malicious application to to execute code in the context of a privileged process. This issue is rated as High because it is a general bypass for a kernel level defense in depth or exploit mitigation technology. Product: Android. Versions: Kernel-3.18. Android ID: A-33351919.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0528

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0531
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32877245. References: QC-CR#1087469.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0531

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0533
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32509422. References: QC-CR#1088206.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0533

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0534
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32508732. References: QC-CR#1088206.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0534

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0535
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the HTC sound codec driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33547247.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0535

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0536
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33555878.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0536

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0537
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0537

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0561
CVE STATUS: Patched
CVE SUMMARY: A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC. This issue is rated as Critical due to the possibility of remote code execution in the context of the Wi-Fi SoC. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199105. References: B-RB#110814.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0561

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0563
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32089409.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0563

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0564
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34276203.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0564

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0567
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32125310. References: B-RB#112575.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0567

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0568
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34197514. References: B-RB#112600.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0568

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0569
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34198729. References: B-RB#110666.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0569

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0570
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199963. References: B-RB#110688.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0570

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0571
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34203305. References: B-RB#111541.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0571

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0572
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-34198931. References: B-RB#112597.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0572

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0573
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34469904. References: B-RB#91539.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0573

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0574
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34624457. References: B-RB#113189.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0574

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0575
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32658595. References: QC-CR#1103099.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0575

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0576
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33544431. References: QC-CR#1103089.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0576

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0577
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33842951.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0577

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0579
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34125463. References: QC-CR#1115406.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0579

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0580
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Synaptics Touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-34325986.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0580

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0581
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Synaptics Touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-34614485.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0581

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0582
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC OEM fastboot command could enable a local malicious application to execute arbitrary code within the context of the sensor hub. This issue is rated as Moderate because it first requires exploitation of separate vulnerabilities. Product: Android. Versions: Kernel-3.10. Android ID: A-33178836.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0582

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0583
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm CP access driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and because of vulnerability specific details which limit the impact of the issue. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32068683. References: QC-CR#1103788.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0583

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0584
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32074353. References: QC-CR#1104731.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0584

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0585
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32475556. References: B-RB#112953.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0585

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0586
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33649808. References: QC-CR#1097569.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0586

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0606
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34088848. References: QC-CR#1116015.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0606

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0607
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35400551. References: QC-CR#1085928.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0607

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0608
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35400458. References: QC-CR#1098363.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0608

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0609
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399801. References: QC-CR#1090482.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0609

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0610
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399404. References: QC-CR#1094852.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0610

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0611
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35393841. References: QC-CR#1084210.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0611

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0612
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-34389303. References: QC-CR#1061845.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0612

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0613
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35400457. References: QC-CR#1086140.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0613

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0614
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399405. References: QC-CR#1080290.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0614

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0619
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm pin controller driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-35401152. References: QC-CR#826566.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0619

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0620
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm Secure Channel Manager driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35401052. References: QC-CR#1081711.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0620

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0621
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-35399703. References: QC-CR#831322.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0621

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0622
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the Goodix touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32749036. References: QC-CR#1098602.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0622

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0623
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the HTC bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32512358.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0623

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0624
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34327795. References: QC-CR#2005832.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0624

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0626
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35393124. References: QC-CR#1088050.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0626

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0627
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the kernel UVC driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33300353.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0627

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0628
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34230377. References: QC-CR#1086833.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0628

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0629
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35214296. References: QC-CR#1086833.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0629

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0630
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the kernel trace subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34277115.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0630

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0631
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399756. References: QC-CR#1093232.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0631

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0632
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Qualcomm sound codec driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-35392586. References: QC-CR#832915.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0632

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0633
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious component to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-36000515. References: B-RB#117131.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0633

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0634
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32511682.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0634

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0648
CVE STATUS: Patched
CVE SUMMARY: An elevation of privilege vulnerability in the kernel FIQ debugger could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-36101220.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0648

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0650
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35472278.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0650

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-0651
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability in the kernel ION subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35644815.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0651

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000111
CVE STATUS: Patched
CVE SUMMARY: Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000111

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000112
CVE STATUS: Patched
CVE SUMMARY: Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000112

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000251
CVE STATUS: Patched
CVE SUMMARY: The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.
CVSS v2 BASE SCORE: 7.7
CVSS v3 BASE SCORE: 8.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000251

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000252
CVE STATUS: Patched
CVE SUMMARY: The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000252

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000253
CVE STATUS: Patched
CVE SUMMARY: Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the "gap" between the stack and the binary.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000253

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000255
CVE STATUS: Unpatched
CVE SUMMARY: On Linux running on PowerPC hardware (Power8 or later) a user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written. This flaw was introduced in commit: "5d176f751ee3 (powerpc: tm: Enable transactional memory (TM) lazily for userspace)" which was merged upstream into v4.9-rc1. Please note that kernels built with CONFIG_PPC_TRANSACTIONAL_MEM=n are not vulnerable.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000255

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000363
CVE STATUS: Patched
CVE SUMMARY: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000363

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000364
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010).
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 7.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000364

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000365
CVE STATUS: Patched
CVE SUMMARY: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000365

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000370
CVE STATUS: Patched
CVE SUMMARY: The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000370

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000371
CVE STATUS: Patched
CVE SUMMARY: The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000371

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000377
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the size of the default stack guard page on PAX Linux (originally from GRSecurity but shipped by other Linux vendors), specifically the default stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects PAX Linux Kernel versions as of June 19, 2017 (specific version information is not available at this time).
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000377

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000379
CVE STATUS: Patched
CVE SUMMARY: The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000379

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000380
CVE STATUS: Patched
CVE SUMMARY: sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000380

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000405
CVE STATUS: Patched
CVE SUMMARY: The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000405

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000407
CVE STATUS: Patched
CVE SUMMARY: The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 7.4
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000407

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-1000410
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations. These are the specifics of this vulnerability: In the function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared without initialization: struct l2cap_conf_efs efs; In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that will write to the efs variable: ... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void *)val, olen); ... The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable would eventually be added to the outgoing configuration request that is being built: l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs); So by sending a configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length that is not sizeof(efs) - the memcpy to the uninitialized efs variable can be avoided, and the uninitialized variable would be returned to the attacker (16 bytes).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000410

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-10661
CVE STATUS: Patched
CVE SUMMARY: Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10661

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-10662
CVE STATUS: Patched
CVE SUMMARY: The sanity_check_raw_super function in fs/f2fs/super.c in the Linux kernel before 4.11.1 does not validate the segment count, which allows local users to gain privileges via unspecified vectors.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10662

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-10663
CVE STATUS: Patched
CVE SUMMARY: The sanity_check_ckpt function in fs/f2fs/super.c in the Linux kernel before 4.12.4 does not validate the blkoff and segno arrays, which allows local users to gain privileges via unspecified vectors.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10663

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-10810
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel through 4.11.8 allows attackers to cause a denial of service (memory consumption) by triggering object-initialization failures.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10810

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-10911
CVE STATUS: Patched
CVE SUMMARY: The make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-11176
CVE STATUS: Patched
CVE SUMMARY: The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11176

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-11472
CVE STATUS: Patched
CVE SUMMARY: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11472

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-11473
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 3.2 allows local users to gain privileges via a crafted ACPI table.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11473

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-11600
CVE STATUS: Patched
CVE SUMMARY: net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11600

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-12146
CVE STATUS: Patched
CVE SUMMARY: The driver_override implementation in drivers/base/platform.c in the Linux kernel before 4.12.1 allows local users to gain privileges by leveraging a race condition between a read operation and a store operation that involve different overrides.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12146

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-12153
CVE STATUS: Patched
CVE SUMMARY: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel through 4.13.3. This function does not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12153

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-12154
CVE STATUS: Patched
CVE SUMMARY: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12154

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-12168
CVE STATUS: Patched
CVE SUMMARY: The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Linux kernel before 4.8.11 allows privileged KVM guest OS users to cause a denial of service (assertion failure and host OS crash) by accessing the Performance Monitors Cycle Count Register (PMCCNTR).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12168

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-12188
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an "MMU potential stack buffer overrun."
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12188

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-12190
CVE STATUS: Patched
CVE SUMMARY: The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12190

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-12192
CVE STATUS: Patched
CVE SUMMARY: The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12192

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-12193
CVE STATUS: Patched
CVE SUMMARY: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12193

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-12762
CVE STATUS: Patched
CVE SUMMARY: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12762

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-13686
CVE STATUS: Patched
CVE SUMMARY: net/ipv4/route.c in the Linux kernel 4.13-rc1 through 4.13-rc6 is too late to check for a NULL fi field when RTM_F_FIB_MATCH is set, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via crafted system calls. NOTE: this does not affect any stable release.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13686

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-13693
CVE STATUS: Patched
CVE SUMMARY: The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13693

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-13694
CVE STATUS: Patched
CVE SUMMARY: The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13694

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-13695
CVE STATUS: Patched
CVE SUMMARY: The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13695

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-13715
CVE STATUS: Patched
CVE SUMMARY: The __skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel before 4.3 does not ensure that n_proto, ip_proto, and thoff are initialized, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a single crafted MPLS packet.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13715

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-14051
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14051

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-14106
CVE STATUS: Patched
CVE SUMMARY: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14106

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-14140
CVE STATUS: Patched
CVE SUMMARY: The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14140

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-14156
CVE STATUS: Patched
CVE SUMMARY: The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the Linux kernel through 4.12.10 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading locations associated with padding bytes.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14156

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-14340
CVE STATUS: Patched
CVE SUMMARY: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14340

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-14489
CVE STATUS: Patched
CVE SUMMARY: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14489

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-14497
CVE STATUS: Patched
CVE SUMMARY: The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel before 4.13 mishandles vnet headers, which might allow local users to cause a denial of service (buffer overflow, and disk and memory corruption) or possibly have unspecified other impact via crafted system calls.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14497

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-14954
CVE STATUS: Patched
CVE SUMMARY: The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14954

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-14991
CVE STATUS: Patched
CVE SUMMARY: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14991

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15102
CVE STATUS: Patched
CVE SUMMARY: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15102

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15115
CVE STATUS: Patched
CVE SUMMARY: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15115

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15116
CVE STATUS: Patched
CVE SUMMARY: The rngapi_reset function in crypto/rng.c in the Linux kernel before 4.2 allows attackers to cause a denial of service (NULL pointer dereference).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15116

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15126
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in fs/userfaultfd.c in the Linux kernel before 4.13.6. The issue is related to the handling of fork failure when dealing with event messages. Failure to fork correctly can lead to a situation where a fork event will be removed from an already freed list of events with userfaultfd_ctx_put().
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15126

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15127
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13. A superfluous implicit page unlock for VM_SHARED hugetlbfs mapping could trigger a local denial of service (BUG).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15127

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15128
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13.12. A lack of size check could cause a denial of service (BUG).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15128

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15129
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15129

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15265
CVE STATUS: Patched
CVE SUMMARY: Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15265

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15274
CVE STATUS: Patched
CVE SUMMARY: security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15274

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15299
CVE STATUS: Patched
CVE SUMMARY: The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15299

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15306
CVE STATUS: Patched
CVE SUMMARY: The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) via a KVM_CHECK_EXTENSION KVM_CAP_PPC_HTM ioctl call to /dev/kvm.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15306

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15537
CVE STATUS: Patched
CVE SUMMARY: The x86/fpu (Floating Point Unit) subsystem in the Linux kernel before 4.13.5, when a processor supports the xsave feature but not the xsaves feature, does not correctly handle attempts to set reserved bits in the xstate header via the ptrace() or rt_sigreturn() system call, allowing local users to read the FPU registers of other processes on the system, related to arch/x86/kernel/fpu/regset.c and arch/x86/kernel/fpu/signal.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15537

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15649
CVE STATUS: Patched
CVE SUMMARY: net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15649

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15868
CVE STATUS: Patched
CVE SUMMARY: The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15868

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-15951
CVE STATUS: Patched
CVE SUMMARY: The KEYS subsystem in the Linux kernel before 4.13.10 does not correctly synchronize the actions of updating versus finding a key in the "negative" state to avoid a race condition, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16525
CVE STATUS: Patched
CVE SUMMARY: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16526
CVE STATUS: Patched
CVE SUMMARY: drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16526

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16527
CVE STATUS: Patched
CVE SUMMARY: sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16527

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16528
CVE STATUS: Patched
CVE SUMMARY: sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16528

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16529
CVE STATUS: Patched
CVE SUMMARY: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16529

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16530
CVE STATUS: Patched
CVE SUMMARY: The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16530

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16531
CVE STATUS: Patched
CVE SUMMARY: drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16531

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16532
CVE STATUS: Patched
CVE SUMMARY: The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16532

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16533
CVE STATUS: Patched
CVE SUMMARY: The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16533

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16534
CVE STATUS: Patched
CVE SUMMARY: The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16534

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16535
CVE STATUS: Patched
CVE SUMMARY: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16535

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16536
CVE STATUS: Patched
CVE SUMMARY: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16536

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16537
CVE STATUS: Patched
CVE SUMMARY: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16537

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16538
CVE STATUS: Patched
CVE SUMMARY: drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner).
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16538

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16643
CVE STATUS: Patched
CVE SUMMARY: The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16643

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16644
CVE STATUS: Patched
CVE SUMMARY: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16644

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16645
CVE STATUS: Patched
CVE SUMMARY: The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16645

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16646
CVE STATUS: Patched
CVE SUMMARY: drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16646

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16647
CVE STATUS: Patched
CVE SUMMARY: drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16647

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16648
CVE STATUS: Patched
CVE SUMMARY: The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. NOTE: the function was later renamed __dvb_frontend_free.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16648

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16649
CVE STATUS: Patched
CVE SUMMARY: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16649

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16650
CVE STATUS: Patched
CVE SUMMARY: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16650

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16911
CVE STATUS: Patched
CVE SUMMARY: The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16912
CVE STATUS: Patched
CVE SUMMARY: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16913
CVE STATUS: Patched
CVE SUMMARY: The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16914
CVE STATUS: Patched
CVE SUMMARY: The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16939
CVE STATUS: Patched
CVE SUMMARY: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16939

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16994
CVE STATUS: Patched
CVE SUMMARY: The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16994

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16995
CVE STATUS: Patched
CVE SUMMARY: The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-16996
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16996

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17052
CVE STATUS: Patched
CVE SUMMARY: The mm_init function in kernel/fork.c in the Linux kernel before 4.12.10 does not clear the ->exe_file member of a new process's mm_struct, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17052

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17053
CVE STATUS: Patched
CVE SUMMARY: The init_new_context function in arch/x86/include/asm/mmu_context.h in the Linux kernel before 4.12.10 does not correctly handle errors from LDT table allocation when forking a new process, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program. This vulnerability only affected kernels built with CONFIG_MODIFY_LDT_SYSCALL=y.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17448
CVE STATUS: Patched
CVE SUMMARY: net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17448

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17449
CVE STATUS: Patched
CVE SUMMARY: The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17449

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17450
CVE STATUS: Patched
CVE SUMMARY: net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17450

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17558
CVE STATUS: Patched
CVE SUMMARY: The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17558

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17712
CVE STATUS: Patched
CVE SUMMARY: The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel through 4.14.6 has a race condition in inet->hdrincl that leads to uninitialized stack pointer usage; this allows a local user to execute code and gain privileges.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17712

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17741
CVE STATUS: Patched
CVE SUMMARY: The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17805
CVE STATUS: Patched
CVE SUMMARY: The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17805

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17806
CVE STATUS: Patched
CVE SUMMARY: The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17806

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17807
CVE STATUS: Patched
CVE SUMMARY: The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's "default request-key keyring" via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17807

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17852
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17852

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17853
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17853

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17854
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17854

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17855
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17855

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17856
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17856

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17857
CVE STATUS: Patched
CVE SUMMARY: The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17857

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17862
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17862

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17863
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17863

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17864
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a "pointer leak."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17864

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-17975
CVE STATUS: Patched
CVE SUMMARY: Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and free this data structure.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17975

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18017
CVE STATUS: Patched
CVE SUMMARY: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18017

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18075
CVE STATUS: Patched
CVE SUMMARY: crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18079
CVE STATUS: Patched
CVE SUMMARY: drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18174
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18174

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18193
CVE STATUS: Patched
CVE SUMMARY: fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles extent trees, which allows local users to cause a denial of service (BUG) via an application with multiple threads.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18193

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18200
CVE STATUS: Patched
CVE SUMMARY: The f2fs implementation in the Linux kernel before 4.14 mishandles reference counts associated with f2fs_wait_discard_bios calls, which allows local users to cause a denial of service (BUG), as demonstrated by fstrim.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18200

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18202
CVE STATUS: Patched
CVE SUMMARY: The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel before 4.14.4 mishandles gather operations, which allows attackers to cause a denial of service (TLB entry leak or use-after-free) or possibly have unspecified other impact by triggering a copy_to_user call within a certain time window.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18202

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18203
CVE STATUS: Patched
CVE SUMMARY: The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18203

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18204
CVE STATUS: Patched
CVE SUMMARY: The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to cause a denial of service (deadlock) via DIO requests.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18204

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18208
CVE STATUS: Patched
CVE SUMMARY: The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18208

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18216
CVE STATUS: Patched
CVE SUMMARY: In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL pointer dereference and BUG) because a required mutex is not used.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18216

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18218
CVE STATUS: Patched
CVE SUMMARY: In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel before 4.13, local users can cause a denial of service (use-after-free and BUG) or possibly have unspecified other impact by leveraging differences in skb handling between hns_nic_net_xmit_hw and hns_nic_net_xmit.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18218

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18221
CVE STATUS: Patched
CVE SUMMARY: The __munlock_pagevec function in mm/mlock.c in the Linux kernel before 4.11.4 allows local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18221

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18222
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS case when retrieving sset_count data, which allows local users to cause a denial of service (buffer overflow and memory corruption) or possibly have unspecified other impact, as demonstrated by incompatibility between hns_get_sset_count and ethtool_get_strings.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18222

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18224
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allows local users to cause a denial of service (BUG) by modifying a certain e_cpos field.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18224

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18232
CVE STATUS: Patched
CVE SUMMARY: The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18232

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18241
CVE STATUS: Patched
CVE SUMMARY: fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18241

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18249
CVE STATUS: Patched
CVE SUMMARY: The add_free_nid function in fs/f2fs/node.c in the Linux kernel before 4.12 does not properly track an allocated nid, which allows local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18249

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18255
CVE STATUS: Patched
CVE SUMMARY: The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18255

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18257
CVE STATUS: Patched
CVE SUMMARY: The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18257

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18261
CVE STATUS: Patched
CVE SUMMARY: The arch_timer_reg_read_stable macro in arch/arm64/include/asm/arch_timer.h in the Linux kernel before 4.13 allows local users to cause a denial of service (infinite recursion) by writing to a file under /sys/kernel/debug in certain circumstances, as demonstrated by a scenario involving debugfs, ftrace, PREEMPT_TRACER, and FUNCTION_GRAPH_TRACER.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18261

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18270
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18270

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18344
CVE STATUS: Patched
CVE SUMMARY: The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18344

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18360
CVE STATUS: Patched
CVE SUMMARY: In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18360

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18379
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.14, an out of boundary access happened in drivers/nvme/target/fc.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18379

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18509
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18509

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18549
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_send_raw_srb does not initialize the reply structure.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18549

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18550
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18550

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18551
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18551

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18552
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18552

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-18595
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18595

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-2583
CVE STATUS: Patched
CVE SUMMARY: The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector" instruction, which allows guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2583

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-2584
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2584

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-2596
CVE STATUS: Patched
CVE SUMMARY: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2596

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-2618
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files before 4.9.10. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2618

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-2634
CVE STATUS: Patched
CVE SUMMARY: It was found that the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation before 2.6.22.17 used the IPv4-only inet_sk_rebuild_header() function for both IPv4 and IPv6 DCCP connections, which could result in memory corruptions. A remote attacker could use this flaw to crash the system.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2634

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-2636
CVE STATUS: Patched
CVE SUMMARY: Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2636

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-2647
CVE STATUS: Patched
CVE SUMMARY: The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2647

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-2671
CVE STATUS: Patched
CVE SUMMARY: The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2671

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5123
CVE STATUS: Patched
CVE SUMMARY: Insufficient data validation in waitid allowed an user to escape sandboxes on Linux.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5123

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5546
CVE STATUS: Patched
CVE SUMMARY: The freelist-randomization feature in mm/slab.c in the Linux kernel 4.8.x and 4.9.x before 4.9.5 allows local users to cause a denial of service (duplicate freelist entries and system crash) or possibly have unspecified other impact in opportunistic circumstances by leveraging the selection of a large value for a random number.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5546

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5547
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5547

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5548
CVE STATUS: Patched
CVE SUMMARY: drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5548

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5549
CVE STATUS: Patched
CVE SUMMARY: The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5549

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5550
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the pipe_advance function in lib/iov_iter.c in the Linux kernel before 4.9.5 allows local users to obtain sensitive information from uninitialized heap-memory locations in opportunistic circumstances by reading from a pipe after an incorrect buffer-release decision.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5550

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5551
CVE STATUS: Patched
CVE SUMMARY: The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5551

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5576
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted size value in a VC4_SUBMIT_CL ioctl call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5576

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5577
CVE STATUS: Patched
CVE SUMMARY: The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5577

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5669
CVE STATUS: Patched
CVE SUMMARY: The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5669

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5897
CVE STATUS: Patched
CVE SUMMARY: The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5897

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5967
CVE STATUS: Patched
CVE SUMMARY: The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5967

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5970
CVE STATUS: Patched
CVE SUMMARY: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5970

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5972
CVE STATUS: Patched
CVE SUMMARY: The TCP stack in the Linux kernel 3.x does not properly implement a SYN cookie protection mechanism for the case of a fast network connection, which allows remote attackers to cause a denial of service (CPU consumption) by sending many TCP SYN packets, as demonstrated by an attack against the kernel-3.10.0 package in CentOS Linux 7. NOTE: third parties have been unable to discern any relationship between the GitHub Engineering finding and the Trigemini.c attack code.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5972

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-5986
CVE STATUS: Patched
CVE SUMMARY: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5986

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6001
CVE STATUS: Patched
CVE SUMMARY: Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6074
CVE STATUS: Patched
CVE SUMMARY: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6214
CVE STATUS: Patched
CVE SUMMARY: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6214

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6264
CVE STATUS: Unpatched
CVE SUMMARY: An elevation of privilege vulnerability exists in the NVIDIA GPU driver (gm20b_clk_throt_set_cdev_state), where an out of bound memory read is used as a function pointer could lead to code execution in the kernel.This issue is rated as high because it could allow a local malicious application to execute arbitrary code within the context of a privileged process. Product: Android. Version: N/A. Android ID: A-34705430. References: N-CVE-2017-6264.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6264

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6345
CVE STATUS: Patched
CVE SUMMARY: The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6345

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6346
CVE STATUS: Patched
CVE SUMMARY: Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6346

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6347
CVE STATUS: Patched
CVE SUMMARY: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6347

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6348
CVE STATUS: Patched
CVE SUMMARY: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6348

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6353
CVE STATUS: Patched
CVE SUMMARY: net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6353

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6874
CVE STATUS: Patched
CVE SUMMARY: Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6874

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-6951
CVE STATUS: Patched
CVE SUMMARY: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the "dead" type.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7184
CVE STATUS: Patched
CVE SUMMARY: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7184

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7187
CVE STATUS: Patched
CVE SUMMARY: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7187

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7261
CVE STATUS: Patched
CVE SUMMARY: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7261

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7273
CVE STATUS: Patched
CVE SUMMARY: The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 3.2 and 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7273

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7277
CVE STATUS: Patched
CVE SUMMARY: The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel's internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7277

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7294
CVE STATUS: Patched
CVE SUMMARY: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7294

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7308
CVE STATUS: Patched
CVE SUMMARY: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7308

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7346
CVE STATUS: Patched
CVE SUMMARY: The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.7 does not validate certain levels data, which allows local users to cause a denial of service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7346

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7374
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7374

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7472
CVE STATUS: Patched
CVE SUMMARY: The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7472

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7477
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7477

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7482
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7482

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7487
CVE STATUS: Patched
CVE SUMMARY: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7487

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7495
CVE STATUS: Patched
CVE SUMMARY: fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-flushing-before-commit list, which allows local users to obtain sensitive information from other users' files in opportunistic circumstances by waiting for a hardware reset, creating a new file, making write system calls, and reading this file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7495

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7518
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7518

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7533
CVE STATUS: Patched
CVE SUMMARY: Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7533

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7541
CVE STATUS: Patched
CVE SUMMARY: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7541

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7542
CVE STATUS: Patched
CVE SUMMARY: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7542

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7558
CVE STATUS: Patched
CVE SUMMARY: A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7558

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7616
CVE STATUS: Patched
CVE SUMMARY: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7616

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7618
CVE STATUS: Patched
CVE SUMMARY: crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7618

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7645
CVE STATUS: Patched
CVE SUMMARY: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7645

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7889
CVE STATUS: Patched
CVE SUMMARY: The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7889

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7895
CVE STATUS: Patched
CVE SUMMARY: The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-7979
CVE STATUS: Patched
CVE SUMMARY: The cookie feature in the packet action API implementation in net/sched/act_api.c in the Linux kernel 4.11.x through 4.11-rc7 mishandles the tb nlattr array, which allows local users to cause a denial of service (uninitialized memory access and refcount underflow, and system hang or crash) or possibly have unspecified other impact via "tc filter add" commands in certain contexts. NOTE: this does not affect stable kernels, such as 4.10.x, from kernel.org.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7979

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8061
CVE STATUS: Patched
CVE SUMMARY: drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8061

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8062
CVE STATUS: Patched
CVE SUMMARY: drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8062

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8063
CVE STATUS: Patched
CVE SUMMARY: drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8063

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8064
CVE STATUS: Patched
CVE SUMMARY: drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8064

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8065
CVE STATUS: Patched
CVE SUMMARY: crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8065

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8066
CVE STATUS: Patched
CVE SUMMARY: drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8067
CVE STATUS: Patched
CVE SUMMARY: drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8067

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8068
CVE STATUS: Patched
CVE SUMMARY: drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8068

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8069
CVE STATUS: Patched
CVE SUMMARY: drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8069

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8070
CVE STATUS: Patched
CVE SUMMARY: drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8070

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8071
CVE STATUS: Patched
CVE SUMMARY: drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8071

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8072
CVE STATUS: Patched
CVE SUMMARY: The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8072

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8106
CVE STATUS: Patched
CVE SUMMARY: The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 through 3.15 allows privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8106

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8797
CVE STATUS: Patched
CVE SUMMARY: The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. This value is used as an array index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8797

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8824
CVE STATUS: Patched
CVE SUMMARY: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8824

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8831
CVE STATUS: Patched
CVE SUMMARY: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8831

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8890
CVE STATUS: Patched
CVE SUMMARY: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8890

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8924
CVE STATUS: Patched
CVE SUMMARY: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8924

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-8925
CVE STATUS: Patched
CVE SUMMARY: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8925

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9059
CVE STATUS: Patched
CVE SUMMARY: The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a "module reference and kernel daemon" leak.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9059

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9074
CVE STATUS: Patched
CVE SUMMARY: The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9075
CVE STATUS: Patched
CVE SUMMARY: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9076
CVE STATUS: Patched
CVE SUMMARY: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9077
CVE STATUS: Patched
CVE SUMMARY: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9150
CVE STATUS: Patched
CVE SUMMARY: The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9150

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9211
CVE STATUS: Patched
CVE SUMMARY: The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linux kernel through 4.11.2 relies on a setkey function that lacks a key-size check, which allows local users to cause a denial of service (NULL pointer dereference) via a crafted application.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9211

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9242
CVE STATUS: Patched
CVE SUMMARY: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9242

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9605
CVE STATUS: Patched
CVE SUMMARY: The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9605

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9984
CVE STATUS: Patched
CVE SUMMARY: The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9984

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9985
CVE STATUS: Patched
CVE SUMMARY: The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9985

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2017-9986
CVE STATUS: Patched
CVE SUMMARY: The intr function in sound/oss/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a "double fetch" vulnerability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9986

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1000004
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000004

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1000026
CVE STATUS: Patched
CVE SUMMARY: Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM..
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000026

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1000028
CVE STATUS: Patched
CVE SUMMARY: Linux kernel version after commit bdcf0a423ea1 - 4.15-rc4+, 4.14.8+, 4.9.76+, 4.4.111+ contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appear to be exploitable via NFS server must export a filesystem with the "rootsquash" options enabled. This vulnerability appears to have been fixed in after commit 1995266727fa.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000028

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1000199
CVE STATUS: Patched
CVE SUMMARY: The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appear to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000199

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1000200
CVE STATUS: Patched
CVE SUMMARY: The Linux Kernel versions 4.14, 4.15, and 4.16 has a null pointer dereference which can result in an out of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process's final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas.This can happen synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000200

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1000204
CVE STATUS: Patched
CVE SUMMARY: Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it "virtually impossible to exploit.
CVSS v2 BASE SCORE: 6.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000204

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10021
CVE STATUS: Patched
CVE SUMMARY: drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10021

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10074
CVE STATUS: Patched
CVE SUMMARY: The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-hi3660-stub.c in the Linux kernel before 4.16 allows local users to cause a denial of service (NULL pointer dereference) by triggering a failure of resource retrieval.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10087
CVE STATUS: Patched
CVE SUMMARY: The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10087

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10124
CVE STATUS: Patched
CVE SUMMARY: The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10124

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10322
CVE STATUS: Patched
CVE SUMMARY: The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10322

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10323
CVE STATUS: Patched
CVE SUMMARY: The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10323

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1065
CVE STATUS: Patched
CVE SUMMARY: The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in net/ipv6/netfilter/ip6_tables.c.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1065

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1066
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10675
CVE STATUS: Patched
CVE SUMMARY: The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10675

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1068
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1068

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10840
CVE STATUS: Unpatched
CVE SUMMARY: Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 5.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10840

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10853
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the way Linux kernel KVM hypervisor before 4.18 emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10853

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1087
CVE STATUS: Patched
CVE SUMMARY: kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1087

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10876
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10876

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10877
CVE STATUS: Patched
CVE SUMMARY: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10877

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10878
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 4.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10878

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10879
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10879

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10880
CVE STATUS: Patched
CVE SUMMARY: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10880

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10881
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10881

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10882
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10882

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10883
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10883

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10901
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10901

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10902
CVE STATUS: Unpatched
CVE SUMMARY: It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10902

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1091
CVE STATUS: Patched
CVE SUMMARY: In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1091

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1092
CVE STATUS: Patched
CVE SUMMARY: The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a root directory with a zero i_links_count, which allows attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1092

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1093
CVE STATUS: Patched
CVE SUMMARY: The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1093

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10938
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel present since v4.0-rc1 and through v4.13-rc4. A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10938

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1094
CVE STATUS: Patched
CVE SUMMARY: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1094

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-10940
CVE STATUS: Patched
CVE SUMMARY: The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10940

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1095
CVE STATUS: Patched
CVE SUMMARY: The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux kernel through 4.15.15 does not properly validate xattr sizes, which causes misinterpretation of a size as an error code, and consequently allows attackers to cause a denial of service (get_acl NULL pointer dereference and system crash) via a crafted ext4 image.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1108
CVE STATUS: Patched
CVE SUMMARY: kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1108

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1118
CVE STATUS: Patched
CVE SUMMARY: Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 2.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1118

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1120
CVE STATUS: Patched
CVE SUMMARY: A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks).
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 2.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1120

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-11232
CVE STATUS: Patched
CVE SUMMARY: The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11232

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-1130
CVE STATUS: Patched
CVE SUMMARY: Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of certain crafted system calls.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1130

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-11412
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11412

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-11506
CVE STATUS: Patched
CVE SUMMARY: The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11506

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-11508
CVE STATUS: Patched
CVE SUMMARY: The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11508

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12232
CVE STATUS: Patched
CVE SUMMARY: In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat does not increment the file descriptor reference count, which allows close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12232

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12233
CVE STATUS: Patched
CVE SUMMARY: In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12233

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12633
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (hdr.size_in and hdr.size_out) in the header between the two fetches because of a race condition, leading to severe kernel errors, such as buffer over-accesses. This bug can cause a local denial of service and information leakage.
CVSS v2 BASE SCORE: 6.3
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12633

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12714
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. This allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via crafted perf_event_open and mmap system calls.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12714

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12896
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12896

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12904
CVE STATUS: Patched
CVE SUMMARY: In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 4.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12928
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12928

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12929
CVE STATUS: Patched
CVE SUMMARY: ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12929

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12930
CVE STATUS: Patched
CVE SUMMARY: ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12930

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-12931
CVE STATUS: Patched
CVE SUMMARY: ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12931

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13053
CVE STATUS: Patched
CVE SUMMARY: The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13093
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13093

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13094
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13094

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13095
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13096
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.14. A denial of service (out-of-bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted f2fs image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13096

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13097
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. There is an out-of-bounds read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a denial of service (BUG).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13097

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13098
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. A denial of service (slab out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set in an inode.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13098

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13099
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.4. A denial of service (out-of-bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode contains an invalid reserved blkaddr.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13099

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13100
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13100

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13405
CVE STATUS: Patched
CVE SUMMARY: The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13405

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-13406
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13406

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14609
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14609

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14610
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14610

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14611
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in btrfs_check_chunk_valid in fs/btrfs/volumes.c.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14611

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14612
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14612

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14613
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14613

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14614
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.10. There is an out-of-bounds access in __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14614

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14615
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.10. There is a buffer overflow in truncate_inline_inode() in fs/f2fs/inline.c when umounting an f2fs image, because a length value may be negative.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14615

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14616
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference in fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14616

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14617
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14617

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14619
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the crypto subsystem of the Linux kernel before version kernel-4.15-rc4. The "null skcipher" was being dropped when each af_alg_ctx was freed instead of when the aead_tfm was freed. This can cause the null skcipher to be freed while it is still in use leading to a local user being able to crash the system or possibly escalate privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14619

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14625
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14625

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14633
CVE STATUS: Patched
CVE SUMMARY: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14633

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14634
CVE STATUS: Patched
CVE SUMMARY: An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14634

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14641
CVE STATUS: Patched
CVE SUMMARY: A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial-of-service.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14641

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14646
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14646

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14656
CVE STATUS: Patched
CVE SUMMARY: A missing address check in the callers of the show_opcodes() in the Linux kernel allows an attacker to dump the kernel memory at an arbitrary kernel address into the dmesg log.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14656

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14678
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14678

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-14734
CVE STATUS: Patched
CVE SUMMARY: drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free).
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14734

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-15471
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15471

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-15572
CVE STATUS: Patched
CVE SUMMARY: The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15572

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-15594
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15594

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-16276
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16276

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-16597
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.8. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:C/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16597

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-16658
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16658

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-16862
CVE STATUS: Patched
CVE SUMMARY: A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16862

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-16871
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's NFS implementation, all versions 3.x and all versions 4.x up to 4.20. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16871

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-16880
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. Versions from v4.16 and newer are vulnerable.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 5.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16880

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-16882
CVE STATUS: Patched
CVE SUMMARY: A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16882

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-16884
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
CVSS v2 BASE SCORE: 6.7
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-16885
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. This issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16885

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-17182
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17182

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-17972
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17972

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-17977
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17977

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-18021
CVE STATUS: Patched
CVE SUMMARY: arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18021

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-18281
CVE STATUS: Patched
CVE SUMMARY: Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18281

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-18386
CVE STATUS: Patched
CVE SUMMARY: drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18386

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-18397
CVE STATUS: Patched
CVE SUMMARY: The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18397

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-18445
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18445

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-18559
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18559

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-18690
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE operations with conversion of an attr from short to long form.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18690

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-18710
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18710

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-18955
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18955

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-19406
CVE STATUS: Patched
CVE SUMMARY: kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19406

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-19407
CVE STATUS: Patched
CVE SUMMARY: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19407

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-19824
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19824

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-19854
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option).
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19854

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-19985
CVE STATUS: Patched
CVE SUMMARY: The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19985

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20169
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20169

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20449
CVE STATUS: Patched
CVE SUMMARY: The hidma_chan_stats function in drivers/dma/qcom/hidma_dbg.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading "callback=" lines in a debugfs file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20449

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20509
CVE STATUS: Patched
CVE SUMMARY: The print_binder_ref_olocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading " ref *desc *node" lines in a debugfs file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20509

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20510
CVE STATUS: Patched
CVE SUMMARY: The print_binder_transaction_ilocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading "*from *code *flags" lines in a debugfs file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20510

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20511
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20511

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20669
CVE STATUS: Patched
CVE SUMMARY: An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20669

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20784
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20784

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20836
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20836

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20854
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.20. drivers/phy/mscc/phy-ocelot-serdes.c has an off-by-one error with a resultant ctrl->phys out-of-bounds read.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20854

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20855
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.18.7. In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20855

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20856
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20856

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20961
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20961

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-20976
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20976

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-21008
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.16.7. A use-after-free can be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21008

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-25015
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.14.16. There is a use-after-free in net/sctp/socket.c for a held lock after a peel off, aka CID-a0ff660058b8.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25015

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-25020
CVE STATUS: Patched
CVE SUMMARY: The BPF subsystem in the Linux kernel before 4.17 mishandles situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. This affects kernel/bpf/core.c and net/core/filter.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25020

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5332
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 3.2, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c).
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5332

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5333
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5333

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5344
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5344

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5390
CVE STATUS: Patched
CVE SUMMARY: Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5390

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5391
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5391

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5703
CVE STATUS: Patched
CVE SUMMARY: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11 allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via vectors involving TLS.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5703

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5750
CVE STATUS: Patched
CVE SUMMARY: The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5750

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5803
CVE STATUS: Patched
CVE SUMMARY: In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the "_sctp_make_chunk()" function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5803

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5814
CVE STATUS: Patched
CVE SUMMARY: In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5814

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5873

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5953
CVE STATUS: Patched
CVE SUMMARY: The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a "software IO TLB" printk call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5953

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-5995
CVE STATUS: Patched
CVE SUMMARY: The pcpu_embed_first_chunk function in mm/percpu.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a "pages/cpu" printk call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-6412
CVE STATUS: Patched
CVE SUMMARY: In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6412

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-6554
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6554

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-6555
CVE STATUS: Patched
CVE SUMMARY: The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6555

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-6559
CVE STATUS: Unpatched
CVE SUMMARY: The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files in which they would not normally be able to access via an overlayfs mount inside of a user namespace.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6559

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-6927
CVE STATUS: Patched
CVE SUMMARY: The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6927

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7191
CVE STATUS: Patched
CVE SUMMARY: In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7191

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7273
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7273

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7480
CVE STATUS: Patched
CVE SUMMARY: The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7480

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7492
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7492

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7566
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7566

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7740
CVE STATUS: Patched
CVE SUMMARY: The resv_map_release function in mm/hugetlb.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (BUG) via a crafted application that makes mmap system calls and has a large pgoff argument to the remap_file_pages system call.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7740

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7754
CVE STATUS: Patched
CVE SUMMARY: The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the Linux kernel through 4.16.4rc4 allows local users to obtain sensitive address information by reading "ffree: " lines in a debugfs file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7754

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7755
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7755

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7757
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7757

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-7995
CVE STATUS: Patched
CVE SUMMARY: Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory. NOTE: a third party has indicated that this report is not security relevant
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-8043
CVE STATUS: Patched
CVE SUMMARY: The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8043

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-8087
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c in the Linux kernel through 4.15.9 allows local users to cause a denial of service (memory consumption) by triggering an out-of-array error case.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8087

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-8781
CVE STATUS: Patched
CVE SUMMARY: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8781

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-8822
CVE STATUS: Patched
CVE SUMMARY: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through 4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8822

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-9363
CVE STATUS: Patched
CVE SUMMARY: In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9363

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2018-9568
CVE STATUS: Patched
CVE SUMMARY: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9568

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-0145
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable an escalation of privilege via local access.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-0145

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-10125
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10125

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-10126
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10126

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-10140
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux kernel's, versions up to 3.10, implementation of overlayfs. An attacker with local access can create a denial of service situation via NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10140

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-10142
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the system, corrupt memory, or create other adverse security affects.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10142

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-10207
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10207

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-10220
CVE STATUS: Patched
CVE SUMMARY: Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10220

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-10638
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10638

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-10639
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10639

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11190
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11190

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11191
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 2.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11191

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11477
CVE STATUS: Patched
CVE SUMMARY: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11477

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11478
CVE STATUS: Patched
CVE SUMMARY: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11478

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11479
CVE STATUS: Patched
CVE SUMMARY: Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11479

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11486
CVE STATUS: Patched
CVE SUMMARY: The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11486

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11487
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11487

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11599
CVE STATUS: Patched
CVE SUMMARY: The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11599

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11683
CVE STATUS: Patched
CVE SUMMARY: udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before 5.0.13 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have unspecified other impact via UDP packets with a 0 payload, because of mishandling of padded packets, aka the "GRO packet of death" issue.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11683

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11810
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11810

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11811
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11811

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11815
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11815

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11833
CVE STATUS: Patched
CVE SUMMARY: fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11833

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-11884
CVE STATUS: Patched
CVE SUMMARY: The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\0' character.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12378
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This has been disputed as not an issue
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12378

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12379
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in the Linux kernel through 5.1.5. There is a memory leak in a certain case of an ENOMEM outcome of kmalloc. NOTE: This id is disputed as not being an issue
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12379

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12380
CVE STATUS: Patched
CVE SUMMARY: **DISPUTED** An issue was discovered in the efi subsystem in the Linux kernel through 5.1.5. phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because “All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it.”.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12380

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12381
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: this is disputed because new_ra is never used if it is NULL
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12381

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12382
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance for a NULL pointer dereference
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12382

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12454
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in wcd9335_codec_enable_dec in sound/soc/codecs/wcd9335.c in the Linux kernel through 5.1.5. It uses kstrndup instead of kmemdup_nul, which allows attackers to have an unspecified impact via unknown vectors. NOTE: The vendor disputes this issues as not being a vulnerability because switching to kmemdup_nul() would only fix a security issue if the source string wasn't NUL-terminated, which is not the case
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12454

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12455
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c in the Linux kernel through 5.1.5. There is an unchecked kstrndup of derived_name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This id is disputed as not being an issue because “The memory allocation that was not checked is part of a code that only runs at boot time, before user processes are started. Therefore, there is no possibility for an unprivileged user to control it, and no denial of service.”
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12455

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12456
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the MPT3COMMAND case in _ctl_ioctl_main in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel through 5.1.5. It allows local users to cause a denial of service or possibly have unspecified other impact by changing the value of ioc_number between two kernel reads of that value, aka a "double fetch" vulnerability. NOTE: a third party reports that this is unexploitable because the doubly fetched value is not used
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12456

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12614
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12614

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12615
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup_const of node_info->vdev_port.name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12615

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12817
CVE STATUS: Patched
CVE SUMMARY: arch/powerpc/mm/mmu_context_book3s64.c in the Linux kernel before 5.1.15 for powerpc has a bug where unrelated processes may be able to read/write to one another's virtual memory under certain conditions via an mmap above 512 TB. Only a subset of powerpc systems are affected.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12817

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12818
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.20.15. The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. This affects nfc_llcp_build_gb in net/nfc/llcp_core.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12818

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12819
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free. This will cause a denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12819

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12881
CVE STATUS: Patched
CVE SUMMARY: i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12881

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-12984
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference vulnerability in the function nfc_genl_deactivate_target() in net/nfc/netlink.c in the Linux kernel before 5.1.13 can be triggered by a malicious user-mode program that omits certain NFC attributes, leading to denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12984

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-13233
CVE STATUS: Patched
CVE SUMMARY: In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13233

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-13272
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13272

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-13631
CVE STATUS: Patched
CVE SUMMARY: In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13631

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-13648
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13648

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14283
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14283

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14284
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14284

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14763
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14763

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14814
CVE STATUS: Patched
CVE SUMMARY: There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14814

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14815
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14815

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14816
CVE STATUS: Patched
CVE SUMMARY: There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14816

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14821
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14821

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14835
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14835

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14895
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14896
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14896

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14897
CVE STATUS: Patched
CVE SUMMARY: A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 6.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14897

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14898
CVE STATUS: Patched
CVE SUMMARY: The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14898

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14899
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 7.4
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14899

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-14901
CVE STATUS: Patched
CVE SUMMARY: A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14901

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15030
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15030

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15031
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15031

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15090
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15090

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15098
CVE STATUS: Patched
CVE SUMMARY: drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15098

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15099
CVE STATUS: Patched
CVE SUMMARY: drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15099

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15117
CVE STATUS: Patched
CVE SUMMARY: parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15117

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15118
CVE STATUS: Patched
CVE SUMMARY: check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15118

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15211
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15211

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15212
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15212

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15213
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15213

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15214
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15214

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15215
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15215

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15216
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15216

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15217
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15217

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15218
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15218

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15219
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15219

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15220
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15220

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15221
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15221

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15222
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15222

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15223
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15223

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15239
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15239

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15291
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15291

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15292
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15292

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15504
CVE STATUS: Patched
CVE SUMMARY: drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a Double Free via crafted USB device traffic (which may be remote via usbip or usbredir).
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15504

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15505
CVE STATUS: Patched
CVE SUMMARY: drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via crafted USB device traffic (which may be remote via usbip or usbredir).
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15505

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15538
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15538

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15666
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in __xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandles directory validation.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15666

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15791
CVE STATUS: Patched
CVE SUMMARY: In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15791

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15792
CVE STATUS: Patched
CVE SUMMARY: In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resulting file* into shiftfs_real_fdget(), which casts file->private_data, a void* that points to a filesystem-dependent type, to a "struct shiftfs_file_info *". As the private_data is not required to be a pointer, an attacker can use this to cause a denial of service or possibly execute arbitrary code.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15792

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15793
CVE STATUS: Patched
CVE SUMMARY: In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were translating them into init_user_ns, whereas they should have been translated into the s_user_ns for the lower filesystem. This resulted in using ids other than the intended ones in the lower fs, which likely did not map into the shifts s_user_ns. A local attacker could use this to possibly bypass discretionary access control permissions.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15793

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15794
CVE STATUS: Patched
CVE SUMMARY: Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15794

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15807
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15807

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15902
CVE STATUS: Patched
CVE SUMMARY: A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15902

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15916
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15916

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15917
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15917

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15918
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.10. SMB2_negotiate in fs/cifs/smb2pdu.c has an out-of-bounds read because data structures are incompletely updated after a change from smb30 to smb21.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15918

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15919
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.10. SMB2_write in fs/cifs/smb2pdu.c has a use-after-free.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15919

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15920
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.10. SMB2_read in fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was not fixed correctly in 5.0.10; see the 5.0.11 ChangeLog, which documents a memory leak.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15920

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15921
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15921

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15922
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a pf data structure if alloc_disk fails in drivers/block/paride/pf.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15922

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15923
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a cd data structure if alloc_disk fails in drivers/block/paride/pf.c.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15923

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15924
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.11. fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c has a NULL pointer dereference because there is no -ENOMEM upon an alloc_workqueue failure.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15924

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15925
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2.3. An out of bounds access exists in the function hclge_tm_schd_mode_vnet_base_cfg in the file drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15925

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15926
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c.
CVSS v2 BASE SCORE: 9.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15926

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-15927
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15927

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16089
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16089

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16229
CVE STATUS: Patched
CVE SUMMARY: drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issues as not being serious enough to be deserving a CVE id
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16229

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16230
CVE STATUS: Patched
CVE SUMMARY: drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. It is not attacker controllable and OOM at that time is highly unlikely
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16230

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16231
CVE STATUS: Patched
CVE SUMMARY: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16231

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16232
CVE STATUS: Patched
CVE SUMMARY: drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16232

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16233
CVE STATUS: Patched
CVE SUMMARY: drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16233

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16234
CVE STATUS: Patched
CVE SUMMARY: drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16234

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16413
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16413

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16714
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16714

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16746
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16746

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16921
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16921

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16994
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16994

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-16995
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.0.3, a memory leak exits in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-17052
CVE STATUS: Patched
CVE SUMMARY: ax25_create in net/ax25/af_ax25.c in the AF_AX25 network module in the Linux kernel 3.16 through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-0614e2b73768.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17052

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-17053
CVE STATUS: Patched
CVE SUMMARY: ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-17054
CVE STATUS: Patched
CVE SUMMARY: atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-6cc03e8aa36c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17054

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-17055
CVE STATUS: Patched
CVE SUMMARY: base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17055

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-17056
CVE STATUS: Patched
CVE SUMMARY: llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-17075
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable. This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an architecture for which this stack/DMA interaction has security relevance.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-17133
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17133

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-17351
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17351

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-17666
CVE STATUS: Patched
CVE SUMMARY: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17666

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18198
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18198

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18282
CVE STATUS: Patched
CVE SUMMARY: The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18282

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18660
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18675
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18675

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18680
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 4.4.x before 4.4.195. There is a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service, aka CID-91573ae4aed0.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18680

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18683
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18683

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18786
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.3.8, f->fmt.sdr.reserved is uninitialized in rcar_drif_g_fmt_sdr_cap in drivers/media/platform/rcar_drif.c, which could cause a memory disclosure problem.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18786

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18805
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18805

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18806
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18806

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18807
CVE STATUS: Patched
CVE SUMMARY: Two memory leaks in the sja1105_static_config_upload() function in drivers/net/dsa/sja1105/sja1105_spi.c in the Linux kernel before 5.3.5 allow attackers to cause a denial of service (memory consumption) by triggering static_config_buf_prepare_for_upload() or sja1105_inhibit_tx() failures, aka CID-68501df92d11.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18807

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18808
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18808

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18809
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-2289adbfa559.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18809

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18810
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the komeda_wb_connector_add() function in drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering drm_writeback_connector_init() failures, aka CID-a0ecd6fdbf5d.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18810

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18811
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering sof_get_ctrl_copy_params() failures, aka CID-45c1380358b1.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18811

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18812
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the sof_dfsentry_write() function in sound/soc/sof/debug.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-c0a333d842ef.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18812

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18813
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures, aka CID-9bbfceea12a8.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18813

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18814
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse() fails in aa_audit_rule_init() in security/apparmor/audit.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18814

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-18885
CVE STATUS: Patched
CVE SUMMARY: fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18885

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19036
CVE STATUS: Patched
CVE SUMMARY: btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19036

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19037
CVE STATUS: Patched
CVE SUMMARY: ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19037

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19039
CVE STATUS: Patched
CVE SUMMARY: __btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issues as not being a vulnerability because “1) The kernel provide facilities to restrict access to dmesg - dmesg_restrict=1 sysctl option. So it's really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered valid this would mean there are literally thousands CVE lurking in the kernel - something which clearly is not the case.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19043
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the i40e_setup_macvlans() function in drivers/net/ethernet/intel/i40e/i40e_main.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering i40e_setup_channel() failures, aka CID-27d461333459.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19043

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19044
CVE STATUS: Patched
CVE SUMMARY: Two memory leaks in the v3d_submit_cl_ioctl() function in drivers/gpu/drm/v3d/v3d_gem.c in the Linux kernel before 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering kcalloc() or v3d_job_init() failures, aka CID-29cd13cfd762.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19044

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19045
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the mlx5_fpga_conn_create_cq() function in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19045

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19046
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19046

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19047
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the mlx5_fw_fatal_reporter_dump() function in drivers/net/ethernet/mellanox/mlx5/core/health.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_crdump_collect() failures, aka CID-c7ed6d0183d5.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19047

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19048
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the crypto_reportstat() function in drivers/virt/vboxguest/vboxguest_utils.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering copy_form_user() failures, aka CID-e0b0cb938864.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19048

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19049
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel before 5.3.10 allows attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures, aka CID-e13de8fe0d6a. NOTE: third parties dispute the relevance of this because unittest.c can only be reached during boot
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19049

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19050
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the crypto_reportstat() function in crypto/crypto_user_stat.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_reportstat_alg() failures, aka CID-c03b04dcdba1.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19050

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19051
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19051

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19052
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-fb5be6a7b486.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19052

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19053
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpmsg/rpmsg_char.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy_from_iter_full() failures, aka CID-bbe692e349e2.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19054
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19054

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19055
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19055

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19056
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19057
CVE STATUS: Patched
CVE SUMMARY: Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19057

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19058
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19058

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19059
CVE STATUS: Patched
CVE SUMMARY: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19059

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19060
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19060

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19061
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19061

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19062
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19062

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19063
CVE STATUS: Patched
CVE SUMMARY: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19063

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19064
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the fsl_lpspi_probe() function in drivers/spi/spi-fsl-lpspi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering pm_runtime_get_sync() failures, aka CID-057b8945f78f. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control these failures at probe time
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19064

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19065
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CID-34b3be18a04e. NOTE: This has been disputed as not a vulnerability because "rhashtable_init() can only fail if it is passed invalid values in the second parameter's struct, but when invoked from sdma_init() that is a pointer to a static const struct, so an attacker could only trigger failure if they could corrupt kernel memory (in which case a small memory leak is not a significant problem).
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19065

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19066
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19067
CVE STATUS: Patched
CVE SUMMARY: Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third parties dispute the relevance of this because the attacker must already have privileges for module loading
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19067

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19068
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-a2cdd07488e6.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19068

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19069
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the fastrpc_dma_buf_attach() function in drivers/misc/fastrpc.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering dma_get_sgtable() failures, aka CID-fc739a058d99.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19069

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19070
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the spi_gpio_probe() function in drivers/spi/spi-gpio.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering devm_add_action_or_reset() failures, aka CID-d3b0ffa1d75d. NOTE: third parties dispute the relevance of this because the system must have already been out of memory before the probe began
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19070

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19071
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19071

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19072
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19072

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19073
CVE STATUS: Patched
CVE SUMMARY: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19073

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19074
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19075
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19076
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the nfp_abm_u32_knode_replace() function in drivers/net/ethernet/netronome/nfp/abm/cls.c in the Linux kernel before 5.3.6 allows attackers to cause a denial of service (memory consumption), aka CID-78beef629fd9. NOTE: This has been argued as not a valid vulnerability. The upstream commit 78beef629fd9 was reverted
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19077
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy to udata failures, aka CID-4a9d46a9fe14.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19078
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19079
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the qrtr_tun_write_iter() function in net/qrtr/tun.c in the Linux kernel before 5.3 allows attackers to cause a denial of service (memory consumption), aka CID-a21b7f0cff19.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19080
CVE STATUS: Patched
CVE SUMMARY: Four memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allow attackers to cause a denial of service (memory consumption), aka CID-8572cea1461a.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19081
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allows attackers to cause a denial of service (memory consumption), aka CID-8ce39eb5a67a.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19081

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19082
CVE STATUS: Patched
CVE SUMMARY: Memory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption). This affects the dce120_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, the dce100_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, and the dce112_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, aka CID-104c307147ad.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19082

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19083
CVE STATUS: Patched
CVE SUMMARY: Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption). This affects the dce112_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, the dce100_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, the dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c, the dce120_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, and the dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c, aka CID-055e547478a1.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19227
CVE STATUS: Patched
CVE SUMMARY: In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19227

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19241
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19241

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19252
CVE STATUS: Patched
CVE SUMMARY: vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19252

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19318
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can cause an rwsem_down_write_slowpath use-after-free because (in rwsem_can_spin_on_owner in kernel/locking/rwsem.c) rwsem_owner_flags returns an already freed pointer,
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19318

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19319
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call, aka CID-345c0dbf3a30.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19319

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19332
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19332

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19338
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19338

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19377
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19377

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19378
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19378

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19447
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19447

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19448
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19448

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19449
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can lead to slab-out-of-bounds read access in f2fs_build_segment_manager in fs/f2fs/segment.c, related to init_min_max_mtime in fs/f2fs/segment.c (because the second argument to get_seg_entry is not validated).
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19449

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19462
CVE STATUS: Patched
CVE SUMMARY: relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19462

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19523
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19523

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19524
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19524

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19525
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19526
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19526

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19527
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19527

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19528
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19528

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19529
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19529

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19530
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19530

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19531
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19531

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19532
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19532

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19533
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 2.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19533

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19534
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 2.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19534

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19535
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19535

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19536
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19536

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19537
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19537

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19543
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.1.6, there is a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19543

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19602
CVE STATUS: Patched
CVE SUMMARY: fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux kernel before 5.4.2, when GCC 9 is used, allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact because of incorrect fpu_fpregs_owner_ctx caching, as demonstrated by mishandling of signal-based non-cooperative preemption in Go 1.14 prereleases on amd64, aka CID-59c4bd853abc.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19602

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19767
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19767

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19768
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19768

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19769
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function (related to include/trace/events/lock.h).
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 6.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19769

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19770
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 4.19.83, there is a use-after-free (read) in the debugfs_remove function in fs/debugfs/inode.c (which is used to remove a file or directory in debugfs that was previously created with a call to another debugfs function such as debugfs_create_file). NOTE: Linux kernel developers dispute this issue as not being an issue with debugfs, instead this is an issue with misuse of debugfs within blktrace
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19770

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19807
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19807

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19813
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19813

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19814
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19814

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19815
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause a NULL pointer dereference in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This is related to F2FS_P_SB in fs/f2fs/f2fs.h.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19815

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19816
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image and performing some operations can cause slab-out-of-bounds write access in __btrfs_map_block in fs/btrfs/volumes.c, because a value of 1 for the number of data stripes is mishandled.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19816

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19922
CVE STATUS: Patched
CVE SUMMARY: kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19922

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19927
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on kernel.ubuntu.com), mounting a crafted f2fs filesystem image and performing some operations can lead to slab-out-of-bounds read access in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c. This is related to the vmwgfx or ttm module.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19927

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19947
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19947

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19965
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19965

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-19966
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19966

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20054
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20054

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20095
CVE STATUS: Patched
CVE SUMMARY: mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20096
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20096

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20422
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.3.4, fib6_rule_lookup in net/ipv6/ip6_fib.c mishandles the RT6_LOOKUP_F_DST_NOREF flag in a reference-count decision, leading to (for example) a crash that was identified by syzkaller, aka CID-7b09c2d052db.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20422

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20636
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20636

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20794
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20794

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20806
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2. There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20806

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20810
CVE STATUS: Patched
CVE SUMMARY: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20810

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20811
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20811

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20812
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20812

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20908
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20908

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-20934
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-25044
CVE STATUS: Patched
CVE SUMMARY: The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-25044

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-25045
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-25045

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-25160
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netlabel: fix out-of-bounds memory accesses

There are two array out-of-bounds memory accesses, one in
cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk().  Both
errors are embarassingly simple, and the fixes are straightforward.

As a FYI for anyone backporting this patch to kernels prior to v4.8,
you'll want to apply the netlbl_bitmap_walk() patch to
cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
Linux v4.8.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-25160

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-25162
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i2c: Fix a potential use after free

Free the adap structure only after we are done using it.
This patch just moves the put_device() down a bit to avoid the
use after free.

[wsa: added comment to the code, added Fixes tag]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-25162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3016
CVE STATUS: Unpatched
CVE SUMMARY: In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3016

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3459
CVE STATUS: Patched
CVE SUMMARY: A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3459

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3460
CVE STATUS: Patched
CVE SUMMARY: A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3460

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3701
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user "root" with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3701

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3819
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ("root") can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3819

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3837
CVE STATUS: Patched
CVE SUMMARY: It was found that the net_dma code in tcp_recvmsg() in the 2.6.32 kernel as shipped in RHEL6 is thread-unsafe. So an unprivileged multi-threaded userspace application calling recvmsg() for the same network socket in parallel executed on ioatdma-enabled hardware with net_dma enabled can leak the memory, crash the host leading to a denial-of-service or cause a random memory corruption.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3837

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3846
CVE STATUS: Patched
CVE SUMMARY: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 8.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3846

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3874
CVE STATUS: Patched
CVE SUMMARY: The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 5.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3874

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3882
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3882

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3887
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Rregister (MSR) access with nested(=1) virtualization enabled. In that, L1 guest could access L0's APIC register values via L2 guest, when 'virtualize x2APIC mode' is enabled. A guest could use this flaw to potentially crash the host kernel resulting in DoS issue. Kernel versions from 4.16 and newer are vulnerable to this issue.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3887

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3896
CVE STATUS: Patched
CVE SUMMARY: A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3896

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3900
CVE STATUS: Patched
CVE SUMMARY: An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3900

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-3901
CVE STATUS: Patched
CVE SUMMARY: A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3901

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-5108
CVE STATUS: Patched
CVE SUMMARY: An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 7.4
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5108

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-5489
CVE STATUS: Patched
CVE SUMMARY: The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5489

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-6974
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6974

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-7221
CVE STATUS: Patched
CVE SUMMARY: The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7221

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-7222
CVE STATUS: Patched
CVE SUMMARY: The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7222

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-7308
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7308

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-8912
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-8956
CVE STATUS: Patched
CVE SUMMARY: In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the "sctp_sendmsg()" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8956

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-8980
CVE STATUS: Patched
CVE SUMMARY: A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8980

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-9003
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9003

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-9162
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-9213
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9213

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-9500
CVE STATUS: Patched
CVE SUMMARY: The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited with compromised chipsets to compromise the host, or when used in combination with CVE-2019-9503, can be used remotely. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
CVSS v2 BASE SCORE: 7.9
CVSS v3 BASE SCORE: 7.9
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9500

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2019-9857
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). Finally, this will cause a denial of service.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9857

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10690
CVE STATUS: Patched
CVE SUMMARY: There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10690

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10711
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10711

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10720
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an attacker with local access to crash the system.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10720

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10732
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10732

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10742
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10742

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10757
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10757

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10766
CVE STATUS: Patched
CVE SUMMARY: A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10766

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10767
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to perform a Spectre V2 style attack when this configuration is active. The highest threat from this vulnerability is to confidentiality.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10767

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10768
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux Kernel before 5.8-rc1 in the prctl() function, where it can be used to enable indirect branch speculation after it has been disabled. This call incorrectly reports it as being 'force disabled' when it is not and opens the system to Spectre v2 attacks. The highest threat from this vulnerability is to confidentiality.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10768

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10773
CVE STATUS: Patched
CVE SUMMARY: A stack information leak flaw was found in s390/s390x in the Linux kernel’s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10773

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10774
CVE STATUS: Patched
CVE SUMMARY: A memory disclosure flaw was found in the Linux kernel's versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10774

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10781
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10781

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-10942
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10942

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-11494
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel 3.16 through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11494

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-11565
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue “is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.”
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11565

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-11608
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11608

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-11609
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11609

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-11668
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11668

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-11669
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.2 on the powerpc platform. arch/powerpc/kernel/idle_book3s.S does not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka CID-53a712bae5dd.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11669

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-11725
CVE STATUS: Patched
CVE SUMMARY: snd_ctl_elem_add in sound/core/control.c in the Linux kernel through 5.6.3 has a count=info->owner line, which later affects a private_size*count multiplication for unspecified "interesting side effects." NOTE: kernel engineers dispute this finding, because it could be relevant only if new callers were added that were unfamiliar with the misuse of the info->owner field to represent data unrelated to the "owner" concept. The existing callers, SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE, have been designed to misuse the info->owner field in a safe way
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11725

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-11884
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 4.19 through 5.6.7 on the s390 platform, code execution may occur because of a race condition, as demonstrated by code in enable_sacf_uaccess in arch/s390/lib/uaccess.c that fails to protect against a concurrent page table upgrade, aka CID-3f777e19d171. A crash could also occur.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12114
CVE STATUS: Patched
CVE SUMMARY: A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12114

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12351
CVE STATUS: Patched
CVE SUMMARY: Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12351

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12352
CVE STATUS: Patched
CVE SUMMARY: Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12352

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12464
CVE STATUS: Patched
CVE SUMMARY: usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12464

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12465
CVE STATUS: Patched
CVE SUMMARY: An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12465

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12652
CVE STATUS: Patched
CVE SUMMARY: The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a "double fetch" vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states "The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power."
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12652

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12653
CVE STATUS: Patched
CVE SUMMARY: An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in drivers/net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12653

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12654
CVE STATUS: Patched
CVE SUMMARY: An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy, aka CID-3a9b153c5591.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.1
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12654

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12655
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12655

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12656
CVE STATUS: Patched
CVE SUMMARY: gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available. It is a problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a privileged operation. A user could also write a kernel module to consume any amount of memory they like and load that replicating the effect of this bug
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12656

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12657
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.6.5. There is a use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12657

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12659
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) because of a lack of headroom validation.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12659

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12768
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it's a one-time leak at the boot, the size is negligible, and it can't be triggered at will
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12768

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12769
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.4.17. drivers/spi/spi-dw.c allows attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one, aka CID-19b61392c5a8.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12769

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12770
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12770

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12771
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12771

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12826
CVE STATUS: Patched
CVE SUMMARY: A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12826

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-12888
CVE STATUS: Patched
CVE SUMMARY: The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12888

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-13143
CVE STATUS: Patched
CVE SUMMARY: gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel 3.16 through 5.6.13 relies on kstrdup without considering the possibility of an internal '\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13143

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-13974
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 4.4 through 5.7.1. drivers/tty/vt/keyboard.c has an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. NOTE: Members in the community argue that the integer overflow does not lead to a security issue in this case.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13974

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14304
CVE STATUS: Patched
CVE SUMMARY: A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14304

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14305
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14305

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14314
CVE STATUS: Patched
CVE SUMMARY: A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14314

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14331
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel’s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14331

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14351
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14351

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14356
CVE STATUS: Patched
CVE SUMMARY: A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found in the way when reboot the system. A local user could use this flaw to crash the system or escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14356

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14381
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel’s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14381

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14385
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14385

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14386
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14386

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14390
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14390

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-14416
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.4.16, a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14416

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-15393
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 4.4 through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15393

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-15436
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15436

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-15437
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15437

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-15780
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15780

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-15852
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15852

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-16119
CVE STATUS: Unpatched
CVE SUMMARY: Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16119

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-16120
CVE STATUS: Patched
CVE SUMMARY: Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops"). This was fixed in kernel version 5.8 by commits 56230d9 ("ovl: verify permissions in ovl_path_open()"), 48bd024 ("ovl: switch to mounter creds in readdir") and 05acefb ("ovl: check permission to open real file"). Additionally, commits 130fdbc ("ovl: pass correct flags for opening real directory") and 292f902 ("ovl: call secutiry hook in ovl_real_ioctl()") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da ("ovl: do not fail because of O_NOATIMEi") in kernel 5.11.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16120

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-16166
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16166

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-1749
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1749

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-24394
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24394

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-24586
CVE STATUS: Patched
CVE SUMMARY: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24586

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-24587
CVE STATUS: Patched
CVE SUMMARY: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
CVSS v2 BASE SCORE: 1.8
CVSS v3 BASE SCORE: 2.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24587

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-24588
CVE STATUS: Patched
CVE SUMMARY: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24588

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25211
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25211

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25212
CVE STATUS: Patched
CVE SUMMARY: A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25212

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25220
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch. This is related to the cgroups feature.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25220

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25221
CVE STATUS: Patched
CVE SUMMARY: get_gate_page in mm/gup.c in the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows privilege escalation because of incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page. The result is a refcount underflow. This can be triggered by any 64-bit process that can use ptrace() or process_vm_readv(), aka CID-9fa2dd946743.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25221

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25284
CVE STATUS: Patched
CVE SUMMARY: The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25284

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25285
CVE STATUS: Patched
CVE SUMMARY: A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25285

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25639
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to crash the system.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25639

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25641
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25641

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25643
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25643

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25645
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25645

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25656
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25656

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25668
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25668

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25669
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25669

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25670
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25670

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25671
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25671

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25672
CVE STATUS: Unpatched
CVE SUMMARY: A memory leak vulnerability was found in Linux kernel in llcp_sock_connect
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25672

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25673
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25673

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25704
CVE STATUS: Patched
CVE SUMMARY: A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25704

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-25705
CVE STATUS: Patched
CVE SUMMARY: A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25705

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-26088
CVE STATUS: Patched
CVE SUMMARY: A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2 could be used by local attackers to create raw sockets, bypassing security mechanisms, aka CID-26896f01467a.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26088

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-26147
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
CVSS v2 BASE SCORE: 3.2
CVSS v3 BASE SCORE: 5.4
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26147

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-26541
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. This affects certs/blacklist.c and certs/system_keyring.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26541

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-26558
CVE STATUS: Patched
CVE SUMMARY: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.2
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26558

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27152
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before 5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering, aka CID-77377064c3a9.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27152

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27170
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27170

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27171
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27171

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27194
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit values, aka CID-5b9fbeb75b6a.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27194

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27673
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27673

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27675
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27675

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27777
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27777

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27784
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27784

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27786
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27786

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27815
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27815

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27820
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux kernel, where a use-after-frees in nouveau's postclose() handler could happen if removing device (that is not common to remove video card physically without power-off, but same happens if "unbind" the driver).
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27820

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27825
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 5.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27825

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-27830
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27830

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-28097
CVE STATUS: Patched
CVE SUMMARY: The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 5.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28097

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-28374
CVE STATUS: Patched
CVE SUMMARY: In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.
CVSS v2 BASE SCORE: 5.5
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28374

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-28588
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it’s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28588

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-28915
CVE STATUS: Patched
CVE SUMMARY: A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 5.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28915

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-28941
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28941

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-28974
CVE STATUS: Patched
CVE SUMMARY: A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 5.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28974

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29368
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29368

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29369
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29369

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29370
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29370

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29371
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29371

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29372
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition between coredump operations and the IORING_OP_MADVISE implementation, aka CID-bc0c4d1e176e.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29372

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29373
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6. It unsafely handles the root directory during path lookups, and thus a process inside a mount namespace can escape to unintended filesystem locations, aka CID-ff002b30181d.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29373

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29374
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 3.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29374

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29534
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29534

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29569
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29569

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29660
CVE STATUS: Patched
CVE SUMMARY: A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-29661
CVE STATUS: Patched
CVE SUMMARY: A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29661

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-35499
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw in Linux kernel versions prior to 5.11 may be seen if sco_sock_getsockopt function in net/bluetooth/sco.c do not have a sanity check for a socket connection, when using BT_SNDMTU/BT_RCVMTU for SCO sockets. This could allow a local attacker with a special user privilege to crash the system (DOS) or leak kernel internal information.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35499

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-35501
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 3.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35501

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-35508
CVE STATUS: Patched
CVE SUMMARY: A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux kernel child/parent process identification handling while filtering signal handlers. A local attacker is able to abuse this flaw to bypass checks to send any signal to a privileged process.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 4.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35508

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-35513
CVE STATUS: Patched
CVE SUMMARY: A flaw incorrect umask during file or directory modification in the Linux kernel NFS (network file system) functionality was found in the way user create and delete object using NFSv4.2 or newer if both simultaneously accessing the NFS by the other process that is not using new NFSv4.2. A user with access to the NFS could use this flaw to starve the resources causing denial of service.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35513

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-35519
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35519

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36158
CVE STATUS: Patched
CVE SUMMARY: mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36158

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36310
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36310

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36311
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36311

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36312
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36312

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36313
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.7. The KVM subsystem allows out-of-range access to memslots after a deletion, aka CID-0774a964ef56. This affects arch/s390/kvm/kvm-s390.c, include/linux/kvm_host.h, and virt/kvm/kvm_main.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36313

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36322
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36322

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36385
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36385

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36386
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36386

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36387
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36387

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36516
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36516

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36557
CVE STATUS: Patched
CVE SUMMARY: A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36557

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36558
CVE STATUS: Patched
CVE SUMMARY: A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36558

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36691
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.8. lib/nlattr.c allows attackers to cause a denial of service (unbounded recursion) via a nested Netlink policy with a back reference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36691

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36694
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36694

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36766
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.8.6. drivers/media/cec/core/cec-api.c leaks one byte of kernel memory on specific hardware to unprivileged users, because of directly assigning log_addrs with a hole in the struct.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36766

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36775
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid potential deadlock

Using f2fs_trylock_op() in f2fs_write_compressed_pages() to avoid potential
deadlock like we did in f2fs_write_single_data_page().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36775

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36776
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal/drivers/cpufreq_cooling: Fix slab OOB issue

Slab OOB issue is scanned by KASAN in cpu_power_to_freq().
If power is limited below the power of OPP0 in EM table,
it will cause slab out-of-bound issue with negative array
index.

Return the lowest frequency if limited power cannot found
a suitable OPP in EM table to fix this issue.

Backtrace:
[<ffffffd02d2a37f0>] die+0x104/0x5ac
[<ffffffd02d2a5630>] bug_handler+0x64/0xd0
[<ffffffd02d288ce4>] brk_handler+0x160/0x258
[<ffffffd02d281e5c>] do_debug_exception+0x248/0x3f0
[<ffffffd02d284488>] el1_dbg+0x14/0xbc
[<ffffffd02d75d1d4>] __kasan_report+0x1dc/0x1e0
[<ffffffd02d75c2e0>] kasan_report+0x10/0x20
[<ffffffd02d75def8>] __asan_report_load8_noabort+0x18/0x28
[<ffffffd02e6fce5c>] cpufreq_power2state+0x180/0x43c
[<ffffffd02e6ead80>] power_actor_set_power+0x114/0x1d4
[<ffffffd02e6fac24>] allocate_power+0xaec/0xde0
[<ffffffd02e6f9f80>] power_allocator_throttle+0x3ec/0x5a4
[<ffffffd02e6ea888>] handle_thermal_trip+0x160/0x294
[<ffffffd02e6edd08>] thermal_zone_device_check+0xe4/0x154
[<ffffffd02d351cb4>] process_one_work+0x5e4/0xe28
[<ffffffd02d352f44>] worker_thread+0xa4c/0xfac
[<ffffffd02d360124>] kthread+0x33c/0x358
[<ffffffd02d289940>] ret_from_fork+0xc/0x18
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36776

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-36777
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: dvbdev: Fix memory leak in dvb_media_device_free()

dvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn`
before setting it to NULL, as documented in include/media/media-device.h:
"The media_entity instance itself must be freed explicitly by the driver
if required."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36777

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-7053
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 4.14 longterm through 4.14.165 and 4.19 longterm through 4.19.96 (and 5.x before 5.2), there is a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c. This is related to i915_gem_context_destroy_ioctl in drivers/gpu/drm/i915/i915_gem_context.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-8428
CVE STATUS: Patched
CVE SUMMARY: fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8428

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-8647
CVE STATUS: Patched
CVE SUMMARY: There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8647

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-8648
CVE STATUS: Patched
CVE SUMMARY: There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8648

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-8649
CVE STATUS: Patched
CVE SUMMARY: There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 5.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8649

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-8834
CVE STATUS: Unpatched
CVE SUMMARY: KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were two commits that, according to the reporter, introduced the vulnerability: f024ee098476 ("KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures") 87a11bb6a7f7 ("KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode") The former landed in 4.8, the latter in 4.17. This was fixed without realizing the impact in 4.18 with the following three commits, though it's believed the first is the only strictly necessary commit: 6f597c6b63b6 ("KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()") 7b0e827c6970 ("KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm") 009c872a8bc4 ("KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file")
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8834

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-8835
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8835

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-8992
CVE STATUS: Patched
CVE SUMMARY: ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8992

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-9383
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9383

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2020-9391
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9391

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20177
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the system. Kernel before kernel 5.5-rc1 is affected.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20177

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20194
CVE STATUS: Unpatched
CVE SUMMARY: There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20194

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20219
CVE STATUS: Patched
CVE SUMMARY: A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could delay the loop (due to a changing ldata->read_head, and a missing sanity check) and cause a threat to the system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20219

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20226
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the io_uring in Linux kernel, where a local attacker with a user privilege could cause a denial of service problem on the system The issue results from the lack of validating the existence of an object prior to performing operations on the object by not incrementing the file reference counter while in use. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20226

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20239
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20239

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20261
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver software. The impact of this issue is lessened by the fact that the default permissions on the floppy device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20261

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20265
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20265

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20268
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20268

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20292
CVE STATUS: Patched
CVE SUMMARY: There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20292

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20317
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A corrupted timer tree caused the task wakeup to be missing in the timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker with special user privileges to cause a denial of service, slowing and eventually stopping the system while running OSP.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20317

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20320
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. In this flaw, a local attacker with special user privilege can circumvent the verifier and may lead to a confidentiality problem.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20320

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20321
CVE STATUS: Patched
CVE SUMMARY: A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20321

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-20322
CVE STATUS: Patched
CVE SUMMARY: A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20322

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-21781
CVE STATUS: Patched
CVE SUMMARY: An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process’s memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222 4.19.177 5.4.99 5.10.17 5.11
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-21781

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-22543
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22543

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-22555
CVE STATUS: Patched
CVE SUMMARY: A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22555

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-22600
CVE STATUS: Patched
CVE SUMMARY: A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22600

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-23133
CVE STATUS: Patched
CVE SUMMARY: A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23133

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-23134
CVE STATUS: Patched
CVE SUMMARY: Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23134

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-26708
CVE STATUS: Patched
CVE SUMMARY: A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26708

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-26930
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case, an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery from the error. This affects drivers/block/xen-blkback/blkback.c.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26930

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-26931
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26931

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-26932
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-26934
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-27363
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27363

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-27364
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27364

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-27365
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27365

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28038
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28038

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28039
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28375
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28375

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28660
CVE STATUS: Patched
CVE SUMMARY: rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28688
CVE STATUS: Patched
CVE SUMMARY: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28688

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28691
CVE STATUS: Patched
CVE SUMMARY: Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28691

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28714
CVE STATUS: Patched
CVE SUMMARY: Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28714

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28715
CVE STATUS: Patched
CVE SUMMARY: Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28715

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28950
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A "stall on CPU" can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28950

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28951
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/io_uring.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (deadlock) because exit may be waiting to park a SQPOLL thread, but concurrently that SQPOLL thread is waiting for a signal to start, aka CID-3ebba796fa25.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28952
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. (This has been fixed in 5.12-rc4.)
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28952

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28964
CVE STATUS: Patched
CVE SUMMARY: A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28964

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28971
CVE STATUS: Patched
CVE SUMMARY: In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28971

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-28972
CVE STATUS: Patched
CVE SUMMARY: In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28972

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29154
CVE STATUS: Patched
CVE SUMMARY: BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29154

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29155
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29155

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29264
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled, aka CID-d8861bab48b6.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29264

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29265
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29265

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29266
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.9. drivers/vhost/vdpa.c has a use-after-free because v->config_ctx has an invalid value upon re-opening a character device, aka CID-f6bbf0010ba0.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29266

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29646
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29646

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29647
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29647

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29648
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.11. The BPF subsystem does not properly consider that resolved_ids and resolved_sizes are intentionally uninitialized in the vmlinux BPF Type Format (BTF), which can cause a system crash upon an unexpected access attempt (in map_create in kernel/bpf/syscall.c or check_btf_info in kernel/bpf/verifier.c), aka CID-350a5c4dd245.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29648

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29649
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak, related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/preload/bpf_preload_kern.c, aka CID-f60a85cad677.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29649

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29650
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29650

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-29657
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a756. This occurs because of a TOCTOU race condition associated with a VMCB12 double fetch in nested_svm_vmrun.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29657

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-30002
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-30002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-30178
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.11.11. synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-30178

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-31440
CVE STATUS: Patched
CVE SUMMARY: This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31440

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3178
CVE STATUS: Patched
CVE SUMMARY: fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior
CVSS v2 BASE SCORE: 5.5
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3178

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-31829
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31829

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-31916
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31916

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-32078
CVE STATUS: Patched
CVE SUMMARY: An Out-of-Bounds Read was discovered in arch/arm/mach-footbridge/personal-pci.c in the Linux kernel through 5.12.11 because of the lack of a check for a value that shouldn't be negative, e.g., access to element -2 of an array, aka CID-298a58e165e4.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-32399
CVE STATUS: Patched
CVE SUMMARY: net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32399

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-32606
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32606

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-33033
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33033

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-33034
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33034

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-33200
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33200

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3347
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3347

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3348
CVE STATUS: Patched
CVE SUMMARY: nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3348

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-33624
CVE STATUS: Patched
CVE SUMMARY: In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33624

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-33655
CVE STATUS: Patched
CVE SUMMARY: When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33655

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-33656
CVE STATUS: Patched
CVE SUMMARY: When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33656

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-33909
CVE STATUS: Patched
CVE SUMMARY: fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3411
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel in versions prior to 5.10. A violation of memory access was found while detecting a padding of int3 in the linking state. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3411

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3428
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A denial of service problem is identified if an extent tree is corrupted in a crafted ext4 filesystem in fs/ext4/extents.c in ext4_es_cache_extent. Fabricating an integer overflow, A local attacker with a special user privilege may cause a system crash problem which can lead to an availability threat.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3428

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3444
CVE STATUS: Patched
CVE SUMMARY: The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3444

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-34556
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-34556

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-34693
CVE STATUS: Patched
CVE SUMMARY: net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-34693

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3483
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3483

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-34866
CVE STATUS: Patched
CVE SUMMARY: This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs, which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-14689.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-34866

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3489
CVE STATUS: Patched
CVE SUMMARY: The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") (v5.8-rc1).
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3489

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3490
CVE STATUS: Patched
CVE SUMMARY: The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf:Fix a verifier failure with xor") ( 5.10-rc1).
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3490

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3491
CVE STATUS: Patched
CVE SUMMARY: The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1).
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3491

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3501
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3501

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-35039
CVE STATUS: Patched
CVE SUMMARY: kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a module.sig_enforce=1 command-line argument.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3506
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 5.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3506

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-35477
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35477

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3564
CVE STATUS: Unpatched
CVE SUMMARY: A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3564

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3573
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3573

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3600
CVE STATUS: Patched
CVE SUMMARY: It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3600

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3609
CVE STATUS: Patched
CVE SUMMARY: .A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3609

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3612
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3612

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3635
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3635

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3640
CVE STATUS: Patched
CVE SUMMARY: A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3640

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3653
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "int_ctl" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.
CVSS v2 BASE SCORE: 6.1
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3653

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3655
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3655

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3656
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3656

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3659
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel’s IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3659

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3669
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel. Measuring usage of the shared memory does not scale with large shared memory segment counts which could lead to resource exhaustion and DoS.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3669

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3679
CVE STATUS: Patched
CVE SUMMARY: A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3679

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3714
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3714

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3715
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3715

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-37159
CVE STATUS: Patched
CVE SUMMARY: hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37159

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3732
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be accessible.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3732

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3736
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A memory leak problem was found in mbochs_ioctl in samples/vfio-mdev/mbochs.c in Virtual Function I/O (VFIO) Mediated devices. This flaw could allow a local attacker to leak internal kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3736

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3739
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel, where triggering the bug requires ‘CAP_SYS_ADMIN’. This flaw allows a local attacker to crash the system or leak kernel internal information. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3739

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3743
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3743

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3744
CVE STATUS: Patched
CVE SUMMARY: A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption). This vulnerability is similar with the older CVE-2019-18808.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3744

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3752
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 7.9
CVSS v3 BASE SCORE: 7.1
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3752

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3753
CVE STATUS: Patched
CVE SUMMARY: A race problem was seen in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out of bounds read in vt as the write access to vc_mode is not protected by lock-in vt_ioctl (KDSETMDE). The highest threat from this vulnerability is to data confidentiality.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3753

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-37576
CVE STATUS: Patched
CVE SUMMARY: arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37576

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3759
CVE STATUS: Unpatched
CVE SUMMARY: A memory overflow vulnerability was found in the Linux kernel’s ipc functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local user to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3759

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3760
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3760

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3764
CVE STATUS: Patched
CVE SUMMARY: A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3764

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3772
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3772

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3773
CVE STATUS: Patched
CVE SUMMARY: A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3773

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38160
CVE STATUS: Patched
CVE SUMMARY: In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38160

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38166
CVE STATUS: Patched
CVE SUMMARY: In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. NOTE: exploitation might be impractical without the CAP_SYS_ADMIN capability.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38166

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38198
CVE STATUS: Patched
CVE SUMMARY: arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38198

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38199
CVE STATUS: Patched
CVE SUMMARY: fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38199

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38200
CVE STATUS: Patched
CVE SUMMARY: arch/powerpc/perf/core-book3s.c in the Linux kernel before 5.12.13, on systems with perf_event_paranoid=-1 and no specific PMU driver support registered, allows local users to cause a denial of service (perf_instruction_pointer NULL pointer dereference and OOPS) via a "perf record" command.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38200

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38201
CVE STATUS: Patched
CVE SUMMARY: net/sunrpc/xdr.c in the Linux kernel before 5.13.4 allows remote attackers to cause a denial of service (xdr_set_page_base slab-out-of-bounds access) by performing many NFS 4.2 READ_PLUS operations.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38201

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38202
CVE STATUS: Patched
CVE SUMMARY: fs/nfsd/trace.h in the Linux kernel before 5.13.4 might allow remote attackers to cause a denial of service (out-of-bounds read in strlen) by sending NFS traffic when the trace event framework is being used for nfsd.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38202

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38203
CVE STATUS: Patched
CVE SUMMARY: btrfs in the Linux kernel before 5.13.4 allows attackers to cause a denial of service (deadlock) via processes that trigger allocation of new system chunks during times when there is a shortage of free space in the system space_info.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38203

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38204
CVE STATUS: Patched
CVE SUMMARY: drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38204

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38205
CVE STATUS: Patched
CVE SUMMARY: drivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel before 5.13.3 makes it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38205

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38206
CVE STATUS: Patched
CVE SUMMARY: The mac80211 subsystem in the Linux kernel before 5.12.13, when a device supporting only 5 GHz is used, allows attackers to cause a denial of service (NULL pointer dereference in the radiotap parser) by injecting a frame with 802.11a rates.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38206

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38207
CVE STATUS: Patched
CVE SUMMARY: drivers/net/ethernet/xilinx/ll_temac_main.c in the Linux kernel before 5.12.13 allows remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38207

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38208
CVE STATUS: Patched
CVE SUMMARY: net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38208

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38209
CVE STATUS: Patched
CVE SUMMARY: net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38209

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-38300
CVE STATUS: Patched
CVE SUMMARY: arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38300

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3847
CVE STATUS: Patched
CVE SUMMARY: An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount. A local user could use this flaw to escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3847

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3864
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3864

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-3923
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 2.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3923

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4001
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. This flaw affects kernel versions prior to 5.16 rc2.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:C/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4002
CVE STATUS: Patched
CVE SUMMARY: A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4023
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the io-workqueue implementation in the Linux kernel versions prior to 5.15-rc1. The kernel can panic when an improper cancellation operation triggers the submission of new io-uring operations during a shortage of free space. This flaw allows a local user with permissions to execute io-uring requests to possibly crash the system.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4023

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4028
CVE STATUS: Patched
CVE SUMMARY: A flaw in the Linux kernel's implementation of RDMA communications manager listener code allowed an attacker with local access to setup a socket to listen on a high port allowing for a list element to be used after free. Given the ability to execute code, a local attacker could leverage this use-after-free to crash the system or possibly escalate privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4028

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4032
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Linux kernel's KVM subsystem in arch/x86/kvm/lapic.c kvm_free_lapic when a failure allocation was detected. In this flaw the KVM subsystem may crash the kernel due to mishandling of memory errors that happens during VCPU construction, which allows an attacker with special user privilege to cause a denial of service. This flaw affects kernel versions prior to 5.15 rc7.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4032

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4037
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4037

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-40490
CVE STATUS: Patched
CVE SUMMARY: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-40490

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4083
CVE STATUS: Patched
CVE SUMMARY: A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.16-rc4.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4090
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds (OOB) memory write flaw was found in the NFSD in the Linux kernel. Missing sanity may lead to a write beyond bmval[bmlen-1] in nfsd4_decode_bitmap4 in fs/nfsd/nfs4xdr.c. In this flaw, a local attacker with user privilege may gain access to out-of-bounds memory, leading to a system integrity and confidentiality threat.
CVSS v2 BASE SCORE: 6.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4090

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4093
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the KVM's AMD code for supporting the Secure Encrypted Virtualization-Encrypted State (SEV-ES). A KVM guest using SEV-ES can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT for a string I/O instruction (for example, outs or ins) using the exit reason SVM_EXIT_IOIO. This issue results in a crash of the entire system or a potential guest-to-host escape scenario.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4093

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4095
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-41073
CVE STATUS: Patched
CVE SUMMARY: loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41073

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4135
CVE STATUS: Patched
CVE SUMMARY: A memory leak vulnerability was found in the Linux kernel's eBPF for the Simulated networking device driver in the way user uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this flaw to get unauthorized access to some data.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4135

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4148
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem. A missing sanity check may allow a local attacker with user privilege to cause a denial of service (DOS) problem.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4148

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4149
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4149

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4150
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the add_partition in block/partitions/core.c in the Linux kernel. A local attacker with user privileges could cause a denial of service on the system. The issue results from the lack of code cleanup when device_add call fails when adding a partition to the disk.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4150

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4154
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4154

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4155
CVE STATUS: Patched
CVE SUMMARY: A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4155

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4157
CVE STATUS: Patched
CVE SUMMARY: An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system.
CVSS v2 BASE SCORE: 7.4
CVSS v3 BASE SCORE: 8.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4157

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4159
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4159

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-41864
CVE STATUS: Patched
CVE SUMMARY: prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41864

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4197
CVE STATUS: Patched
CVE SUMMARY: An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4197

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-42008
CVE STATUS: Patched
CVE SUMMARY: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42008

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4202
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4202

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4203
CVE STATUS: Patched
CVE SUMMARY: A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4203

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4204
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. This flaw allows a local attacker with a special privilege to crash the system or leak internal information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4204

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4218
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel’s implementation of reading the SVC RDMA counters. Reading the counter sysctl panics the system. This flaw allows a local attacker with local access to cause a denial of service while the system reboots. The issue is specific to CentOS/RHEL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4218

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-42252
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42252

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-42327
CVE STATUS: Patched
CVE SUMMARY: dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. There are no checks on size within parse_write_buffer_into_params when it uses the size of copy_from_user to copy a userspace buffer into a 40-byte heap buffer.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42327

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-42739
CVE STATUS: Patched
CVE SUMMARY: The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42739

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-43056
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel for powerpc before 5.14.15. It allows a malicious KVM guest to crash the host, when the host is running on Power8, due to an arch/powerpc/kvm/book3s_hv_rmhandlers.S implementation bug in the handling of the SRR1 register values.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-43057
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.14.8. A use-after-free in selinux_ptrace_traceme (aka the SELinux handler for PTRACE_TRACEME) could be used by local attackers to cause memory corruption and escalate privileges, aka CID-a3727a8bac0a. This occurs because of an attempt to access the subjective credentials of another task.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43057

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-43267
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43267

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-43389
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43389

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-43975
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43975

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-43976
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43976

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4439
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

isdn: cpai: check ctr->cnr to avoid array index out of bound

The cmtp_add_connection() would add a cmtp session to a controller
and run a kernel thread to process cmtp.

	__module_get(THIS_MODULE);
	session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
								session->num);

During this process, the kernel thread would call detach_capi_ctr()
to detach a register controller. if the controller
was not attached yet, detach_capi_ctr() would
trigger an array-index-out-bounds bug.

[   46.866069][ T6479] UBSAN: array-index-out-of-bounds in
drivers/isdn/capi/kcapi.c:483:21
[   46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'
[   46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted
5.15.0-rc2+ #8
[   46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.14.0-2 04/01/2014
[   46.870107][ T6479] Call Trace:
[   46.870473][ T6479]  dump_stack_lvl+0x57/0x7d
[   46.870974][ T6479]  ubsan_epilogue+0x5/0x40
[   46.871458][ T6479]  __ubsan_handle_out_of_bounds.cold+0x43/0x48
[   46.872135][ T6479]  detach_capi_ctr+0x64/0xc0
[   46.872639][ T6479]  cmtp_session+0x5c8/0x5d0
[   46.873131][ T6479]  ? __init_waitqueue_head+0x60/0x60
[   46.873712][ T6479]  ? cmtp_add_msgpart+0x120/0x120
[   46.874256][ T6479]  kthread+0x147/0x170
[   46.874709][ T6479]  ? set_kthread_struct+0x40/0x40
[   46.875248][ T6479]  ret_from_fork+0x1f/0x30
[   46.875773][ T6479]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4439

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4441
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op()

In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(),
which could lead to a NULL pointer dereference on failure of
kzalloc().

Fix this bug by adding a check of tmpbuf.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings,
and our static analyzer no longer warns about this code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4441

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-4442
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tcp: add sanity tests to TCP_QUEUE_SEQ

Qingyu Li reported a syzkaller bug where the repro
changes RCV SEQ _after_ restoring data in the receive queue.

mprotect(0x4aa000, 12288, PROT_READ)    = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0
sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0x0000000000000003\0\0", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20
setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0
setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0
recvfrom(3, NULL, 20, 0, NULL, NULL)    = -1 ECONNRESET (Connection reset by peer)

syslog shows:
[  111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0
[  111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0

This should not be allowed. TCP_QUEUE_SEQ should only be used
when queues are empty.

This patch fixes this case, and the tx path as well.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4442

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-44733
CVE STATUS: Patched
CVE SUMMARY: A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44733

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-44879
CVE STATUS: Patched
CVE SUMMARY: In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44879

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-45095
CVE STATUS: Patched
CVE SUMMARY: pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-45402
CVE STATUS: Patched
CVE SUMMARY: The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a "pointer leak."
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45402

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-45469
CVE STATUS: Patched
CVE SUMMARY: In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45469

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-45480
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.15.11. There is a memory leak in the __rds_conn_create() function in net/rds/connection.c in a certain combination of circumstances.
CVSS v2 BASE SCORE: 4.7
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45480

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-45485
CVE STATUS: Patched
CVE SUMMARY: In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45485

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-45486
CVE STATUS: Patched
CVE SUMMARY: In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45486

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-45868
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45868

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46283
CVE STATUS: Patched
CVE SUMMARY: nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux kernel before 5.12.13 allows local users to cause a denial of service (NULL pointer dereference and general protection fault) because of the missing initialization for nft_set_elem_expr_alloc. A local user can set a netfilter table expression in their own namespace.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46283

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46904
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hso: fix null-ptr-deref during tty device unregistration

Multiple ttys try to claim the same the minor number causing a double
unregistration of the same device. The first unregistration succeeds
but the next one results in a null-ptr-deref.

The get_free_serial_index() function returns an available minor number
but doesn't assign it immediately. The assignment is done by the caller
later. But before this assignment, calls to get_free_serial_index()
would return the same minor number.

Fix this by modifying get_free_serial_index to assign the minor number
immediately after one is found to be and rename it to obtain_minor()
to better reflect what it does. Similary, rename set_serial_by_index()
to release_minor() and modify it to free up the minor number of the
given hso_serial. Every obtain_minor() should have corresponding
release_minor() call.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46905
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hso: fix NULL-deref on disconnect regression

Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device
unregistration") fixed the racy minor allocation reported by syzbot, but
introduced an unconditional NULL-pointer dereference on every disconnect
instead.

Specifically, the serial device table must no longer be accessed after
the minor has been released by hso_serial_tty_unregister().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46905

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46906
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46906

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46908
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Use correct permission flag for mixed signed bounds arithmetic

We forbid adding unknown scalars with mixed signed bounds due to the
spectre v1 masking mitigation. Hence this also needs bypass_spec_v1
flag instead of allow_ptr_leaks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46908

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46909
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ARM: footbridge: fix PCI interrupt mapping

Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in
pci_device_probe()"), the PCI code will call the IRQ mapping function
whenever a PCI driver is probed. If these are marked as __init, this
causes an oops if a PCI driver is loaded or bound after the kernel has
initialised.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46910
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled

The debugging code for kmap_local() doubles the number of per-CPU fixmap
slots allocated for kmap_local(), in order to use half of them as guard
regions. This causes the fixmap region to grow downwards beyond the start
of its reserved window if the supported number of CPUs is large, and collide
with the newly added virtual DT mapping right below it, which is obviously
not good.

One manifestation of this is EFI boot on a kernel built with NR_CPUS=32
and CONFIG_DEBUG_KMAP_LOCAL=y, which may pass the FDT in highmem, resulting
in block entries below the fixmap region that the fixmap code misidentifies
as fixmap table entries, and subsequently tries to dereference using a
phys-to-virt translation that is only valid for lowmem. This results in a
cryptic splat such as the one below.

  ftrace: allocating 45548 entries in 89 pages
  8<--- cut here ---
  Unable to handle kernel paging request at virtual address fc6006f0
  pgd = (ptrval)
  [fc6006f0] *pgd=80000040207003, *pmd=00000000
  Internal error: Oops: a06 [#1] SMP ARM
  Modules linked in:
  CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0+ #382
  Hardware name: Generic DT based system
  PC is at cpu_ca15_set_pte_ext+0x24/0x30
  LR is at __set_fixmap+0xe4/0x118
  pc : [<c041ac9c>]    lr : [<c04189d8>]    psr: 400000d3
  sp : c1601ed8  ip : 00400000  fp : 00800000
  r10: 0000071f  r9 : 00421000  r8 : 00c00000
  r7 : 00c00000  r6 : 0000071f  r5 : ffade000  r4 : 4040171f
  r3 : 00c00000  r2 : 4040171f  r1 : c041ac78  r0 : fc6006f0
  Flags: nZcv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none
  Control: 30c5387d  Table: 40203000  DAC: 00000001
  Process swapper (pid: 0, stack limit = 0x(ptrval))

So let's limit CONFIG_NR_CPUS to 16 when CONFIG_DEBUG_KMAP_LOCAL=y. Also,
fix the BUILD_BUG_ON() check that was supposed to catch this, by checking
whether the region grows below the start address rather than above the end
address.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46911
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ch_ktls: Fix kernel panic

Taking page refcount is not ideal and causes kernel panic
sometimes. It's better to take tx_ctx lock for the complete
skb transmit, to avoid page cleanup if ACK received in middle.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46912
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: Make tcp_allowed_congestion_control readonly in non-init netns

Currently, tcp_allowed_congestion_control is global and writable;
writing to it in any net namespace will leak into all other net
namespaces.

tcp_available_congestion_control and tcp_allowed_congestion_control are
the only sysctls in ipv4_net_table (the per-netns sysctl table) with a
NULL data pointer; their handlers (proc_tcp_available_congestion_control
and proc_allowed_congestion_control) have no other way of referencing a
struct net. Thus, they operate globally.

Because ipv4_net_table does not use designated initializers, there is no
easy way to fix up this one "bad" table entry. However, the data pointer
updating logic shouldn't be applied to NULL pointers anyway, so we
instead force these entries to be read-only.

These sysctls used to exist in ipv4_table (init-net only), but they were
moved to the per-net ipv4_net_table, presumably without realizing that
tcp_allowed_congestion_control was writable and thus introduced a leak.

Because the intent of that commit was only to know (i.e. read) "which
congestion algorithms are available or allowed", this read-only solution
should be sufficient.

The logic added in recent commit
31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls")
does not and cannot check for NULL data pointers, because
other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have
.data=NULL but use other methods (.extra2) to access the struct net.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46913
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: clone set element expression template

memcpy() breaks when using connlimit in set elements. Use
nft_expr_clone() to initialize the connlimit expression list, otherwise
connlimit garbage collector crashes when walking on the list head copy.

[  493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[  493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]
[  493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83
[  493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297
[  493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000
[  493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0
[  493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c
[  493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001
[  493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000
[  493.064721] FS:  0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000
[  493.064725] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0
[  493.064733] Call Trace:
[  493.064737]  nf_conncount_gc_list+0x8f/0x150 [nf_conncount]
[  493.064746]  nft_rhash_gc+0x106/0x390 [nf_tables]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46914
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ixgbe: fix unbalanced device enable/disable in suspend/resume

pci_disable_device() called in __ixgbe_shutdown() decreases
dev->enable_cnt by 1. pci_enable_device_mem() which increases
dev->enable_cnt by 1, was removed from ixgbe_resume() in commit
6f82b2558735 ("ixgbe: use generic power management"). This caused
unbalanced increase/decrease. So add pci_enable_device_mem() back.

Fix the following call trace.

  ixgbe 0000:17:00.1: disabling already-disabled device
  Call Trace:
   __ixgbe_shutdown+0x10a/0x1e0 [ixgbe]
   ixgbe_suspend+0x32/0x70 [ixgbe]
   pci_pm_suspend+0x87/0x160
   ? pci_pm_freeze+0xd0/0xd0
   dpm_run_callback+0x42/0x170
   __device_suspend+0x114/0x460
   async_suspend+0x1f/0xa0
   async_run_entry_fn+0x3c/0xf0
   process_one_work+0x1dd/0x410
   worker_thread+0x34/0x3f0
   ? cancel_delayed_work+0x90/0x90
   kthread+0x14c/0x170
   ? kthread_park+0x90/0x90
   ret_from_fork+0x1f/0x30
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46915
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_limit: avoid possible divide error in nft_limit_init

div_u64() divides u64 by u32.

nft_limit_init() wants to divide u64 by u64, use the appropriate
math function (div64_u64)

divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]
RIP: 0010:div_u64 include/linux/math64.h:127 [inline]
RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85
Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00
RSP: 0018:ffffc90009447198 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003
RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000
R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]
 nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713
 nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160
 nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321
 nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46915

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46916
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ixgbe: Fix NULL pointer dereference in ethtool loopback test

The ixgbe driver currently generates a NULL pointer dereference when
performing the ethtool loopback test. This is due to the fact that there
isn't a q_vector associated with the test ring when it is setup as
interrupts are not normally added to the test rings.

To address this I have added code that will check for a q_vector before
returning a napi_id value. If a q_vector is not present it will return a
value of 0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46916

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46917
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix wq cleanup of WQCFG registers

A pre-release silicon erratum workaround where wq reset does not clear
WQCFG registers was leaked into upstream code. Use wq reset command
instead of blasting the MMIO region. This also address an issue where
we clobber registers in future devices.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46917

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46918
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: clear MSIX permission entry on shutdown

Add disabling/clearing of MSIX permission entries on device shutdown to
mirror the enabling of the MSIX entries on probe. Current code left the
MSIX enabled and the pasid entries still programmed at device shutdown.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46918

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46919
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix wq size store permission state

WQ size can only be changed when the device is disabled. Current code
allows change when device is enabled but wq is disabled. Change the check
to detect device state.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46919

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46920
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback

Current code blindly writes over the SWERR and the OVERFLOW bits. Write
back the bits actually read instead so the driver avoids clobbering the
OVERFLOW bit that comes after the register is read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46920

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46921
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

locking/qrwlock: Fix ordering in queued_write_lock_slowpath()

While this code is executed with the wait_lock held, a reader can
acquire the lock without holding wait_lock.  The writer side loops
checking the value with the atomic_cond_read_acquire(), but only truly
acquires the lock when the compare-and-exchange is completed
successfully which isn’t ordered. This exposes the window between the
acquire and the cmpxchg to an A-B-A problem which allows reads
following the lock acquisition to observe values speculatively before
the write lock is truly acquired.

We've seen a problem in epoll where the reader does a xchg while
holding the read lock, but the writer can see a value change out from
under it.

  Writer                                | Reader
  --------------------------------------------------------------------------------
  ep_scan_ready_list()                  |
  |- write_lock_irq()                   |
      |- queued_write_lock_slowpath()   |
	|- atomic_cond_read_acquire()   |
				        | read_lock_irqsave(&ep->lock, flags);
     --> (observes value before unlock) |  chain_epi_lockless()
     |                                  |    epi->next = xchg(&ep->ovflist, epi);
     |                                  | read_unlock_irqrestore(&ep->lock, flags);
     |                                  |
     |     atomic_cmpxchg_relaxed()     |
     |-- READ_ONCE(ep->ovflist);        |

A core can order the read of the ovflist ahead of the
atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire
semantics addresses this issue at which point the atomic_cond_read can
be switched to use relaxed semantics.

[peterz: use try_cmpxchg()]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46921

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46922
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KEYS: trusted: Fix TPM reservation for seal/unseal

The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal
and unseal operations") was correct on the mailing list:

https://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/

But somehow got rebased so that the tpm_try_get_ops() in
tpm2_seal_trusted() got lost.  This causes an imbalanced put of the
TPM ops and causes oopses on TIS based hardware.

This fix puts back the lost tpm_try_get_ops()
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46922

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46923
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs/mount_setattr: always cleanup mount_kattr

Make sure that finish_mount_kattr() is called after mount_kattr was
succesfully built in both the success and failure case to prevent
leaking any references we took when we built it.  We returned early if
path lookup failed thereby risking to leak an additional reference we
took when building mount_kattr when an idmapped mount was requested.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46923

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46924
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFC: st21nfca: Fix memory leak in device probe and remove

'phy->pending_skb' is alloced when device probe, but forgot to free
in the error handling path and remove path, this cause memory leak
as follows:

unreferenced object 0xffff88800bc06800 (size 512):
  comm "8", pid 11775, jiffies 4295159829 (age 9.032s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450
    [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0
    [<000000005fea522c>] __alloc_skb+0x124/0x380
    [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2

Fix it by freeing 'pending_skb' in error and remove.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46924

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46925
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix kernel panic caused by race of smc_sock

A crash occurs when smc_cdc_tx_handler() tries to access smc_sock
but smc_release() has already freed it.

[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88
[ 4570.696048] #PF: supervisor write access in kernel mode
[ 4570.696728] #PF: error_code(0x0002) - not-present page
[ 4570.697401] PGD 0 P4D 0
[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111
[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0
[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30
<...>
[ 4570.711446] Call Trace:
[ 4570.711746]  <IRQ>
[ 4570.711992]  smc_cdc_tx_handler+0x41/0xc0
[ 4570.712470]  smc_wr_tx_tasklet_fn+0x213/0x560
[ 4570.712981]  ? smc_cdc_tx_dismisser+0x10/0x10
[ 4570.713489]  tasklet_action_common.isra.17+0x66/0x140
[ 4570.714083]  __do_softirq+0x123/0x2f4
[ 4570.714521]  irq_exit_rcu+0xc4/0xf0
[ 4570.714934]  common_interrupt+0xba/0xe0

Though smc_cdc_tx_handler() checked the existence of smc connection,
smc_release() may have already dismissed and released the smc socket
before smc_cdc_tx_handler() further visits it.

smc_cdc_tx_handler()           |smc_release()
if (!conn)                     |
                               |
                               |smc_cdc_tx_dismiss_slots()
                               |      smc_cdc_tx_dismisser()
                               |
                               |sock_put(&smc->sk) <- last sock_put,
                               |                      smc_sock freed
bh_lock_sock(&smc->sk) (panic) |

To make sure we won't receive any CDC messages after we free the
smc_sock, add a refcount on the smc_connection for inflight CDC
message(posted to the QP but haven't received related CQE), and
don't release the smc_connection until all the inflight CDC messages
haven been done, for both success or failed ones.

Using refcount on CDC messages brings another problem: when the link
is going to be destroyed, smcr_link_clear() will reset the QP, which
then remove all the pending CQEs related to the QP in the CQ. To make
sure all the CQEs will always come back so the refcount on the
smc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced
by smc_ib_modify_qp_error().
And remove the timeout in smc_wr_tx_wait_no_pending_sends() since we
need to wait for all pending WQEs done, or we may encounter use-after-
free when handling CQEs.

For IB device removal routine, we need to wait for all the QPs on that
device been destroyed before we can destroy CQs on the device, or
the refcount on smc_connection won't reach 0 and smc_sock cannot be
released.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46925

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46926
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: hda: intel-sdw-acpi: harden detection of controller

The existing code currently sets a pointer to an ACPI handle before
checking that it's actually a SoundWire controller. This can lead to
issues where the graph walk continues and eventually fails, but the
pointer was set already.

This patch changes the logic so that the information provided to
the caller is set when a controller is found.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46926

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46927
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert

After commit 5b78ed24e8ec ("mm/pagemap: add mmap_assert_locked()
annotations to find_vma*()"), the call to get_user_pages() will trigger
the mmap assert.

static inline void mmap_assert_locked(struct mm_struct *mm)
{
	lockdep_assert_held(&mm->mmap_lock);
	VM_BUG_ON_MM(!rwsem_is_locked(&mm->mmap_lock), mm);
}

[   62.521410] kernel BUG at include/linux/mmap_lock.h:156!
...........................................................
[   62.538938] RIP: 0010:find_vma+0x32/0x80
...........................................................
[   62.605889] Call Trace:
[   62.608502]  <TASK>
[   62.610956]  ? lock_timer_base+0x61/0x80
[   62.614106]  find_extend_vma+0x19/0x80
[   62.617195]  __get_user_pages+0x9b/0x6a0
[   62.620356]  __gup_longterm_locked+0x42d/0x450
[   62.623721]  ? finish_wait+0x41/0x80
[   62.626748]  ? __kmalloc+0x178/0x2f0
[   62.629768]  ne_set_user_memory_region_ioctl.isra.0+0x225/0x6a0 [nitro_enclaves]
[   62.635776]  ne_enclave_ioctl+0x1cf/0x6d7 [nitro_enclaves]
[   62.639541]  __x64_sys_ioctl+0x82/0xb0
[   62.642620]  do_syscall_64+0x3b/0x90
[   62.645642]  entry_SYSCALL_64_after_hwframe+0x44/0xae

Use get_user_pages_unlocked() when setting the enclave memory regions.
That's a similar pattern as mmap_read_lock() used together with
get_user_pages().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46927

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46928
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

parisc: Clear stale IIR value on instruction access rights trap

When a trap 7 (Instruction access rights) occurs, this means the CPU
couldn't execute an instruction due to missing execute permissions on
the memory region.  In this case it seems the CPU didn't even fetched
the instruction from memory and thus did not store it in the cr19 (IIR)
register before calling the trap handler. So, the trap handler will find
some random old stale value in cr19.

This patch simply overwrites the stale IIR value with a constant magic
"bad food" value (0xbaadf00d), in the hope people don't start to try to
understand the various random IIR values in trap 7 dumps.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46928

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46929
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sctp: use call_rcu to free endpoint

This patch is to delay the endpoint free by calling call_rcu() to fix
another use-after-free issue in sctp_sock_dump():

  BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
  Call Trace:
    __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
    lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
    _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
    spin_lock_bh include/linux/spinlock.h:334 [inline]
    __lock_sock+0x203/0x350 net/core/sock.c:2253
    lock_sock_nested+0xfe/0x120 net/core/sock.c:2774
    lock_sock include/net/sock.h:1492 [inline]
    sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324
    sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091
    sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527
    __inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049
    inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065
    netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244
    __netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352
    netlink_dump_start include/linux/netlink.h:216 [inline]
    inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170
    __sock_diag_cmd net/core/sock_diag.c:232 [inline]
    sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263
    netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477
    sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274

This issue occurs when asoc is peeled off and the old sk is freed after
getting it by asoc->base.sk and before calling lock_sock(sk).

To prevent the sk free, as a holder of the sk, ep should be alive when
calling lock_sock(). This patch uses call_rcu() and moves sock_put and
ep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to
hold the ep under rcu_read_lock in sctp_transport_traverse_process().

If sctp_endpoint_hold() returns true, it means this ep is still alive
and we have held it and can continue to dump it; If it returns false,
it means this ep is dead and can be freed after rcu_read_unlock, and
we should skip it.

In sctp_sock_dump(), after locking the sk, if this ep is different from
tsp->asoc->ep, it means during this dumping, this asoc was peeled off
before calling lock_sock(), and the sk should be skipped; If this ep is
the same with tsp->asoc->ep, it means no peeloff happens on this asoc,
and due to lock_sock, no peeloff will happen either until release_sock.

Note that delaying endpoint free won't delay the port release, as the
port release happens in sctp_endpoint_destroy() before calling call_rcu().
Also, freeing endpoint by call_rcu() makes it safe to access the sk by
asoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().

Thanks Jones to bring this issue up.

v1->v2:
  - improve the changelog.
  - add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46929

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46930
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: mtu3: fix list_head check warning

This is caused by uninitialization of list_head.

BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4

Call trace:
dump_backtrace+0x0/0x298
show_stack+0x24/0x34
dump_stack+0x130/0x1a8
print_address_description+0x88/0x56c
__kasan_report+0x1b8/0x2a0
kasan_report+0x14/0x20
__asan_load8+0x9c/0xa0
__list_del_entry_valid+0x34/0xe4
mtu3_req_complete+0x4c/0x300 [mtu3]
mtu3_gadget_stop+0x168/0x448 [mtu3]
usb_gadget_unregister_driver+0x204/0x3a0
unregister_gadget_item+0x44/0xa4
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46930

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46931
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Wrap the tx reporter dump callback to extract the sq

Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct
mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually
of type struct mlx5e_tx_timeout_ctx *.

 mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected
 mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000
 BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae)
 kernel stack overflow (page fault): 0000 [#1] SMP NOPTI
 CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]
 RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180
 [mlx5_core]
 Call Trace:
 mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core]
 devlink_health_do_dump.part.91+0x71/0xd0
 devlink_health_report+0x157/0x1b0
 mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core]
 ? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0
 [mlx5_core]
 ? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core]
 ? update_load_avg+0x19b/0x550
 ? set_next_entity+0x72/0x80
 ? pick_next_task_fair+0x227/0x340
 ? finish_task_switch+0xa2/0x280
   mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core]
   process_one_work+0x1de/0x3a0
   worker_thread+0x2d/0x3c0
 ? process_one_work+0x3a0/0x3a0
   kthread+0x115/0x130
 ? kthread_park+0x90/0x90
   ret_from_fork+0x1f/0x30
 --[ end trace 51ccabea504edaff ]---
 RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180
 PKRU: 55555554
 Kernel panic - not syncing: Fatal exception
 Kernel Offset: disabled
 end Kernel panic - not syncing: Fatal exception

To fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which
extracts the sq from struct mlx5e_tx_timeout_ctx and set it as the
TX-timeout-recovery flow dump callback.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46931

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46932
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Input: appletouch - initialize work before device registration

Syzbot has reported warning in __flush_work(). This warning is caused by
work->func == NULL, which means missing work initialization.

This may happen, since input_dev->close() calls
cancel_work_sync(&dev->work), but dev->work initalization happens _after_
input_register_device() call.

So this patch moves dev->work initialization before registering input
device
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46933
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
ffs_ep0_release, so it ends up being called twice when userland closes ep0
and then unmounts f_fs.
If userland provided an eventfd along with function's USB descriptors, it
ends up calling eventfd_ctx_put as many times, causing a refcount
underflow.
NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.

Also, set epfiles to NULL right after de-allocating it, for readability.

For completeness, ffs_data_clear actually ends up being called thrice, the
last call being before the whole ffs structure gets freed, so when this
specific sequence happens there is a second underflow happening (but not
being reported):

/sys/kernel/debug/tracing# modprobe usb_f_fs
/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
/sys/kernel/debug/tracing# echo function > current_tracer
/sys/kernel/debug/tracing# echo 1 > tracing_on
(setup gadget, run and kill function userland process, teardown gadget)
/sys/kernel/debug/tracing# echo 0 > tracing_on
/sys/kernel/debug/tracing# cat trace
 smartcard-openp-436     [000] .....  1946.208786: ffs_data_clear <-ffs_data_closed
 smartcard-openp-431     [000] .....  1946.279147: ffs_data_clear <-ffs_data_closed
 smartcard-openp-431     [000] .n...  1946.905512: ffs_data_clear <-ffs_data_put

Warning output corresponding to above trace:
[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
[ 1946.293094] refcount_t: underflow; use-after-free.
[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G         C OE     5.15.0-1-rpi #1  Debian 5.15.3-1
[ 1946.417950] Hardware name: BCM2835
[ 1946.425442] Backtrace:
[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
[ 1946.448226]  r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
[ 1946.482067]  r5:c04a948c r4:c0a71dc8
[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
[ 1946.506758]  r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
[ 1946.535309]  r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
[ 1946.582664]  r5:c3b84c00 r4:c2695b00
[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
[ 1946.609608]  r5:bf54d014 r4:c2695b00
[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
[ 1946.636217]  r7:c0dfcb
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46933

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46934
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i2c: validate user data in compat ioctl

Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
Userspace should not be able to trigger warnings, so this patch adds
validation checks for user data in compact ioctl to prevent reported
warnings
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46935
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

binder: fix async_free_space accounting for empty parcels

In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size.

Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8-bytes of
async_free_space were leaked on every async transaction of 8-bytes or
less.  These small transactions are uncommon, so this accounting issue
has gone undetected for several years.

The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46935

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46936
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: fix use-after-free in tw_timer_handler

A real world panic issue was found as follow in Linux 5.4.

    BUG: unable to handle page fault for address: ffffde49a863de28
    PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
    RIP: 0010:tw_timer_handler+0x20/0x40
    Call Trace:
     <IRQ>
     call_timer_fn+0x2b/0x120
     run_timer_softirq+0x1ef/0x450
     __do_softirq+0x10d/0x2b8
     irq_exit+0xc7/0xd0
     smp_apic_timer_interrupt+0x68/0x120
     apic_timer_interrupt+0xf/0x20

This issue was also reported since 2017 in the thread [1],
unfortunately, the issue was still can be reproduced after fixing
DCCP.

The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net
namespace is destroyed since tcp_sk_ops is registered befrore
ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops
in the list of pernet_list. There will be a use-after-free on
net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net
if there are some inflight time-wait timers.

This bug is not introduced by commit f2bf415cfed7 ("mib: add net to
NET_ADD_STATS_BH") since the net_statistics is a global variable
instead of dynamic allocation and freeing. Actually, commit
61a7e26028b9 ("mib: put net statistics on struct net") introduces
the bug since it put net statistics on struct net and free it when
net namespace is destroyed.

Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug
and replace pr_crit() with panic() since continuing is meaningless
when init_ipv4_mibs() fails.

[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46936

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46937
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()'

DAMON debugfs interface increases the reference counts of 'struct pid's
for targets from the 'target_ids' file write callback
('dbgfs_target_ids_write()'), but decreases the counts only in DAMON
monitoring termination callback ('dbgfs_before_terminate()').

Therefore, when 'target_ids' file is repeatedly written without DAMON
monitoring start/termination, the reference count is not decreased and
therefore memory for the 'struct pid' cannot be freed.  This commit
fixes this issue by decreasing the reference counts when 'target_ids' is
written.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46937

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46938
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails

When loading a device-mapper table for a request-based mapped device,
and the allocation/initialization of the blk_mq_tag_set for the device
fails, a following device remove will cause a double free.

E.g. (dmesg):
  device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device
  device-mapper: ioctl: unable to set up device queue for new table.
  Unable to handle kernel pointer dereference in virtual kernel address space
  Failing address: 0305e098835de000 TEID: 0305e098835de803
  Fault in home space mode while using kernel ASCE.
  AS:000000025efe0007 R3:0000000000000024
  Oops: 0038 ilc:3 [#1] SMP
  Modules linked in: ... lots of modules ...
  Supported: Yes, External
  CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G        W      X    5.3.18-53-default #1 SLE15-SP3
  Hardware name: IBM 8561 T01 7I2 (LPAR)
  Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330)
             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
  Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000
             000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000
             000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640
             00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8
  Krnl Code: 000000025e368eb8: c4180041e100       lgrl    %r1,25eba50b8
             000000025e368ebe: ecba06b93a55       risbg   %r11,%r10,6,185,58
            #000000025e368ec4: e3b010000008       ag      %r11,0(%r1)
            >000000025e368eca: e310b0080004       lg      %r1,8(%r11)
             000000025e368ed0: a7110001           tmll    %r1,1
             000000025e368ed4: a7740129           brc     7,25e369126
             000000025e368ed8: e320b0080004       lg      %r2,8(%r11)
             000000025e368ede: b904001b           lgr     %r1,%r11
  Call Trace:
   [<000000025e368eca>] kfree+0x42/0x330
   [<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8
   [<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod]
   [<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod]
   [<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod]
   [<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod]
   [<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod]
   [<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod]
   [<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0
   [<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40
   [<000000025e8c15ac>] system_call+0xd8/0x2c8
  Last Breaking-Event-Address:
   [<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8
  Kernel panic - not syncing: Fatal exception: panic_on_oops

When allocation/initialization of the blk_mq_tag_set fails in
dm_mq_init_request_queue(), it is uninitialized/freed, but the pointer
is not reset to NULL; so when dev_remove() later gets into
dm_mq_cleanup_mapped_device() it sees the pointer and tries to
uninitialize and free it again.

Fix this by setting the pointer to NULL in dm_mq_init_request_queue()
error-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46938

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46939
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing: Restructure trace_clock_global() to never block

It was reported that a fix to the ring buffer recursion detection would
cause a hung machine when performing suspend / resume testing. The
following backtrace was extracted from debugging that case:

Call Trace:
 trace_clock_global+0x91/0xa0
 __rb_reserve_next+0x237/0x460
 ring_buffer_lock_reserve+0x12a/0x3f0
 trace_buffer_lock_reserve+0x10/0x50
 __trace_graph_return+0x1f/0x80
 trace_graph_return+0xb7/0xf0
 ? trace_clock_global+0x91/0xa0
 ftrace_return_to_handler+0x8b/0xf0
 ? pv_hash+0xa0/0xa0
 return_to_handler+0x15/0x30
 ? ftrace_graph_caller+0xa0/0xa0
 ? trace_clock_global+0x91/0xa0
 ? __rb_reserve_next+0x237/0x460
 ? ring_buffer_lock_reserve+0x12a/0x3f0
 ? trace_event_buffer_lock_reserve+0x3c/0x120
 ? trace_event_buffer_reserve+0x6b/0xc0
 ? trace_event_raw_event_device_pm_callback_start+0x125/0x2d0
 ? dpm_run_callback+0x3b/0xc0
 ? pm_ops_is_empty+0x50/0x50
 ? platform_get_irq_byname_optional+0x90/0x90
 ? trace_device_pm_callback_start+0x82/0xd0
 ? dpm_run_callback+0x49/0xc0

With the following RIP:

RIP: 0010:native_queued_spin_lock_slowpath+0x69/0x200

Since the fix to the recursion detection would allow a single recursion to
happen while tracing, this lead to the trace_clock_global() taking a spin
lock and then trying to take it again:

ring_buffer_lock_reserve() {
  trace_clock_global() {
    arch_spin_lock() {
      queued_spin_lock_slowpath() {
        /* lock taken */
        (something else gets traced by function graph tracer)
          ring_buffer_lock_reserve() {
            trace_clock_global() {
              arch_spin_lock() {
                queued_spin_lock_slowpath() {
                /* DEAD LOCK! */

Tracing should *never* block, as it can lead to strange lockups like the
above.

Restructure the trace_clock_global() code to instead of simply taking a
lock to update the recorded "prev_time" simply use it, as two events
happening on two different CPUs that calls this at the same time, really
doesn't matter which one goes first. Use a trylock to grab the lock for
updating the prev_time, and if it fails, simply try again the next time.
If it failed to be taken, that means something else is already updating
it.


Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212761
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46939

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46940
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tools/power turbostat: Fix offset overflow issue in index converting

The idx_to_offset() function returns type int (32-bit signed), but
MSR_PKG_ENERGY_STAT is u32 and would be interpreted as a negative number.
The end result is that it hits the if (offset < 0) check in update_msr_sum()
which prevents the timer callback from updating the stat in the background when
long durations are used. The similar issue exists in offset_to_idx() and
update_msr_sum(). Fix this issue by converting the 'int' to 'off_t' accordingly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46940

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46941
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: core: Do core softreset when switch mode


According to the programming guide, to switch mode for DRD controller,
the driver needs to do the following.

To switch from device to host:
1. Reset controller with GCTL.CoreSoftReset
2. Set GCTL.PrtCapDir(host mode)
3. Reset the host with USBCMD.HCRESET
4. Then follow up with the initializing host registers sequence

To switch from host to device:
1. Reset controller with GCTL.CoreSoftReset
2. Set GCTL.PrtCapDir(device mode)
3. Reset the device with DCTL.CSftRst
4. Then follow up with the initializing registers sequence

Currently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of
switching from host to device. John Stult reported a lockup issue seen
with HiKey960 platform without these steps[1]. Similar issue is observed
with Ferry's testing platform[2].

So, apply the required steps along with some fixes to Yu Chen's and John
Stultz's version. The main fixes to their versions are the missing wait
for clocks synchronization before clearing GCTL.CoreSoftReset and only
apply DCTL.CSftRst when switching from host to device.

[1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/
[2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46941

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46942
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix shared sqpoll cancellation hangs

[  736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[  736.982897] Call Trace:
[  736.982901]  schedule+0x68/0xe0
[  736.982903]  io_uring_cancel_sqpoll+0xdb/0x110
[  736.982908]  io_sqpoll_cancel_cb+0x24/0x30
[  736.982911]  io_run_task_work_head+0x28/0x50
[  736.982913]  io_sq_thread+0x4e3/0x720

We call io_uring_cancel_sqpoll() one by one for each ctx either in
sq_thread() itself or via task works, and it's intended to cancel all
requests of a specified context. However the function uses per-task
counters to track the number of inflight requests, so it counts more
requests than available via currect io_uring ctx and goes to sleep for
them to appear (e.g. from IRQ), that will never happen.

Cancel a bit more than before, i.e. all ctxs that share sqpoll
and continue to use shared counters. Don't forget that we should not
remove ctx from the list before running that task_work sqpoll-cancel,
otherwise the function wouldn't be able to find the context and will
hang.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46942

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46943
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: staging/intel-ipu3: Fix set_fmt error handling

If there in an error during a set_fmt, do not overwrite the previous
sizes with the invalid config.

Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and
causing the following OOPs

[   38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes)
[   38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0
[   38.663010] general protection fault: 0000 [#1] PREEMPT SMP
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46943

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46944
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: staging/intel-ipu3: Fix memory leak in imu_fmt

We are losing the reference to an allocated memory if try. Change the
order of the check to avoid that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46944

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46945
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: always panic when errors=panic is specified

Before commit 014c9caa29d3 ("ext4: make ext4_abort() use
__ext4_error()"), the following series of commands would trigger a
panic:

1. mount /dev/sda -o ro,errors=panic test
2. mount /dev/sda -o remount,abort test

After commit 014c9caa29d3, remounting a file system using the test
mount option "abort" will no longer trigger a panic.  This commit will
restore the behaviour immediately before commit 014c9caa29d3.
(However, note that the Linux kernel's behavior has not been
consistent; some previous kernel versions, including 5.4 and 4.19
similarly did not panic after using the mount option "abort".)

This also makes a change to long-standing behaviour; namely, the
following series commands will now cause a panic, when previously it
did not:

1. mount /dev/sda -o ro,errors=panic test
2. echo test > /sys/fs/ext4/sda/trigger_fs_error

However, this makes ext4's behaviour much more consistent, so this is
a good thing.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46945

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46947
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues

efx->xdp_tx_queue_count is initially initialized to num_possible_cpus() and is
later used to allocate and traverse efx->xdp_tx_queues lookup array. However,
we may end up not initializing all the array slots with real queues during
probing. This results, for example, in a NULL pointer dereference, when running
"# ethtool -S <iface>", similar to below

[2570283.664955][T4126959] BUG: kernel NULL pointer dereference, address: 00000000000000f8
[2570283.681283][T4126959] #PF: supervisor read access in kernel mode
[2570283.695678][T4126959] #PF: error_code(0x0000) - not-present page
[2570283.710013][T4126959] PGD 0 P4D 0
[2570283.721649][T4126959] Oops: 0000 [#1] SMP PTI
[2570283.734108][T4126959] CPU: 23 PID: 4126959 Comm: ethtool Tainted: G           O      5.10.20-cloudflare-2021.3.1 #1
[2570283.752641][T4126959] Hardware name: <redacted>
[2570283.781408][T4126959] RIP: 0010:efx_ethtool_get_stats+0x2ca/0x330 [sfc]
[2570283.796073][T4126959] Code: 00 85 c0 74 39 48 8b 95 a8 0f 00 00 48 85 d2 74 2d 31 c0 eb 07 48 8b 95 a8 0f 00 00 48 63 c8 49 83 c4 08 83 c0 01 48 8b 14 ca <48> 8b 92 f8 00 00 00 49 89 54 24 f8 39 85 a0 0f 00 00 77 d7 48 8b
[2570283.831259][T4126959] RSP: 0018:ffffb79a77657ce8 EFLAGS: 00010202
[2570283.845121][T4126959] RAX: 0000000000000019 RBX: ffffb799cd0c9280 RCX: 0000000000000018
[2570283.860872][T4126959] RDX: 0000000000000000 RSI: ffff96dd970ce000 RDI: 0000000000000005
[2570283.876525][T4126959] RBP: ffff96dd86f0a000 R08: ffff96dd970ce480 R09: 000000000000005f
[2570283.892014][T4126959] R10: ffffb799cd0c9fff R11: ffffb799cd0c9000 R12: ffffb799cd0c94f8
[2570283.907406][T4126959] R13: ffffffffc11b1090 R14: ffff96dd970ce000 R15: ffffffffc11cd66c
[2570283.922705][T4126959] FS:  00007fa7723f8740(0000) GS:ffff96f51fac0000(0000) knlGS:0000000000000000
[2570283.938848][T4126959] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[2570283.952524][T4126959] CR2: 00000000000000f8 CR3: 0000001a73e6e006 CR4: 00000000007706e0
[2570283.967529][T4126959] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[2570283.982400][T4126959] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[2570283.997308][T4126959] PKRU: 55555554
[2570284.007649][T4126959] Call Trace:
[2570284.017598][T4126959]  dev_ethtool+0x1832/0x2830

Fix this by adjusting efx->xdp_tx_queue_count after probing to reflect the true
value of initialized slots in efx->xdp_tx_queues.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46947

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46948
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sfc: farch: fix TX queue lookup in TX event handling

We're starting from a TXQ label, not a TXQ type, so
 efx_channel_get_tx_queue() is inappropriate (and could return NULL,
 leading to panics).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46948

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46949
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sfc: farch: fix TX queue lookup in TX flush done handling

We're starting from a TXQ instance number ('qid'), not a TXQ type, so
 efx_get_tx_queue() is inappropriate (and could return NULL, leading
 to panics).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46949

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46950
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

md/raid1: properly indicate failure when ending a failed write request

This patch addresses a data corruption bug in raid1 arrays using bitmaps.
Without this fix, the bitmap bits for the failed I/O end up being cleared.

Since we are in the failure leg of raid1_end_write_request, the request
either needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46950

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46951
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tpm: efi: Use local variable for calculating final log size

When tpm_read_log_efi is called multiple times, which happens when
one loads and unloads a TPM2 driver multiple times, then the global
variable efi_tpm_final_log_size will at some point become a negative
number due to the subtraction of final_events_preboot_size occurring
each time. Use a local variable to avoid this integer underflow.

The following issue is now resolved:

Mar  8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Mar  8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy]
Mar  8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20
Mar  8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
Mar  8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206
Mar  8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f
Mar  8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d
Mar  8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073
Mar  8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5
Mar  8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018
Mar  8 15:35:12 hibinst kernel: FS:  0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000
Mar  8 15:35:12 hibinst kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Mar  8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0
Mar  8 15:35:12 hibinst kernel: Call Trace:
Mar  8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7
Mar  8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0
Mar  8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260
Mar  8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy]
Mar  8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370
Mar  8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0
Mar  8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46952
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds

Fix shift out-of-bounds in xprt_calc_majortimeo(). This is caused
by a garbage timeout (retrans) mount option being passed to nfs mount,
in this case from syzkaller.

If the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift
value for a 64-bit long integer, so 'retrans' cannot be >= 64.
If it is >= 64, fail the mount and return an error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46952

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46953
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure

When failing the driver probe because of invalid firmware properties,
the GTDT driver unmaps the interrupt that it mapped earlier.

However, it never checks whether the mapping of the interrupt actially
succeeded. Even more, should the firmware report an illegal interrupt
number that overlaps with the GIC SGI range, this can result in an
IPI being unmapped, and subsequent fireworks (as reported by Dann
Frazier).

Rework the driver to have a slightly saner behaviour and actually
check whether the interrupt has been mapped before unmapping things.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46953

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-46954
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets

when 'act_mirred' tries to fragment IPv4 packets that had been previously
re-assembled using 'act_ct', splats like the following can be observed on
kernels built with KASAN:

 BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60
 Read of size 1 at addr ffff888147009574 by task ping/947

 CPU: 0 PID: 947 Comm: ping Not tainted 5.12.0-rc6+ #418
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 Call Trace:
  <IRQ>
  dump_stack+0x92/0xc1
  print_address_description.constprop.7+0x1a/0x150
  kasan_report.cold.13+0x7f/0x111
  ip_do_fragment+0x1b03/0x1f60
  sch_fragment+0x4bf/0xe40
  tcf_mirred_act+0xc3d/0x11a0 [act_mirred]
  tcf_action_exec+0x104/0x3e0
  fl_classify+0x49a/0x5e0 [cls_flower]
  tcf_classify_ingress+0x18a/0x820
  __netif_receive_skb_core+0xae7/0x3340
  __netif_receive_skb_one_core+0xb6/0x1b0
  process_backlog+0x1ef/0x6c0
  __napi_poll+0xaa/0x500
  net_rx_action+0x702/0xac0
  __do_softirq+0x1e4/0x97f
  do_softirq+0x71/0x90
  </IRQ>
  __local_bh_enable_ip+0xdb/0xf0
  ip_finish_output2+0x760/0x2120
  ip_do_fragment+0x15a5/0x1f60
  __ip_finish_output+0x4c2/0xea0
  ip_output+0x1ca/0x4d0
  ip_send_skb+0x37/0xa0
  raw_sendmsg+0x1c4b/0x2d00
  sock_sendmsg+0xdb/0x110
  __sys_sendto+0x1d7/0x2b0
  __x64_sys_sendto+0xdd/0x1b0
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f82e13853eb
 Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89
 RSP: 002b:00007ffe01fad888 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 00005571aac13700 RCX: 00007f82e13853eb
 RDX: 0000000000002330 RSI: 00005571aac13700 RDI: 0000000000000003
 RBP: 0000000000002330 R08: 00005571aac10500 R09: 0000000000000010
 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe01faefb0
 R13: 00007ffe01fad890 R14: 00007ffe01fad980 R15: 00005571aac0f0a0

 The buggy address belongs to the page:
 page:000000001dff2e03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147009
 flags: 0x17ffffc0001000(reserved)
 raw: 0017ffffc0001000 ffffea00051c0248 ffffea00051c0248 0000000000000000
 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff888147009400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888147009480: f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
 >ffff888147009500: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2
                                                              ^
  ffff888147009580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888147009600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2

for IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then,
in the following call graph:

  ip_do_fragment()
    ip_skb_dst_mtu()
      ip_dst_mtu_maybe_forward()
        ip_mtu_locked()

the pointer to struct dst_entry is used as pointer to struct rtable: this
turns the access to struct members like rt_mtu_locked into an OOB read in
the stack. Fix this changing the temporary variable used for IPv4 packets
in sch_fragment(), similarly to what is done for IPv6 few lines below.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46954

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47164
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix null deref accessing lag dev

It could be the lag dev is null so stop processing the event.
In bond_enslave() the active/backup slave being set before setting the
upper dev so first event is without an upper dev.
After setting the upper dev with bond_master_upper_dev_link() there is
a second event and in that event we have an upper dev.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47164

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47171
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: usb: fix memory leak in smsc75xx_bind

Syzbot reported memory leak in smsc75xx_bind().
The problem was is non-freed memory in case of
errors after memory allocation.

backtrace:
  [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]
  [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]
  [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
  [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47171

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47173
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

misc/uss720: fix memory leak in uss720_probe

uss720_probe forgets to decrease the refcount of usbdev in uss720_probe.
Fix this by decreasing the refcount of usbdev by usb_put_dev.

BUG: memory leak
unreferenced object 0xffff888101113800 (size 2048):
  comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s)
  hex dump (first 32 bytes):
    ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00  ....1...........
    00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00  ................
  backtrace:
    [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline]
    [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline]
    [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582
    [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline]
    [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
    [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline]
    [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591
    [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
    [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
    [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292
    [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47173

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47179
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()

Commit de144ff4234f changes _pnfs_return_layout() to call
pnfs_mark_matching_lsegs_return() passing NULL as the struct
pnfs_layout_range argument. Unfortunately,
pnfs_mark_matching_lsegs_return() doesn't check if we have a value here
before dereferencing it, causing an oops.

I'm able to hit this crash consistently when running connectathon basic
tests on NFS v4.1/v4.2 against Ontap.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47179

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47193
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Fix memory leak during rmmod

Driver failed to release all memory allocated. This would lead to memory
leak during driver removal.

Properly free memory when the module is removed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47193

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47194
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cfg80211: call cfg80211_stop_ap when switch from P2P_GO type

If the userspace tools switch from NL80211_IFTYPE_P2P_GO to
NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it
does not call the cleanup cfg80211_stop_ap(), this leads to the
initialization of in-use data. For example, this path re-init the
sdata->assigned_chanctx_list while it is still an element of
assigned_vifs list, and makes that linked list corrupt.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47194

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47195
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: fix use-after-free of the add_lock mutex

Commit 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on
SPI buses") introduced a per-controller mutex. But mutex_unlock() of
said lock is called after the controller is already freed:

  spi_unregister_controller(ctlr)
  -> put_device(&ctlr->dev)
    -> spi_controller_release(dev)
  -> mutex_unlock(&ctrl->add_lock)

Move the put_device() after the mutex_unlock().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47195

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47198
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine

An error is detected with the following report when unloading the driver:
  "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"

The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the
flag is not cleared upon completion of the login.

This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set
to LPFC_RPI_ALLOW_ERROR.  This results in a use after free access when used
as an rpi_ids array index.

Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in
lpfc_mbx_cmpl_fc_reg_login().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47198

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47513
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: felix: Fix memory leak in felix_setup_mmio_filtering

Avoid a memory leak if there is not a CPU port defined.

Addresses-Coverity-ID: 1492897 ("Resource leak")
Addresses-Coverity-ID: 1492899 ("Resource leak")
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47513

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47516
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfp: Fix memory leak in nfp_cpp_area_cache_add()

In line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a
CPP area structure. But in line 807 (#2), when the cache is allocated
failed, this CPP area structure is not freed, which will result in
memory leak.

We can fix it by freeing the CPP area when the cache is allocated
failed (#2).

792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size)
793 {
794 	struct nfp_cpp_area_cache *cache;
795 	struct nfp_cpp_area *area;

800	area = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0),
801 				  0, size);
	// #1: allocates and initializes

802 	if (!area)
803 		return -ENOMEM;

805 	cache = kzalloc(sizeof(*cache), GFP_KERNEL);
806 	if (!cache)
807 		return -ENOMEM; // #2: missing free

817	return 0;
818 }
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47516

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47518
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done

The done() netlink callback nfc_genl_dump_ses_done() should check if
received argument is non-NULL, because its allocation could fail earlier
in dumpit() (nfc_genl_dump_ses()).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47518

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47519
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: m_can: m_can_read_fifo: fix memory leak in error branch

In m_can_read_fifo(), if the second call to m_can_fifo_read() fails,
the function jump to the out_fail label and returns without calling
m_can_receive_skb(). This means that the skb previously allocated by
alloc_can_skb() is not freed. In other terms, this is a memory leak.

This patch adds a goto label to destroy the skb if an error occurs.

Issue was found with GCC -fanalyzer, please follow the link below for
details.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47519

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47520
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: pch_can: pch_can_rx_normal: fix use after free

After calling netif_receive_skb(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is dereferenced
just after the call netif_receive_skb(skb).

Reordering the lines solves the issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47520

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47521
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: sja1000: fix use after free in ems_pcmcia_add_card()

If the last channel is not available then "dev" is freed.  Fortunately,
we can just use "pdev->irq" instead.

Also we should check if at least one channel was set up.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47521

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47522
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: bigbenff: prevent null pointer dereference

When emulating the device through uhid, there is a chance we don't have
output reports and so report_field is null.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47522

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47525
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: liteuart: fix use-after-free and memleak on unbind

Deregister the port when unbinding the driver to prevent it from being
used after releasing the driver data and leaking memory allocated by
serial core.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47525

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47526
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: liteuart: Fix NULL pointer dereference in ->remove()

drvdata has to be set in _probe() - otherwise platform_get_drvdata()
causes null pointer dereference BUG in _remove().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47526

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47528
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()

In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
and there is a dereference of it in cdnsp_endpoint_init(), which could
lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().

Fix this bug by adding a check of pep->ring.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
and our static analyzer no longer warns about this code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47528

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47529
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iwlwifi: Fix memory leaks in error handling path

Should an error occur (invalid TLV len or memory allocation failure), the
memory already allocated in 'reduce_power_data' should be freed before
returning, otherwise it is leaking.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47529

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47537
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

octeontx2-af: Fix a memleak bug in rvu_mbox_init()

In rvu_mbox_init(), mbox_regions is not freed or passed out
under the switch-default region, which could lead to a memory leak.

Fix this bug by changing 'return err' to 'goto free_regions'.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_OCTEONTX2_AF=y show no new warnings,
and our static analyzer no longer warns about this code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47537

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47540
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode

Fix the following NULL pointer dereference in mt7915_get_phy_mode
routine adding an ibss interface to the mt7915 driver.

[  101.137097] wlan0: Trigger new scan to find an IBSS to join
[  102.827039] wlan0: Creating new IBSS network, BSSID 26:a4:50:1a:6e:69
[  103.064756] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  103.073670] Mem abort info:
[  103.076520]   ESR = 0x96000005
[  103.079614]   EC = 0x25: DABT (current EL), IL = 32 bits
[  103.084934]   SET = 0, FnV = 0
[  103.088042]   EA = 0, S1PTW = 0
[  103.091215] Data abort info:
[  103.094104]   ISV = 0, ISS = 0x00000005
[  103.098041]   CM = 0, WnR = 0
[  103.101044] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000460b1000
[  103.107565] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[  103.116590] Internal error: Oops: 96000005 [#1] SMP
[  103.189066] CPU: 1 PID: 333 Comm: kworker/u4:3 Not tainted 5.10.75 #0
[  103.195498] Hardware name: MediaTek MT7622 RFB1 board (DT)
[  103.201124] Workqueue: phy0 ieee80211_iface_work [mac80211]
[  103.206695] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--)
[  103.212705] pc : mt7915_get_phy_mode+0x68/0x120 [mt7915e]
[  103.218103] lr : mt7915_mcu_add_bss_info+0x11c/0x760 [mt7915e]
[  103.223927] sp : ffffffc011cdb9e0
[  103.227235] x29: ffffffc011cdb9e0 x28: ffffff8006563098
[  103.232545] x27: ffffff8005f4da22 x26: ffffff800685ac40
[  103.237855] x25: 0000000000000001 x24: 000000000000011f
[  103.243165] x23: ffffff8005f4e260 x22: ffffff8006567918
[  103.248475] x21: ffffff8005f4df80 x20: ffffff800685ac58
[  103.253785] x19: ffffff8006744400 x18: 0000000000000000
[  103.259094] x17: 0000000000000000 x16: 0000000000000001
[  103.264403] x15: 000899c3a2d9d2e4 x14: 000899bdc3c3a1c8
[  103.269713] x13: 0000000000000000 x12: 0000000000000000
[  103.275024] x11: ffffffc010e30c20 x10: 0000000000000000
[  103.280333] x9 : 0000000000000050 x8 : ffffff8006567d88
[  103.285642] x7 : ffffff8006563b5c x6 : ffffff8006563b44
[  103.290952] x5 : 0000000000000002 x4 : 0000000000000001
[  103.296262] x3 : 0000000000000001 x2 : 0000000000000001
[  103.301572] x1 : 0000000000000000 x0 : 0000000000000011
[  103.306882] Call trace:
[  103.309328]  mt7915_get_phy_mode+0x68/0x120 [mt7915e]
[  103.314378]  mt7915_bss_info_changed+0x198/0x200 [mt7915e]
[  103.319941]  ieee80211_bss_info_change_notify+0x128/0x290 [mac80211]
[  103.326360]  __ieee80211_sta_join_ibss+0x308/0x6c4 [mac80211]
[  103.332171]  ieee80211_sta_create_ibss+0x8c/0x10c [mac80211]
[  103.337895]  ieee80211_ibss_work+0x3dc/0x614 [mac80211]
[  103.343185]  ieee80211_iface_work+0x388/0x3f0 [mac80211]
[  103.348495]  process_one_work+0x288/0x690
[  103.352499]  worker_thread+0x70/0x464
[  103.356157]  kthread+0x144/0x150
[  103.359380]  ret_from_fork+0x10/0x18
[  103.362952] Code: 394008c3 52800220 394000e4 7100007f (39400023)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47540

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47541
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
After that mlx4_en_alloc_resources() is called and there is a dereference
of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
a use after free problem on failure of mlx4_en_copy_priv().

Fix this bug by adding a check of mlx4_en_copy_priv()

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_MLX4_EN=m show no new warnings,
and our static analyzer no longer warns about this code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47541

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47542
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

In qlcnic_83xx_add_rings(), the indirect function of
ahw->hw_ops->alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(), this patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47542

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47546
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix memory leak in fib6_rule_suppress

The kernel leaks memory when a `fib` rule is present in IPv6 nftables
firewall rules and a suppress_prefix rule is present in the IPv6 routing
rules (used by certain tools such as wg-quick). In such scenarios, every
incoming packet will leak an allocation in `ip6_dst_cache` slab cache.

After some hours of `bpftrace`-ing and source code reading, I tracked
down the issue to ca7a03c41753 ("ipv6: do not free rt if
FIB_LOOKUP_NOREF is set on suppress rule").

The problem with that change is that the generic `args->flags` always have
`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag
`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not
decreasing the refcount when needed.

How to reproduce:
 - Add the following nftables rule to a prerouting chain:
     meta nfproto ipv6 fib saddr . mark . iif oif missing drop
   This can be done with:
     sudo nft create table inet test
     sudo nft create chain inet test test_chain '{ type filter hook prerouting priority filter + 10; policy accept; }'
     sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop
 - Run:
     sudo ip -6 rule add table main suppress_prefixlength 0
 - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase
   with every incoming ipv6 packet.

This patch exposes the protocol-specific flags to the protocol
specific `suppress` function, and check the protocol-specific `flags`
argument for RT6_LOOKUP_F_DST_NOREF instead of the generic
FIB_LOOKUP_NOREF when decreasing the refcount, like this.

[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71
[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47546

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47550
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/amdgpu: fix potential memleak

In function amdgpu_get_xgmi_hive, when kobject_init_and_add failed
There is a potential memleak if not call kobject_put.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47550

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47556
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ethtool: ioctl: fix potential NULL deref in ethtool_set_coalesce()

ethtool_set_coalesce() now uses both the .get_coalesce() and
.set_coalesce() callbacks. But the check for their availability is
buggy, so changing the coalesce settings on a device where the driver
provides only _one_ of the callbacks results in a NULL pointer
dereference instead of an -EOPNOTSUPP.

Fix the condition so that the availability of both callbacks is
ensured. This also matches the netlink code.

Note that reproducing this requires some effort - it only affects the
legacy ioctl path, and needs a specific combination of driver options:
- have .get_coalesce() and .coalesce_supported but no
 .set_coalesce(), or
- have .set_coalesce() but no .get_coalesce(). Here eg. ethtool doesn't
  cause the crash as it first attempts to call ethtool_get_coalesce()
  and bails out on error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47556

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47559
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/smc: Fix NULL pointer dereferencing in smc_vlan_by_tcpsk()

Coverity reports a possible NULL dereferencing problem:

in smc_vlan_by_tcpsk():
6. returned_null: netdev_lower_get_next returns NULL (checked 29 out of 30 times).
7. var_assigned: Assigning: ndev = NULL return value from netdev_lower_get_next.
1623                ndev = (struct net_device *)netdev_lower_get_next(ndev, &lower);
CID 1468509 (#1 of 1): Dereference null return value (NULL_RETURNS)
8. dereference: Dereferencing a pointer that might be NULL ndev when calling is_vlan_dev.
1624                if (is_vlan_dev(ndev)) {

Remove the manual implementation and use netdev_walk_all_lower_dev() to
iterate over the lower devices. While on it remove an obsolete function
parameter comment.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47559

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47570
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

staging: r8188eu: fix a memory leak in rtw_wx_read32()

Free "ptmp" before returning -EINVAL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47570

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47571
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()

The free_rtllib() function frees the "dev" pointer so there is use
after free on the next line.  Re-arrange things to avoid that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47571

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47572
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix null pointer dereference when IPv6 is not enabled

When we try to add an IPv6 nexthop and IPv6 is not enabled
(!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path
of nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug
has been present since the beginning of IPv6 nexthop gateway support.
Commit 1aefd3de7bc6 ("ipv6: Add fib6_nh_init and release to stubs") tells
us that only fib6_nh_init has a dummy stub because fib6_nh_release should
not be called if fib6_nh_init returns an error, but the commit below added
a call to ipv6_stub->fib6_nh_release in its error path. To fix it return
the dummy stub's -EAFNOSUPPORT error directly without calling
ipv6_stub->fib6_nh_release in nh_create_ipv6()'s error path.

[1]
 Output is a bit truncated, but it clearly shows the error.
 BUG: kernel NULL pointer dereference, address: 000000000000000000
 #PF: supervisor instruction fetch in kernel modede
 #PF: error_code(0x0010) - not-present pagege
 PGD 0 P4D 0
 Oops: 0010 [#1] PREEMPT SMP NOPTI
 CPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
 RIP: 0010:0x0
 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
 RSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286^Ac
 RAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860
 RBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000
 R10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f
 R13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840
 FS:  00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0
 Call Trace:
  <TASK>
  nh_create_ipv6+0xed/0x10c
  rtm_new_nexthop+0x6d7/0x13f3
  ? check_preemption_disabled+0x3d/0xf2
  ? lock_is_held_type+0xbe/0xfd
  rtnetlink_rcv_msg+0x23f/0x26a
  ? check_preemption_disabled+0x3d/0xf2
  ? rtnl_calcit.isra.0+0x147/0x147
  netlink_rcv_skb+0x61/0xb2
  netlink_unicast+0x100/0x187
  netlink_sendmsg+0x37f/0x3a0
  ? netlink_unicast+0x187/0x187
  sock_sendmsg_nosec+0x67/0x9b
  ____sys_sendmsg+0x19d/0x1f9
  ? copy_msghdr_from_user+0x4c/0x5e
  ? rcu_read_lock_any_held+0x2a/0x78
  ___sys_sendmsg+0x6c/0x8c
  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
  ? lockdep_hardirqs_on+0xd9/0x102
  ? sockfd_lookup_light+0x69/0x99
  __sys_sendmsg+0x50/0x6e
  do_syscall_64+0xcb/0xf2
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f98dea28914
 Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53
 RSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e2e
 RAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914
 RDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003
 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008
 R10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001
 R13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0
 </TASK>
 Modules linked in: bridge stp llc bonding virtio_net
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47572

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47576
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()

In resp_mode_select() sanity check the block descriptor len to avoid UAF.

BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
Read of size 1 at addr ffff888026670f50 by task scsicmd/15032

CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
 <TASK>
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47576

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47578
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_debug: Don't call kcalloc() if size arg is zero

If the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR.  Because of
that, for a following NULL pointer check to work on the returned pointer,
kcalloc() must not be called with the size arg equal to zero. Return early
without error before the kcalloc() call if size arg is zero.

BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974
Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789

CPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 __kasan_report mm/kasan/report.c:446 [inline]
 kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189
 memcpy+0x3b/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:191 [inline]
 sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974
 do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline]
 do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline]
 resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276
 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478
 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]
 scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62
 blk_execute_rq+0xdb/0x360 block/blk-exec.c:102
 sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline]
 scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930
 sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47578

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47583
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: mxl111sf: change mutex_init() location

Syzbot reported, that mxl111sf_ctrl_msg() uses uninitialized
mutex. The problem was in wrong mutex_init() location.

Previous mutex_init(&state->msg_lock) call was in ->init() function, but
dvb_usbv2_init() has this order of calls:

	dvb_usbv2_init()
	  dvb_usbv2_adapter_init()
	    dvb_usbv2_adapter_frontend_init()
	      props->frontend_attach()

	  props->init()

Since mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach()
internally we need to initialize state->msg_lock before
frontend_attach(). To achieve it, ->probe() call added to all mxl111sf_*
devices, which will simply initiaize mutex.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47583

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47584
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iocost: Fix divide-by-zero on donation from low hweight cgroup

The donation calculation logic assumes that the donor has non-zero
after-donation hweight, so the lowest active hweight a donating cgroup can
have is 2 so that it can donate 1 while keeping the other 1 for itself.
Earlier, we only donated from cgroups with sizable surpluses so this
condition was always true. However, with the precise donation algorithm
implemented, f1de2439ec43 ("blk-iocost: revamp donation amount
determination") made the donation amount calculation exact enabling even low
hweight cgroups to donate.

This means that in rare occasions, a cgroup with active hweight of 1 can
enter donation calculation triggering the following warning and then a
divide-by-zero oops.

 WARNING: CPU: 4 PID: 0 at block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53 [884/94867]
 ...
 RIP: 0010:transfer_surpluses.cold+0x0/0x53
 Code: 92 ff 48 c7 c7 28 d1 ab b5 65 48 8b 34 25 00 ae 01 00 48 81 c6 90 06 00 00 e8 8b 3f fe ff 48 c7 c0 ea ff ff ff e9 95 ff 92 ff <0f> 0b 48 c7 c7 30 da ab b5 e8 71 3f fe ff 4c 89 e8 4d 85 ed 74 0
4
 ...
 Call Trace:
  <IRQ>
  ioc_timer_fn+0x1043/0x1390
  call_timer_fn+0xa1/0x2c0
  __run_timers.part.0+0x1ec/0x2e0
  run_timer_softirq+0x35/0x70
 ...
 iocg: invalid donation weights in /a/b: active=1 donating=1 after=0

Fix it by excluding cgroups w/ active hweight < 2 from donating. Excluding
these extreme low hweight donations shouldn't affect work conservation in
any meaningful way.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47584

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47585
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix memory leak in __add_inode_ref()

Line 1169 (#3) allocates a memory chunk for victim_name by kmalloc(),
but  when the function returns in line 1184 (#4) victim_name allocated
by line 1169 (#3) is not freed, which will lead to a memory leak.
There is a similar snippet of code in this function as allocating a memory
chunk for victim_name in line 1104 (#1) as well as releasing the memory
in line 1116 (#2).

We should kfree() victim_name when the return value of backref_in_log()
is less than zero and before the function returns in line 1184 (#4).

1057 static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
1058 				  struct btrfs_root *root,
1059 				  struct btrfs_path *path,
1060 				  struct btrfs_root *log_root,
1061 				  struct btrfs_inode *dir,
1062 				  struct btrfs_inode *inode,
1063 				  u64 inode_objectid, u64 parent_objectid,
1064 				  u64 ref_index, char *name, int namelen,
1065 				  int *search_done)
1066 {

1104 	victim_name = kmalloc(victim_name_len, GFP_NOFS);
	// #1: kmalloc (victim_name-1)
1105 	if (!victim_name)
1106 		return -ENOMEM;

1112	ret = backref_in_log(log_root, &search_key,
1113			parent_objectid, victim_name,
1114			victim_name_len);
1115	if (ret < 0) {
1116		kfree(victim_name); // #2: kfree (victim_name-1)
1117		return ret;
1118	} else if (!ret) {

1169 	victim_name = kmalloc(victim_name_len, GFP_NOFS);
	// #3: kmalloc (victim_name-2)
1170 	if (!victim_name)
1171 		return -ENOMEM;

1180 	ret = backref_in_log(log_root, &search_key,
1181 			parent_objectid, victim_name,
1182 			victim_name_len);
1183 	if (ret < 0) {
1184 		return ret; // #4: missing kfree (victim_name-2)
1185 	} else if (!ret) {

1241 	return 0;
1242 }
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47585

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47587
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: systemport: Add global locking for descriptor lifecycle

The descriptor list is a shared resource across all of the transmit queues, and
the locking mechanism used today only protects concurrency across a given
transmit queue between the transmit and reclaiming. This creates an opportunity
for the SYSTEMPORT hardware to work on corrupted descriptors if we have
multiple producers at once which is the case when using multiple transmit
queues.

This was particularly noticeable when using multiple flows/transmit queues and
it showed up in interesting ways in that UDP packets would get a correct UDP
header checksum being calculated over an incorrect packet length. Similarly TCP
packets would get an equally correct checksum computed by the hardware over an
incorrect packet length.

The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges
when the driver produces a new descriptor anytime it writes to the
WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to
re-organize its descriptors and it is possible that concurrent TX queues
eventually break this internal allocation scheme to the point where the
length/status part of the descriptor gets used for an incorrect data buffer.

The fix is to impose a global serialization for all TX queues in the short
section where we are writing to the WRITE_PORT_{HI,LO} registers which solves
the corruption even with multiple concurrent TX queues being used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47587

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47589
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

igbvf: fix double free in `igbvf_probe`

In `igbvf_probe`, if register_netdev() fails, the program will go to
label err_hw_init, and then to label err_ioremap. In free_netdev() which
is just below label err_ioremap, there is `list_for_each_entry_safe` and
`netif_napi_del` which aims to delete all entries in `dev->napi_list`.
The program has added an entry `adapter->rx_ring->napi` which is added by
`netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has
been freed below label err_hw_init. So this a UAF.

In terms of how to patch the problem, we can refer to igbvf_remove() and
delete the entry before `adapter->rx_ring`.

The KASAN logs are as follows:

[   35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450
[   35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366
[   35.128360]
[   35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14
[   35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[   35.131749] Call Trace:
[   35.132199]  dump_stack_lvl+0x59/0x7b
[   35.132865]  print_address_description+0x7c/0x3b0
[   35.133707]  ? free_netdev+0x1fd/0x450
[   35.134378]  __kasan_report+0x160/0x1c0
[   35.135063]  ? free_netdev+0x1fd/0x450
[   35.135738]  kasan_report+0x4b/0x70
[   35.136367]  free_netdev+0x1fd/0x450
[   35.137006]  igbvf_probe+0x121d/0x1a10 [igbvf]
[   35.137808]  ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]
[   35.138751]  local_pci_probe+0x13c/0x1f0
[   35.139461]  pci_device_probe+0x37e/0x6c0
[   35.165526]
[   35.165806] Allocated by task 366:
[   35.166414]  ____kasan_kmalloc+0xc4/0xf0
[   35.167117]  foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]
[   35.168078]  igbvf_probe+0x9c5/0x1a10 [igbvf]
[   35.168866]  local_pci_probe+0x13c/0x1f0
[   35.169565]  pci_device_probe+0x37e/0x6c0
[   35.179713]
[   35.179993] Freed by task 366:
[   35.180539]  kasan_set_track+0x4c/0x80
[   35.181211]  kasan_set_free_info+0x1f/0x40
[   35.181942]  ____kasan_slab_free+0x103/0x140
[   35.182703]  kfree+0xe3/0x250
[   35.183239]  igbvf_probe+0x1173/0x1a10 [igbvf]
[   35.184040]  local_pci_probe+0x13c/0x1f0
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47589

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47590
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix deadlock in __mptcp_push_pending()

__mptcp_push_pending() may call mptcp_flush_join_list() with subflow
socket lock held. If such call hits mptcp_sockopt_sync_all() then
subsequently __mptcp_sockopt_sync() could try to lock the subflow
socket for itself, causing a deadlock.

sysrq: Show Blocked State
task:ss-server       state:D stack:    0 pid:  938 ppid:     1 flags:0x00000000
Call Trace:
 <TASK>
 __schedule+0x2d6/0x10c0
 ? __mod_memcg_state+0x4d/0x70
 ? csum_partial+0xd/0x20
 ? _raw_spin_lock_irqsave+0x26/0x50
 schedule+0x4e/0xc0
 __lock_sock+0x69/0x90
 ? do_wait_intr_irq+0xa0/0xa0
 __lock_sock_fast+0x35/0x50
 mptcp_sockopt_sync_all+0x38/0xc0
 __mptcp_push_pending+0x105/0x200
 mptcp_sendmsg+0x466/0x490
 sock_sendmsg+0x57/0x60
 __sys_sendto+0xf0/0x160
 ? do_wait_intr_irq+0xa0/0xa0
 ? fpregs_restore_userregs+0x12/0xd0
 __x64_sys_sendto+0x20/0x30
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9ba546c2d0
RSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0
RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234
RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060
R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8
 </TASK>

Fix the issue by using __mptcp_flush_join_list() instead of plain
mptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by
Florian. The sockopt sync will be deferred to the workqueue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47590

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47591
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: remove tcp ulp setsockopt support

TCP_ULP setsockopt cannot be used for mptcp because its already
used internally to plumb subflow (tcp) sockets to the mptcp layer.

syzbot managed to trigger a crash for mptcp connections that are
in fallback mode:

KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0
RIP: 0010:tls_build_proto net/tls/tls_main.c:776 [inline]
[..]
 __tcp_set_ulp net/ipv4/tcp_ulp.c:139 [inline]
 tcp_set_ulp+0x428/0x4c0 net/ipv4/tcp_ulp.c:160
 do_tcp_setsockopt+0x455/0x37c0 net/ipv4/tcp.c:3391
 mptcp_setsockopt+0x1b47/0x2400 net/mptcp/sockopt.c:638

Remove support for TCP_ULP setsockopt.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47591

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47592
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix tc flower deletion for VLAN priority Rx steering

To replicate the issue:-

1) Add 1 flower filter for VLAN Priority based frame steering:-
$ IFDEVNAME=eth0
$ tc qdisc add dev $IFDEVNAME ingress
$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \
   map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \
   queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0
$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \
   flower vlan_prio 0 hw_tc 0

2) Get the 'pref' id
$ tc filter show dev $IFDEVNAME ingress

3) Delete a specific tc flower record (say pref 49151)
$ tc filter del dev $IFDEVNAME parent ffff: pref 49151

From dmesg, we will observe kernel NULL pointer ooops

[  197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  197.171367] #PF: supervisor read access in kernel mode
[  197.171367] #PF: error_code(0x0000) - not-present page
[  197.171367] PGD 0 P4D 0
[  197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI

<snip>

[  197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]

<snip>

[  197.171367] Call Trace:
[  197.171367]  <TASK>
[  197.171367]  ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]
[  197.171367]  stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]
[  197.171367]  tc_setup_cb_destroy+0xb3/0x180
[  197.171367]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]

The above issue is due to previous incorrect implementation of
tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()
to get struct flow_rule *rule which is no longer valid for tc filter
delete operation.

  struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
  struct flow_dissector *dissector = rule->match.dissector;

So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for
earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),
this patch introduces stmmac_rfs_entry as driver-side flow_cls_offload
record for 'RX frame steering' tc flower, currently used for VLAN
priority. The implementation has taken consideration for future extension
to include other type RX frame steering such as EtherType based.

v2:
 - Clean up overly extensive backtrace and rewrite git message to better
   explain the kernel NULL pointer issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47592

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47593
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: clear 'kern' flag from fallback sockets

The mptcp ULP extension relies on sk->sk_sock_kern being set correctly:
It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from
working for plain tcp sockets (any userspace-exposed socket).

But in case of fallback, accept() can return a plain tcp sk.
In such case, sk is still tagged as 'kernel' and setsockopt will work.

This will crash the kernel, The subflow extension has a NULL ctx->conn
mptcp socket:

BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0
Call Trace:
 tcp_data_ready+0xf8/0x370
 [..]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47593

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47594
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: never allow the PM to close a listener subflow

Currently, when deleting an endpoint the netlink PM treverses
all the local MPTCP sockets, regardless of their status.

If an MPTCP listener socket is bound to the IP matching the
delete endpoint, the listener TCP socket will be closed.
That is unexpected, the PM should only affect data subflows.

Additionally, syzbot was able to trigger a NULL ptr dereference
due to the above:

general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 PID: 6550 Comm: syz-executor122 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4897
Code: 0f 0e 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 69 cc 0f 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b 20 75 17 8f 0f 84 52 f3 ff
RSP: 0018:ffffc90001f2f818 EFLAGS: 00010016
RAX: dffffc0000000000 RBX: 0000000000000018 RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 000000000000000a R12: 0000000000000000
R13: ffff88801b98d700 R14: 0000000000000000 R15: 0000000000000001
FS:  00007f177cd3d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f177cd1b268 CR3: 000000001dd55000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 lock_acquire kernel/locking/lockdep.c:5637 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 finish_wait+0xc0/0x270 kernel/sched/wait.c:400
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
 inet_csk_accept+0x7de/0x9d0 net/ipv4/inet_connection_sock.c:497
 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2865
 inet_accept+0xe4/0x7b0 net/ipv4/af_inet.c:739
 mptcp_stream_accept+0x2e7/0x10e0 net/mptcp/protocol.c:3345
 do_accept+0x382/0x510 net/socket.c:1773
 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816
 __sys_accept4+0xb0/0x100 net/socket.c:1846
 __do_sys_accept net/socket.c:1864 [inline]
 __se_sys_accept net/socket.c:1861 [inline]
 __x64_sys_accept+0x71/0xb0 net/socket.c:1861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f177cd8b8e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f177cd3d308 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 00007f177ce13408 RCX: 00007f177cd8b8e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f177ce13400 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f177ce1340c
R13: 00007f177cde1004 R14: 6d705f706374706d R15: 0000000000022000
 </TASK>

Fix the issue explicitly skipping MPTCP socket in TCP_LISTEN
status.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47594

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47595
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_ets: don't remove idle classes from the round-robin list

Shuang reported that the following script:

 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7
 2) mausezahn ddd0  -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp &
 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

crashes systematically when line 2) is commented:

 list_del corruption, ffff8e028404bd30->next is LIST_POISON1 (dead000000000100)
 ------------[ cut here ]------------
 kernel BUG at lib/list_debug.c:47!
 invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47
 Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe
 RSP: 0018:ffffae46807a3888 EFLAGS: 00010246
 RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202
 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff
 RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff
 R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800
 R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400
 FS:  00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0
 Call Trace:
  <TASK>
  ets_qdisc_change+0x58b/0xa70 [sch_ets]
  tc_modify_qdisc+0x323/0x880
  rtnetlink_rcv_msg+0x169/0x4a0
  netlink_rcv_skb+0x50/0x100
  netlink_unicast+0x1a5/0x280
  netlink_sendmsg+0x257/0x4d0
  sock_sendmsg+0x5b/0x60
  ____sys_sendmsg+0x1f2/0x260
  ___sys_sendmsg+0x7c/0xc0
  __sys_sendmsg+0x57/0xa0
  do_syscall_64+0x3a/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7efdc8031338
 Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55
 RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338
 RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003
 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940
 R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001
 R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000
  </TASK>
 Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets]
 ---[ end trace f35878d1912655c2 ]---
 RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47
 Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe
 RSP: 0018:ffffae46807a3888 EFLAGS: 00010246
 RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202
 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff
 RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff
 R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800
 R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400
 FS:  00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000000000
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47595

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47596
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg

Currently, the hns3_remove function firstly uninstall client instance,
and then uninstall acceletion engine device. The netdevice is freed in
client instance uninstall process, but acceletion engine device uninstall
process still use it to trace runtime information. This causes a use after
free problem.

So fixes it by check the instance register state to avoid use after free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47596

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47597
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

inet_diag: fix kernel-infoleak for UDP sockets

KMSAN reported a kernel-infoleak [1], that can exploited
by unpriv users.

After analysis it turned out UDP was not initializing
r->idiag_expires. Other users of inet_sk_diag_fill()
might make the same mistake in the future, so fix this
in inet_sk_diag_fill().

[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 copyout lib/iov_iter.c:156 [inline]
 _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
 copy_to_iter include/linux/uio.h:155 [inline]
 simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
 __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425
 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
 skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]
 netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974
 sock_recvmsg_nosec net/socket.c:944 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 sock_read_iter+0x5a9/0x630 net/socket.c:1035
 call_read_iter include/linux/fs.h:2156 [inline]
 new_sync_read fs/read_write.c:400 [inline]
 vfs_read+0x1631/0x1980 fs/read_write.c:481
 ksys_read+0x28c/0x520 fs/read_write.c:619
 __do_sys_read fs/read_write.c:629 [inline]
 __se_sys_read fs/read_write.c:627 [inline]
 __x64_sys_read+0xdb/0x120 fs/read_write.c:627
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245
 __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
 netlink_dump_start include/linux/netlink.h:254 [inline]
 inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343
 sock_diag_rcv_msg+0x24a/0x620
 netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 sock_write_iter+0x594/0x690 net/socket.c:1057
 do_iter_readv_writev+0xa7f/0xc70
 do_iter_write+0x52c/0x1500 fs/read_write.c:851
 vfs_writev fs/read_write.c:924 [inline]
 do_writev+0x63f/0xe30 fs/read_write.c:967
 __do_sys_writev fs/read_write.c:1040 [inline]
 __se_sys_writev fs/read_write.c:1037 [inline]
 __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Bytes 68-71 of 312 are uninitialized
Memory access of size 312 starts at ffff88812ab54000
Data copied to user address 0000000020001440

CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47597

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47598
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sch_cake: do not call cake_destroy() from cake_init()

qdiscs are not supposed to call their own destroy() method
from init(), because core stack already does that.

syzbot was able to trigger use after free:

DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]
WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
Modules linked in:
CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]
RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8
RSP: 0018:ffffc9000627f290 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44
RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000
FS:  0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810
 tcf_block_put_ext net/sched/cls_api.c:1381 [inline]
 tcf_block_put_ext net/sched/cls_api.c:1376 [inline]
 tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394
 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695
 qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293
 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f1bb06badb9
Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.
RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9
RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003
R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688
R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2
 </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47598

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47599
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: use latest_dev in btrfs_show_devname

The test case btrfs/238 reports the warning below:

 WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]
 CPU: 2 PID: 1 Comm: systemd Tainted: G        W  O 5.14.0-rc1-custom #72
 Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
 Call trace:
   btrfs_show_devname+0x108/0x1b4 [btrfs]
   show_mountinfo+0x234/0x2c4
   m_show+0x28/0x34
   seq_read_iter+0x12c/0x3c4
   vfs_read+0x29c/0x2c8
   ksys_read+0x80/0xec
   __arm64_sys_read+0x28/0x34
   invoke_syscall+0x50/0xf8
   do_el0_svc+0x88/0x138
   el0_svc+0x2c/0x8c
   el0t_64_sync_handler+0x84/0xe4
   el0t_64_sync+0x198/0x19c

Reason:
While btrfs_prepare_sprout() moves the fs_devices::devices into
fs_devices::seed_list, the btrfs_show_devname() searches for the devices
and found none, leading to the warning as in above.

Fix:
latest_dev is updated according to the changes to the device list.
That means we could use the latest_dev->name to show the device name in
/proc/self/mounts, the pointer will be always valid as it's assigned
before the device is deleted from the list in remove or replace.
The RCU protection is sufficient as the device structure is freed after
synchronization.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47599

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47600
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dm btree remove: fix use after free in rebalance_children()

Move dm_tm_unlock() after dm_tm_dec().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47600

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47601
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tee: amdtee: fix an IS_ERR() vs NULL bug

The __get_free_pages() function does not return error pointers it returns
NULL so fix this condition to avoid a NULL dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47601

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47602
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mac80211: track only QoS data frames for admission control

For admission control, obviously all of that only works for
QoS data frames, otherwise we cannot even access the QoS
field in the header.

Syzbot reported (see below) an uninitialized value here due
to a status of a non-QoS nullfunc packet, which isn't even
long enough to contain the QoS header.

Fix this to only do anything for QoS data packets.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47602

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47603
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

audit: improve robustness of the audit queue handling

If the audit daemon were ever to get stuck in a stopped state the
kernel's kauditd_thread() could get blocked attempting to send audit
records to the userspace audit daemon.  With the kernel thread
blocked it is possible that the audit queue could grow unbounded as
certain audit record generating events must be exempt from the queue
limits else the system enter a deadlock state.

This patch resolves this problem by lowering the kernel thread's
socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks
the kauditd_send_queue() function to better manage the various audit
queues when connection problems occur between the kernel and the
audit daemon.  With this patch, the backlog may temporarily grow
beyond the defined limits when the audit daemon is stopped and the
system is under heavy audit pressure, but kauditd_thread() will
continue to make progress and drain the queues as it would for other
connection problems.  For example, with the audit daemon put into a
stopped state and the system configured to audit every syscall it
was still possible to shutdown the system without a kernel panic,
deadlock, etc.; granted, the system was slow to shutdown but that is
to be expected given the extreme pressure of recording every syscall.

The timeout value of HZ/10 was chosen primarily through
experimentation and this developer's "gut feeling".  There is likely
no one perfect value, but as this scenario is limited in scope (root
privileges would be needed to send SIGSTOP to the audit daemon), it
is likely not worth exposing this as a tunable at present.  This can
always be done at a later date if it proves necessary.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47603

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47604
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vduse: check that offset is within bounds in get_config()

This condition checks "len" but it does not check "offset" and that
could result in an out of bounds read if "offset > dev->config_size".
The problem is that since both variables are unsigned the
"dev->config_size - offset" subtraction would result in a very high
unsigned value.

I think these checks might not be necessary because "len" and "offset"
are supposed to already have been validated using the
vhost_vdpa_config_validate() function.  But I do not know the code
perfectly, and I like to be safe.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47604

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47605
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vduse: fix memory corruption in vduse_dev_ioctl()

The "config.offset" comes from the user.  There needs to a check to
prevent it being out of bounds.  The "config.offset" and
"dev->config_size" variables are both type u32.  So if the offset if
out of bounds then the "dev->config_size - config.offset" subtraction
results in a very high u32 value.  The out of bounds offset can result
in memory corruption.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47605

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47606
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: netlink: af_netlink: Prevent empty skb by adding a check on len.

Adding a check on len parameter to avoid empty skb. This prevents a
division error in netem_enqueue function which is caused when skb->len=0
and skb->data_len=0 in the randomized corruption step as shown below.

skb->data[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8);

Crash Report:
[  343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family
0 port 6081 - 0
[  343.216110] netem: version 1.3
[  343.235841] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
[  343.236680] CPU: 3 PID: 4288 Comm: reproducer Not tainted 5.16.0-rc1+
[  343.237569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.11.0-2.el7 04/01/2014
[  343.238707] RIP: 0010:netem_enqueue+0x1590/0x33c0 [sch_netem]
[  343.239499] Code: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff
ff 8b 8d 50 ff ff ff 8b 85 58 ff ff ff 48 8b bd 70 ff ff ff 31 d2 2b 4f
74 <f7> f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03
[  343.241883] RSP: 0018:ffff88800bcd7368 EFLAGS: 00010246
[  343.242589] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX:
0000000000000000
[  343.243542] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI:
ffff88800f8eda40
[  343.244474] RBP: ffff88800bcd7458 R08: 0000000000000000 R09:
ffffffff94fb8445
[  343.245403] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12:
0000000000000000
[  343.246355] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15:
0000000000000020
[  343.247291] FS:  00007fdde2bd7700(0000) GS:ffff888109780000(0000)
knlGS:0000000000000000
[  343.248350] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  343.249120] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4:
00000000000006e0
[  343.250076] Call Trace:
[  343.250423]  <TASK>
[  343.250713]  ? memcpy+0x4d/0x60
[  343.251162]  ? netem_init+0xa0/0xa0 [sch_netem]
[  343.251795]  ? __sanitizer_cov_trace_pc+0x21/0x60
[  343.252443]  netem_enqueue+0xe28/0x33c0 [sch_netem]
[  343.253102]  ? stack_trace_save+0x87/0xb0
[  343.253655]  ? filter_irq_stacks+0xb0/0xb0
[  343.254220]  ? netem_init+0xa0/0xa0 [sch_netem]
[  343.254837]  ? __kasan_check_write+0x14/0x20
[  343.255418]  ? _raw_spin_lock+0x88/0xd6
[  343.255953]  dev_qdisc_enqueue+0x50/0x180
[  343.256508]  __dev_queue_xmit+0x1a7e/0x3090
[  343.257083]  ? netdev_core_pick_tx+0x300/0x300
[  343.257690]  ? check_kcov_mode+0x10/0x40
[  343.258219]  ? _raw_spin_unlock_irqrestore+0x29/0x40
[  343.258899]  ? __kasan_init_slab_obj+0x24/0x30
[  343.259529]  ? setup_object.isra.71+0x23/0x90
[  343.260121]  ? new_slab+0x26e/0x4b0
[  343.260609]  ? kasan_poison+0x3a/0x50
[  343.261118]  ? kasan_unpoison+0x28/0x50
[  343.261637]  ? __kasan_slab_alloc+0x71/0x90
[  343.262214]  ? memcpy+0x4d/0x60
[  343.262674]  ? write_comp_data+0x2f/0x90
[  343.263209]  ? __kasan_check_write+0x14/0x20
[  343.263802]  ? __skb_clone+0x5d6/0x840
[  343.264329]  ? __sanitizer_cov_trace_pc+0x21/0x60
[  343.264958]  dev_queue_xmit+0x1c/0x20
[  343.265470]  netlink_deliver_tap+0x652/0x9c0
[  343.266067]  netlink_unicast+0x5a0/0x7f0
[  343.266608]  ? netlink_attachskb+0x860/0x860
[  343.267183]  ? __sanitizer_cov_trace_pc+0x21/0x60
[  343.267820]  ? write_comp_data+0x2f/0x90
[  343.268367]  netlink_sendmsg+0x922/0xe80
[  343.268899]  ? netlink_unicast+0x7f0/0x7f0
[  343.269472]  ? __sanitizer_cov_trace_pc+0x21/0x60
[  343.270099]  ? write_comp_data+0x2f/0x90
[  343.270644]  ? netlink_unicast+0x7f0/0x7f0
[  343.271210]  sock_sendmsg+0x155/0x190
[  343.271721]  ____sys_sendmsg+0x75f/0x8f0
[  343.272262]  ? kernel_sendmsg+0x60/0x60
[  343.272788]  ? write_comp_data+0x2f/0x90
[  343.273332]  ? write_comp_data+0x2f/0x90
[  343.273869]  ___sys_sendmsg+0x10f/0x190
[  343.274405]  ? sendmsg_copy_msghdr+0x80/0x80
[  343.274984]  ? slab_post_alloc_hook+0x70/0x230
[  343.275597]  ? futex_wait_setup+0x240/0x240
[  343.276175]  ? security_file_alloc+0x3e/0x170
[  343.276779]  ? write_comp_d
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47606

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47607
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg

The implementation of BPF_CMPXCHG on a high level has the following parameters:

  .-[old-val]                                          .-[new-val]
  BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG)
                          `-[mem-loc]          `-[old-val]

Given a BPF insn can only have two registers (dst, src), the R0 is fixed and
used as an auxilliary register for input (old value) as well as output (returning
old value from memory location). While the verifier performs a number of safety
checks, it misses to reject unprivileged programs where R0 contains a pointer as
old value.

Through brute-forcing it takes about ~16sec on my machine to leak a kernel pointer
with BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the
guessed address into the map slot as a scalar, and using the map value pointer as
R0 while SRC_REG has a canary value to detect a matching address.

Fix it by checking R0 for pointers, and reject if that's the case for unprivileged
programs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47607

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47608
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix kernel address leakage in atomic fetch

The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers
in atomics w/ BPF_FETCH") around check_mem_access() handling is buggy since
this would allow for unprivileged users to leak kernel pointers. For example,
an atomic fetch/and with -1 on a stack destination which holds a spilled
pointer will migrate the spilled register type into a scalar, which can then
be exported out of the program (since scalar != pointer) by dumping it into
a map value.

The original implementation of XADD was preventing this situation by using
a double call to check_mem_access() one with BPF_READ and a subsequent one
with BPF_WRITE, in both cases passing -1 as a placeholder value instead of
register as per XADD semantics since it didn't contain a value fetch. The
BPF_READ also included a check in check_stack_read_fixed_off() which rejects
the program if the stack slot is of __is_pointer_value() if dst_regno < 0.
The latter is to distinguish whether we're dealing with a regular stack spill/
fill or some arithmetical operation which is disallowed on non-scalars, see
also 6e7e63cbb023 ("bpf: Forbid XADD on spilled pointers for unprivileged
users") for more context on check_mem_access() and its handling of placeholder
value -1.

One minimally intrusive option to fix the leak is for the BPF_FETCH case to
initially check the BPF_READ case via check_mem_access() with -1 as register,
followed by the actual load case with non-negative load_reg to propagate
stack bounds to registers.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47608

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47609
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scpi: Fix string overflow in SCPI genpd driver

Without the bound checks for scpi_pd->name, it could result in the buffer
overflow when copying the SCPI device name from the corresponding device
tree node as the name string is set at maximum size of 30.

Let us fix it by using devm_kasprintf so that the string buffer is
allocated dynamically.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47609

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47610
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm: Fix null ptr access msm_ioctl_gem_submit()

Fix the below null pointer dereference in msm_ioctl_gem_submit():

 26545.260705:   Call trace:
 26545.263223:    kref_put+0x1c/0x60
 26545.266452:    msm_ioctl_gem_submit+0x254/0x744
 26545.270937:    drm_ioctl_kernel+0xa8/0x124
 26545.274976:    drm_ioctl+0x21c/0x33c
 26545.278478:    drm_compat_ioctl+0xdc/0xf0
 26545.282428:    __arm64_compat_sys_ioctl+0xc8/0x100
 26545.287169:    el0_svc_common+0xf8/0x250
 26545.291025:    do_el0_svc_compat+0x28/0x54
 26545.295066:    el0_svc_compat+0x10/0x1c
 26545.298838:    el0_sync_compat_handler+0xa8/0xcc
 26545.303403:    el0_sync_compat+0x188/0x1c0
 26545.307445:   Code: d503201f d503201f 52800028 4b0803e8 (b8680008)
 26545.318799:   Kernel panic - not syncing: Oops: Fatal exception
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47610

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47611
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mac80211: validate extended element ID is present

Before attempting to parse an extended element, verify that
the extended element ID is present.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47611

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47612
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfc: fix segfault in nfc_genl_dump_devices_done

When kmalloc in nfc_genl_dump_devices() fails then
nfc_genl_dump_devices_done() segfaults as below

KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014
Workqueue: events netlink_sock_destruct_work
RIP: 0010:klist_iter_exit+0x26/0x80
Call Trace:
<TASK>
class_dev_iter_exit+0x15/0x20
nfc_genl_dump_devices_done+0x3b/0x50
genl_lock_done+0x84/0xd0
netlink_sock_destruct+0x8f/0x270
__sk_destruct+0x64/0x3b0
sk_destruct+0xa8/0xd0
__sk_free+0x2e8/0x3d0
sk_free+0x51/0x90
netlink_sock_destruct_work+0x1c/0x20
process_one_work+0x411/0x710
worker_thread+0x6fd/0xa80
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47612

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47613
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i2c: virtio: fix completion handling

The driver currently assumes that the notify callback is only received
when the device is done with all the queued buffers.

However, this is not true, since the notify callback could be called
without any of the queued buffers being completed (for example, with
virtio-pci and shared interrupts) or with only some of the buffers being
completed (since the driver makes them available to the device in
multiple separate virtqueue_add_sgs() calls).

This can lead to incorrect data on the I2C bus or memory corruption in
the guest if the device operates on buffers which are have been freed by
the driver.  (The WARN_ON in the driver is also triggered.)

 BUG kmalloc-128 (Tainted: G        W        ): Poison overwritten
 First byte 0x0 instead of 0x6b
 Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28
 	memdup_user+0x2e/0xbd
 	i2cdev_ioctl_rdwr+0x9d/0x1de
 	i2cdev_ioctl+0x247/0x2ed
 	vfs_ioctl+0x21/0x30
 	sys_ioctl+0xb18/0xb41
 Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28
 	kfree+0x1bd/0x1cc
 	i2cdev_ioctl_rdwr+0x1bb/0x1de
 	i2cdev_ioctl+0x247/0x2ed
 	vfs_ioctl+0x21/0x30
 	sys_ioctl+0xb18/0xb41

Fix this by calling virtio_get_buf() from the notify handler like other
virtio drivers and by actually waiting for all the buffers to be
completed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47613

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47614
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix a user-after-free in add_pble_prm

When irdma_hmc_sd_one fails, 'chunk' is freed while its still on the PBLE
info list.

Add the chunk entry to the PBLE info list only after successful setting of
the SD in irdma_hmc_sd_one.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47614

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47615
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow

For the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though
it is a user MR. This causes function mlx5_free_priv_descs() to think that
it is a kernel MR, leading to wrongly accessing mr->descs that will get
wrong values in the union which leads to attempt to release resources that
were not allocated in the first place.

For example:
 DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]
 WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0
 RIP: 0010:check_unmap+0x54f/0x8b0
 Call Trace:
  debug_dma_unmap_page+0x57/0x60
  mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]
  mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]
  ib_dereg_mr_user+0x60/0x140 [ib_core]
  uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]
  uobj_destroy+0x3f/0x80 [ib_uverbs]
  ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]
  ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]
  ? lock_acquire+0xc4/0x2e0
  ? lock_acquired+0x12/0x380
  ? lock_acquire+0xc4/0x2e0
  ? lock_acquire+0xc4/0x2e0
  ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]
  ? lock_release+0x28a/0x400
  ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]
  ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]
  __x64_sys_ioctl+0x7f/0xb0
  do_syscall_64+0x38/0x90

Fix it by reorganizing the dereg flow and mlx5_ib_mr structure:
 - Move the ib_umem field into the user MRs structure in the union as it's
   applicable only there.
 - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only
   in case there isn't udata, which indicates that this isn't a user MR.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47615

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47616
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA: Fix use-after-free in rxe_queue_cleanup

On error handling path in rxe_qp_from_init() qp->sq.queue is freed and
then rxe_create_qp() will drop last reference to this object. qp clean up
function will try to free this queue one time and it causes UAF bug.

Fix it by zeroing queue pointer after freeing queue in rxe_qp_from_init().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47616

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47617
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI: pciehp: Fix infinite loop in IRQ handler upon power fault

The Power Fault Detected bit in the Slot Status register differs from
all other hotplug events in that it is sticky:  It can only be cleared
after turning off slot power.  Per PCIe r5.0, sec. 6.7.1.8:

  If a power controller detects a main power fault on the hot-plug slot,
  it must automatically set its internal main power fault latch [...].
  The main power fault latch is cleared when software turns off power to
  the hot-plug slot.

The stickiness used to cause interrupt storms and infinite loops which
were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault
interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable
software notification on empty slots").

Unfortunately in 2020 the infinite loop issue was inadvertently
reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt
race"):  The hardirq handler pciehp_isr() clears the PFD bit until
pciehp's power_fault_detected flag is set.  That happens in the IRQ
thread pciehp_ist(), which never learns of the event because the hardirq
handler is stuck in an infinite loop.  Fix by setting the
power_fault_detected flag already in the hardirq handler.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47617

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47619
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix queues reservation for XDP

When XDP was configured on a system with large number of CPUs
and X722 NIC there was a call trace with NULL pointer dereference.

i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12
i40e 0000:87:00.0: setup of MAIN VSI failed

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]
Call Trace:
? i40e_reconfig_rss_queues+0x130/0x130 [i40e]
dev_xdp_install+0x61/0xe0
dev_xdp_attach+0x18a/0x4c0
dev_change_xdp_fd+0x1e6/0x220
do_setlink+0x616/0x1030
? ahci_port_stop+0x80/0x80
? ata_qc_issue+0x107/0x1e0
? lock_timer_base+0x61/0x80
? __mod_timer+0x202/0x380
rtnl_setlink+0xe5/0x170
? bpf_lsm_binder_transaction+0x10/0x10
? security_capable+0x36/0x50
rtnetlink_rcv_msg+0x121/0x350
? rtnl_calcit.isra.0+0x100/0x100
netlink_rcv_skb+0x50/0xf0
netlink_unicast+0x1d3/0x2a0
netlink_sendmsg+0x22a/0x440
sock_sendmsg+0x5e/0x60
__sys_sendto+0xf0/0x160
? __sys_getsockname+0x7e/0xc0
? _copy_from_user+0x3c/0x80
? __sys_setsockopt+0xc8/0x1a0
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f83fa7a39e0

This was caused by PF queue pile fragmentation due to
flow director VSI queue being placed right after main VSI.
Because of this main VSI was not able to resize its
queue allocation for XDP resulting in no queues allocated
for main VSI when XDP was turned on.

Fix this by always allocating last queue in PF queue pile
for a flow director VSI.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47619

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47620
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: refactor malicious adv data check

Check for out-of-bound read was being performed at the end of while
num_reports loop, and would fill journal with false positives. Added
check to beginning of loop processing so that it doesn't get checked
after ptr has been advanced.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47620

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47622
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: Fix a deadlock in the error handler

The following deadlock has been observed on a test setup:

 - All tags allocated

 - The SCSI error handler calls ufshcd_eh_host_reset_handler()

 - ufshcd_eh_host_reset_handler() queues work that calls
   ufshcd_err_handler()

 - ufshcd_err_handler() locks up as follows:

Workqueue: ufs_eh_wq_0 ufshcd_err_handler.cfi_jt
Call trace:
 __switch_to+0x298/0x5d8
 __schedule+0x6cc/0xa94
 schedule+0x12c/0x298
 blk_mq_get_tag+0x210/0x480
 __blk_mq_alloc_request+0x1c8/0x284
 blk_get_request+0x74/0x134
 ufshcd_exec_dev_cmd+0x68/0x640
 ufshcd_verify_dev_init+0x68/0x35c
 ufshcd_probe_hba+0x12c/0x1cb8
 ufshcd_host_reset_and_restore+0x88/0x254
 ufshcd_reset_and_restore+0xd0/0x354
 ufshcd_err_handler+0x408/0xc58
 process_one_work+0x24c/0x66c
 worker_thread+0x3e8/0xa4c
 kthread+0x150/0x1b4
 ret_from_fork+0x10/0x30

Fix this lockup by making ufshcd_exec_dev_cmd() allocate a reserved
request.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47622

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2021-47624
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change

The refcount leak issues take place in an error handling path. When the
3rd argument buf doesn't match with "offline", "online" or "remove", the
function simply returns -EINVAL and forgets to decrease the reference
count of a rpc_xprt object and a rpc_xprt_switch object increased by
rpc_sysfs_xprt_kobj_get_xprt() and
rpc_sysfs_xprt_kobj_get_xprt_switch(), causing reference count leaks of
both unused objects.

Fix this issue by jumping to the error handling path labelled with
out_put when buf matches none of "offline", "online" or "remove".
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-47624

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0168
CVE STATUS: Patched
CVE SUMMARY: A denial of service (DOS) issue was found in the Linux kernel’s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0168

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0171
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0171

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0185
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0185

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0264
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Linux kernel's eBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. This flaws affects kernel versions < v5.16-rc6
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0264

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0286
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel. A null pointer dereference in bond_ipsec_add_sa() may lead to local denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0286

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0322
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel with a local user privilege access. In this flaw, an attempt to use more buffer than is allocated triggers a BUG_ON issue, leading to a denial of service (DOS).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0322

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0330
CVE STATUS: Patched
CVE SUMMARY: A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0330

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0382
CVE STATUS: Patched
CVE SUMMARY: An information leak flaw was found due to uninitialized memory in the Linux kernel's TIPC protocol subsystem, in the way a user sends a TIPC datagram to one or more destinations. This flaw allows a local user to read some kernel memory. This issue is limited to no more than 7 bytes, and the user cannot control what is read. This flaw affects the Linux kernel versions prior to 5.17-rc1.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0382

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0400
CVE STATUS: Unpatched
CVE SUMMARY: An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0400

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0433
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel's BPF subsystem in the way a user triggers the map_get_next_key function of the BPF bloom filter. This flaw allows a local user to crash the system. This flaw affects Linux kernel versions prior to 5.17-rc1.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0433

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0435
CVE STATUS: Patched
CVE SUMMARY: A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0435

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0480
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0480

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0487
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0487

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0492
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0492

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0494
CVE STATUS: Patched
CVE SUMMARY: A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0494

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0500
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0500

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0516
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel. This flaw allows a local attacker with a normal user privilege to obtain unauthorized memory write access. This flaw affects Linux kernel versions prior to 5.17-rc4.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0516

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0617
CVE STATUS: Patched
CVE SUMMARY: A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0617

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0646
CVE STATUS: Patched
CVE SUMMARY: A flaw use after free in the Linux kernel Management Component Transport Protocol (MCTP) subsystem was found in the way user triggers cancel_work_sync after the unregister_netdev during removing device. A local user could use this flaw to crash the system or escalate their privileges on the system. It is actual from Linux Kernel 5.17-rc1 (when mctp-serial.c introduced) till 5.17-rc5.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0646

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0742
CVE STATUS: Patched
CVE SUMMARY: Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attacker to DoS a host by making it go out-of-memory via icmp6 packets of type 130 or 131. We recommend upgrading past commit 2d3916f3189172d5c69d33065c3c21119fe539fc.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0742

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0812
CVE STATUS: Patched
CVE SUMMARY: An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpc_rdma.c in the Linux Kernel. This flaw allows an attacker with normal user privileges to leak kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0812

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0847
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0847

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0850
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to userspace.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0854
CVE STATUS: Patched
CVE SUMMARY: A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0854

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0995
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-0998
CVE STATUS: Patched
CVE SUMMARY: An integer overflow flaw was found in the Linux kernel’s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0998

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1011
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1011

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1012
CVE STATUS: Patched
CVE SUMMARY: A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of service problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1012

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1015
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1015

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1016
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1016

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1043
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1043

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1048
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1048

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1055
CVE STATUS: Patched
CVE SUMMARY: A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1055

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1116
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow or Wraparound vulnerability in io_uring of Linux Kernel allows local attacker to cause memory corruption and escalate privileges to root. This issue affects: Linux Kernel versions prior to 5.4.189; version 5.4.24 and later versions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1116

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1158
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the offset to get the page's pfn. As vaddr and vm_pgoff are controllable by user-mode processes, this flaw allows unprivileged local users on the host to write outside the userspace region and potentially corrupt the kernel, resulting in a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1158

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1184
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1184

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1195
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1195

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1198
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerabilitity was discovered in drivers/net/hamradio/6pack.c of linux that allows an attacker to crash linux kernel by simulating ax25 device using 6pack driver from user space.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1198

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1199
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1199

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1204
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1204

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1205
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1205

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1247
CVE STATUS: Unpatched
CVE SUMMARY: An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1247

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1263
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1263

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1280
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1280

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1353
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1353

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1419
CVE STATUS: Patched
CVE SUMMARY: The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of *drm_vgem_gem_object *(created in *vgem_gem_dumb_create*) concurrently, and *vgem_gem_dumb_create *will access the freed drm_vgem_gem_object.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1419

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1462
CVE STATUS: Unpatched
CVE SUMMARY: An out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1462

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1508
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read flaw was found in the Linux kernel’s io_uring module in the way a user triggers the io_read() function with some special parameters. This flaw allows a local user to read some memory out of bounds.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1508

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1516
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel’s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. This flaw allows a local user to crash the system.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1516

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1651
CVE STATUS: Patched
CVE SUMMARY: A memory leak flaw was found in the Linux kernel in acrn_dev_ioctl in the drivers/virt/acrn/hsm.c function in how the ACRN Device Model emulates virtual NICs in VM. This flaw allows a local privileged attacker to leak unauthorized kernel information, causing a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1651

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1652
CVE STATUS: Patched
CVE SUMMARY: Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1652

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1671
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in rxrpc_preparse_s in net/rxrpc/server_key.c in the Linux kernel. This flaw allows a local attacker to crash the system or leak internal kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1671

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1678
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1678

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1679
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1679

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1729
CVE STATUS: Patched
CVE SUMMARY: A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1729

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1734
CVE STATUS: Patched
CVE SUMMARY: A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1734

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1786
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1786

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1789
CVE STATUS: Patched
CVE SUMMARY: With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1789

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1852
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in guest in the Intel CPU.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1852

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1882
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s pipes functionality in how a user performs manipulations with the pipe post_one_notification() after free_pipe_info() that is already called. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1882

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1943
CVE STATUS: Patched
CVE SUMMARY: A flaw out of bounds memory write in the Linux kernel UDF file system functionality was found in the way user triggers some file operation which triggers udf_write_fi(). A local user could use this flaw to crash the system or potentially
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1943

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1973
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. This flaw allows a local attacker to crash the system and leads to a kernel information leak problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1973

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1974
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel's NFC core functionality due to a race condition between kobject creation and delete. This vulnerability allows a local attacker with CAP_NET_ADMIN privilege to leak kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1974

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1975
CVE STATUS: Patched
CVE SUMMARY: There is a sleep-in-atomic bug in /net/nfc/netlink.c that allows an attacker to crash the Linux kernel by simulating a nfc device from user-space.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1975

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1976
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel’s implementation of IO-URING. This flaw allows an attacker with local executable permission to create a string of requests that can cause a use-after-free flaw within the kernel. This issue leads to memory corruption and possible privilege escalation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1976

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-1998
CVE STATUS: Patched
CVE SUMMARY: A use after free in the Linux kernel File System notify functionality was found in the way user triggers copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1998

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-20105
CVE STATUS: Patched
CVE SUMMARY: In MM service, there is a possible out of bounds write due to a stack-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330460; Issue ID: DTV03330460.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-20105

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-20106
CVE STATUS: Patched
CVE SUMMARY: In MM service, there is a possible out of bounds write due to a heap-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330460; Issue ID: DTV03330460.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-20106

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-20107
CVE STATUS: Patched
CVE SUMMARY: In subtitle service, there is a possible application crash due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330673; Issue ID: DTV03330673.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-20107

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-20108
CVE STATUS: Patched
CVE SUMMARY: In voice service, there is a possible out of bounds write due to a stack-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330702; Issue ID: DTV03330702.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-20108

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2078
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function .This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse() , causing a denial of service and possibly to run code.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2153
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel’s KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2153

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2196
CVE STATUS: Patched
CVE SUMMARY: A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2196

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2308
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2308

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2318
CVE STATUS: Patched
CVE SUMMARY: There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2318

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-23222
CVE STATUS: Patched
CVE SUMMARY: kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23222

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2327
CVE STATUS: Unpatched
CVE SUMMARY: io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2327

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2380
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel was found vulnerable out of bounds memory access in the drivers/video/fbdev/sm712fb.c:smtcfb_read() function. The vulnerability could result in local attackers being able to crash the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2380

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-24122
CVE STATUS: Patched
CVE SUMMARY: kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24122

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-24448
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24448

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-24958
CVE STATUS: Patched
CVE SUMMARY: drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24958

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-24959
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24959

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2503
CVE STATUS: Patched
CVE SUMMARY: Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.9
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2503

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-25258
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 4.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25258

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-25265
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25265

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-25375
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25375

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-25636
CVE STATUS: Patched
CVE SUMMARY: net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25636

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2585
CVE STATUS: Patched
CVE SUMMARY: It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2585

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2586
CVE STATUS: Patched
CVE SUMMARY: It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2586

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2588
CVE STATUS: Patched
CVE SUMMARY: It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2588

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2590
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only shared memory mappings. This flaw allows an unprivileged, local user to gain write access to read-only memory mappings, increasing their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2590

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2602
CVE STATUS: Patched
CVE SUMMARY: io_uring UAF, Unix SCM garbage collection
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2602

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-26365
CVE STATUS: Patched
CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26365

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2639
CVE STATUS: Patched
CVE SUMMARY: An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2639

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-26490
CVE STATUS: Patched
CVE SUMMARY: st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26490

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2663
CVE STATUS: Unpatched
CVE SUMMARY: An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2663

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-26878
CVE STATUS: Patched
CVE SUMMARY: drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26878

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-26966
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26966

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-27223
CVE STATUS: Patched
CVE SUMMARY: In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27223

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-27666
CVE STATUS: Patched
CVE SUMMARY: A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27666

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2785
CVE STATUS: Unpatched
CVE SUMMARY: There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2785

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-27950
CVE STATUS: Patched
CVE SUMMARY: In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27950

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-28356
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28356

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-28388
CVE STATUS: Patched
CVE SUMMARY: usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28388

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-28389
CVE STATUS: Patched
CVE SUMMARY: mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28389

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-28390
CVE STATUS: Patched
CVE SUMMARY: ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28390

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2873
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2873

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-28796
CVE STATUS: Patched
CVE SUMMARY: jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28796

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-28893
CVE STATUS: Patched
CVE SUMMARY: The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28893

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2905
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2905

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-29156
CVE STATUS: Patched
CVE SUMMARY: drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29156

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2938
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2938

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-29581
CVE STATUS: Patched
CVE SUMMARY: Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29581

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-29582
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29582

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2959
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2959

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2961
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2961

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2964
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel’s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2964

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2977
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2977

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2978
CVE STATUS: Patched
CVE SUMMARY: A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2978

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-2991
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2991

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-29968
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29968

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3028
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3028

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-30594
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30594

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3061
CVE STATUS: Patched
CVE SUMMARY: Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by zero error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3061

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3077
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. This flaw could allow a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3078
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. There is a lack of check after calling vzalloc() and lack of free after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3103
CVE STATUS: Patched
CVE SUMMARY: off-by-one in io_uring module.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3103

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3104
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. lkdtm_ARRAY_BOUNDS in drivers/misc/lkdtm/bugs.c lacks check of the return value of kmalloc() and will cause the null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3104

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3105
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. uapi_finalize in drivers/infiniband/core/uverbs_uapi.c lacks check of kmalloc_array().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3105

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3106
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. ef100_update_stats in drivers/net/ethernet/sfc/ef100_nic.c lacks check of the return value of kmalloc().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3106

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3107
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c lacks check of the return value of kvmalloc_array() and will cause the null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3107

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3108
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3108

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3110
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. _rtw_init_xmit_priv in drivers/staging/r8188eu/core/rtw_xmit.c lacks check of the return value of rtw_alloc_hwxmits() and will cause the null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3110

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3111
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. free_charger_irq() in drivers/power/supply/wm8350_power.c lacks free of WM8350_IRQ_CHG_FAST_RDY, which is registered in wm8350_init_charger().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3111

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3112
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. amvdec_set_canvases in drivers/staging/media/meson/vdec/vdec_helpers.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3112

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3113
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. mtk_vcodec_fw_vpu_init in drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c lacks check of the return value of devm_kzalloc() and will cause the null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3113

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3114
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3114

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3115
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3115

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3169
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3169

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3170
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds access issue was found in the Linux kernel sound subsystem. It could occur when the 'id->name' provided by the user did not end with '\0'. A privileged local user could pass a specially crafted name through ioctl() interface and crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3170

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3176
CVE STATUS: Patched
CVE SUMMARY: There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3176

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3202
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS)in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3202

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-32250
CVE STATUS: Patched
CVE SUMMARY: net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32250

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-32296
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. This occurs because of use of Algorithm 4 ("Double-Hash Port Selection Algorithm") of RFC 6056.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32296

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3238
CVE STATUS: Patched
CVE SUMMARY: A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3238

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3239
CVE STATUS: Patched
CVE SUMMARY: A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3239

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-32981
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.18.3 on powerpc 32-bit platforms. There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka PEEKUSR and POKEUSR) when accessing floating point registers.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32981

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3303
CVE STATUS: Patched
CVE SUMMARY: A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3303

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3344
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the KVM's AMD nested virtualization (SVM). A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading to a page fault and kernel panic in the host (L0).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3344

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-33740
CVE STATUS: Patched
CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33740

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-33741
CVE STATUS: Patched
CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-33742
CVE STATUS: Patched
CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33742

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-33743
CVE STATUS: Patched
CVE SUMMARY: network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33743

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-33744
CVE STATUS: Patched
CVE SUMMARY: Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33744

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-33981
CVE STATUS: Patched
CVE SUMMARY: drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33981

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3424
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3424

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3435
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3435

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-34494
CVE STATUS: Patched
CVE SUMMARY: rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34494

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-34495
CVE STATUS: Patched
CVE SUMMARY: rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34495

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-34918
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34918

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3521
CVE STATUS: Patched
CVE SUMMARY: A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 2.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3521

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3523
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3523

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3524
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3524

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3526
CVE STATUS: Patched
CVE SUMMARY: A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function macvlan_handle_frame of the file drivers/net/macvlan.c of the component skb. The manipulation leads to memory leak. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211024.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3526

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3533
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been rated as problematic. This issue affects the function parse_usdt_arg of the file tools/lib/bpf/usdt.c of the component BPF. The manipulation of the argument reg_name leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211031.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3533

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3534
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3534

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3541
CVE STATUS: Patched
CVE SUMMARY: A vulnerability classified as critical has been found in Linux Kernel. This affects the function spl2sw_nvmem_get_mac_address of the file drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211041 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3541

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3543
CVE STATUS: Patched
CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211043.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3543

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3544
CVE STATUS: Patched
CVE SUMMARY: A vulnerability, which was classified as problematic, was found in Linux Kernel. Affected is the function damon_sysfs_add_target of the file mm/damon/sysfs.c of the component Netfilter. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211044.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3544

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3545
CVE STATUS: Patched
CVE SUMMARY: A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3545

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3564
CVE STATUS: Patched
CVE SUMMARY: A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3564

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3565
CVE STATUS: Patched
CVE SUMMARY: A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3565

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3566
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3566

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3567
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3567

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3577
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory write flaw was found in the Linux kernel’s Kid-friendly Wired Controller driver. This flaw allows a local user to crash or potentially escalate their privileges on the system. It is in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is incorrect assumption - bigben devices all have inputs. However, malicious devices can break this assumption, leaking to out-of-bound write.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3577

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3586
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3586

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3594
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3594

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3595
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been rated as problematic. Affected by this issue is the function sess_free_buffer of the file fs/cifs/sess.c of the component CIFS Handler. The manipulation leads to double free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211364.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3595

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3606
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3606

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-36123
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36123

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3619
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211918 is the identifier assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3619

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3621
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3621

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3623
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211921 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3623

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3624
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability was found in Linux Kernel and classified as problematic. Affected by this issue is the function rlb_arp_xmit of the file drivers/net/bonding/bond_alb.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211928.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3624

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3625
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3625

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3628
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs when a user connects to a malicious USB device. This can allow a local user to crash the system or escalate their privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3628

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-36280
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36280

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3629
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.
CVSS v2 BASE SCORE: 1.4
CVSS v3 BASE SCORE: 2.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:H/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3629

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3630
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been rated as problematic. This issue affects some unknown processing of the file fs/fscache/cookie.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211931.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.1
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3630

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3633
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function j1939_session_destroy of the file net/can/j1939/transport.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211932.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3633

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3635
CVE STATUS: Patched
CVE SUMMARY: A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3635

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3636
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability, which was classified as critical, was found in Linux Kernel. This affects the function __mtk_ppe_check_skb of the file drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet Handler. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211935.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3636

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3640
CVE STATUS: Patched
CVE SUMMARY: A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211944.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3640

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-36402
CVE STATUS: Unpatched
CVE SUMMARY: An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36402

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3643
CVE STATUS: Patched
CVE SUMMARY: Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3643

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3646
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3646

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3649
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3649

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-36879
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36879

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-36946
CVE STATUS: Patched
CVE SUMMARY: nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36946

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3707
CVE STATUS: Patched
CVE SUMMARY: A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3707

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-38096
CVE STATUS: Unpatched
CVE SUMMARY: A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-38096

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-38457
CVE STATUS: Patched
CVE SUMMARY: A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-38457

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3903
CVE STATUS: Patched
CVE SUMMARY: An incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3903

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3910
CVE STATUS: Patched
CVE SUMMARY: Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation.
When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately.

We recommend upgrading past commit  https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-39188
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39188

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-39189
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39189

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-39190
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39190

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-3977
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) functionality. This issue occurs when a user simultaneously calls DROPTAG ioctl and socket close happens, which could allow a local user to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3977

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-39842
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur. NOTE: the original discoverer disputes that the overflow can actually happen.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39842

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-40133
CVE STATUS: Patched
CVE SUMMARY: A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40133

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-40307
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40307

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-40476
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference issue was discovered in fs/io_uring.c in the Linux kernel before 5.15.62. A local user could use this flaw to crash the system or potentially cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40476

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-40768
CVE STATUS: Patched
CVE SUMMARY: drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40768

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4095
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-41218
CVE STATUS: Patched
CVE SUMMARY: In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41218

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-41222
CVE STATUS: Patched
CVE SUMMARY: mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41222

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4127
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference issue was discovered in the Linux kernel in io_files_update_with_index_alloc. A local user could use this flaw to potentially crash the system causing a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4127

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4139
CVE STATUS: Patched
CVE SUMMARY: An incorrect TLB flush issue was found in the Linux kernel’s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4139

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-41674
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41674

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-41848
CVE STATUS: Patched
CVE SUMMARY: drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.2
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-41849
CVE STATUS: Patched
CVE SUMMARY: drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.2
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41849

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-41850
CVE STATUS: Patched
CVE SUMMARY: roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-41858
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42328
CVE STATUS: Patched
CVE SUMMARY: Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42328

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42329
CVE STATUS: Patched
CVE SUMMARY: Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42329

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42432
CVE STATUS: Patched
CVE SUMMARY: This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel 6.0-rc2. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nft_osf_eval function. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-18540.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42432

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4269
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4269

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42703
CVE STATUS: Patched
CVE SUMMARY: mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42703

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42719
CVE STATUS: Patched
CVE SUMMARY: A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42719

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42720
CVE STATUS: Patched
CVE SUMMARY: Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42720

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42721
CVE STATUS: Patched
CVE SUMMARY: A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42721

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42722
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42722

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42895
CVE STATUS: Unpatched
CVE SUMMARY: There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely.
We recommend upgrading past commit  https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url 


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-42896
CVE STATUS: Patched
CVE SUMMARY: There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim.

We recommend upgrading past commit   https://www.google.com/url  https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4 https://www.google.com/url 


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42896

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-43750
CVE STATUS: Patched
CVE SUMMARY: drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43750

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4378
CVE STATUS: Patched
CVE SUMMARY: A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4378

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4379
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4379

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4382
CVE STATUS: Unpatched
CVE SUMMARY: A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4382

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-43945
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43945

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-44032
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44032

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-44033
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44033

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-44034
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44034

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4543
CVE STATUS: Unpatched
CVE SUMMARY: A flaw named "EntryBleed" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4543

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-45869
CVE STATUS: Patched
CVE SUMMARY: A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45869

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-45884
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-45885
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45885

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-45886
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45886

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-45887
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45887

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-45888
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45888

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-45919
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45919

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-45934
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4662
CVE STATUS: Patched
CVE SUMMARY: A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4662

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4696
CVE STATUS: Patched
CVE SUMMARY: There exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4696

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4744
CVE STATUS: Patched
CVE SUMMARY: A double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4744

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47518
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47518

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47519
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47519

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47520
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47520

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47521
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47521

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47929
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands. This affects qdisc_graft in net/sched/sch_api.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47929

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47938
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47938

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47939
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47939

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47940
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47940

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47941
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47941

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47942
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47942

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47943
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47943

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-47946
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47946

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-4842
CVE STATUS: Patched
CVE SUMMARY: A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4842

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48423
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48423

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48424
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48424

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48425
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48425

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48502
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48502

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48619
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/input/input.c in the Linux kernel before 5.17.10. An attacker can cause a denial of service (panic) because input_set_capability mishandles the situation in which an event code falls outside of a bitmap.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48619

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48626
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

moxart: fix potential use-after-free on remove path

It was reported that the mmc host structure could be accessed after it
was freed in moxart_remove(), so fix this by saving the base register of
the device and using it instead of the pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48626

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48654
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()

nf_osf_find() incorrectly returns true on mismatch, this leads to
copying uninitialized memory area in nft_osf which can be used to leak
stale kernel stack data to userspace.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48654

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48655
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Harden accesses to the reset domains

Accessing reset domains descriptors by the index upon the SCMI drivers
requests through the SCMI reset operations interface can potentially
lead to out-of-bound violations if the SCMI driver misbehave.

Add an internal consistency check before any such domains descriptors
accesses.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48655

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48656
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get()

We should call of_node_put() for the reference returned by
of_parse_phandle() in fail path or when it is not used anymore.
Here we only need to move the of_node_put() before the check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48656

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48657
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

arm64: topology: fix possible overflow in amu_fie_setup()

cpufreq_get_hw_max_freq() returns max frequency in kHz as *unsigned int*,
while freq_inv_set_max_ratio() gets passed this frequency in Hz as 'u64'.
Multiplying max frequency by 1000 can potentially result in overflow --
multiplying by 1000ULL instead should avoid that...

Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48657

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48658
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.

Commit 5a836bf6b09f ("mm: slub: move flush_cpu_slab() invocations
__free_slab() invocations out of IRQ context") moved all flush_cpu_slab()
invocations to the global workqueue to avoid a problem related
with deactivate_slab()/__free_slab() being called from an IRQ context
on PREEMPT_RT kernels.

When the flush_all_cpu_locked() function is called from a task context
it may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up
flushing the global workqueue, this will cause a dependency issue.

 workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]
   is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab
 WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637
   check_flush_dependency+0x10a/0x120
 Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]
 RIP: 0010:check_flush_dependency+0x10a/0x120[  453.262125] Call Trace:
 __flush_work.isra.0+0xbf/0x220
 ? __queue_work+0x1dc/0x420
 flush_all_cpus_locked+0xfb/0x120
 __kmem_cache_shutdown+0x2b/0x320
 kmem_cache_destroy+0x49/0x100
 bioset_exit+0x143/0x190
 blk_release_queue+0xb9/0x100
 kobject_cleanup+0x37/0x130
 nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]
 nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]

Fix this bug by creating a workqueue for the flush operation with
the WQ_MEM_RECLAIM bit set.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48658

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48659
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/slub: fix to return errno if kmalloc() fails

In create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to
out-of-memory, if it fails, return errno correctly rather than
triggering panic via BUG_ON();

kernel BUG at mm/slub.c:5893!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP

Call trace:
 sysfs_slab_add+0x258/0x260 mm/slub.c:5973
 __kmem_cache_create+0x60/0x118 mm/slub.c:4899
 create_cache mm/slab_common.c:229 [inline]
 kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335
 kmem_cache_create+0x1c/0x28 mm/slab_common.c:390
 f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]
 f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808
 f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149
 mount_bdev+0x1b8/0x210 fs/super.c:1400
 f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512
 legacy_get_tree+0x30/0x74 fs/fs_context.c:610
 vfs_get_tree+0x40/0x140 fs/super.c:1530
 do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
 path_mount+0x358/0x914 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48659

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48660
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gpiolib: cdev: Set lineevent_state::irq after IRQ register successfully

When running gpio test on nxp-ls1028 platform with below command
gpiomon --num-events=3 --rising-edge gpiochip1 25
There will be a warning trace as below:
Call trace:
free_irq+0x204/0x360
lineevent_free+0x64/0x70
gpio_ioctl+0x598/0x6a0
__arm64_sys_ioctl+0xb4/0x100
invoke_syscall+0x5c/0x130
......
el0t_64_sync+0x1a0/0x1a4
The reason of this issue is that calling request_threaded_irq()
function failed, and then lineevent_free() is invoked to release
the resource. Since the lineevent_state::irq was already set, so
the subsequent invocation of free_irq() would trigger the above
warning call trace. To fix this issue, set the lineevent_state::irq
after the IRQ register successfully.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48661
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gpio: mockup: Fix potential resource leakage when register a chip

If creation of software node fails, the locally allocated string
array is left unfreed. Free it on error path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48661

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48662
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: Really move i915_gem_context.link under ref protection

i915_perf assumes that it can use the i915_gem_context reference to
protect its i915->gem.contexts.list iteration. However, this requires
that we do not remove the context from the list until after we drop the
final reference and release the struct. If, as currently, we remove the
context from the list during context_close(), the link.next pointer may
be poisoned while we are holding the context reference and cause a GPF:

[ 4070.573157] i915 0000:00:02.0: [drm:i915_perf_open_ioctl [i915]] filtering on ctx_id=0x1fffff ctx_id_mask=0x1fffff
[ 4070.574881] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP
[ 4070.574897] CPU: 1 PID: 284392 Comm: amd_performance Tainted: G            E     5.17.9 #180
[ 4070.574903] Hardware name: Intel Corporation NUC7i5BNK/NUC7i5BNB, BIOS BNKBL357.86A.0052.2017.0918.1346 09/18/2017
[ 4070.574907] RIP: 0010:oa_configure_all_contexts.isra.0+0x222/0x350 [i915]
[ 4070.574982] Code: 08 e8 32 6e 10 e1 4d 8b 6d 50 b8 ff ff ff ff 49 83 ed 50 f0 41 0f c1 04 24 83 f8 01 0f 84 e3 00 00 00 85 c0 0f 8e fa 00 00 00 <49> 8b 45 50 48 8d 70 b0 49 8d 45 50 48 39 44 24 10 0f 85 34 fe ff
[ 4070.574990] RSP: 0018:ffffc90002077b78 EFLAGS: 00010202
[ 4070.574995] RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000000
[ 4070.575000] RDX: 0000000000000001 RSI: ffffc90002077b20 RDI: ffff88810ddc7c68
[ 4070.575004] RBP: 0000000000000001 R08: ffff888103242648 R09: fffffffffffffffc
[ 4070.575008] R10: ffffffff82c50bc0 R11: 0000000000025c80 R12: ffff888101bf1860
[ 4070.575012] R13: dead0000000000b0 R14: ffffc90002077c04 R15: ffff88810be5cabc
[ 4070.575016] FS:  00007f1ed50c0780(0000) GS:ffff88885ec80000(0000) knlGS:0000000000000000
[ 4070.575021] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4070.575025] CR2: 00007f1ed5590280 CR3: 000000010ef6f005 CR4: 00000000003706e0
[ 4070.575029] Call Trace:
[ 4070.575033]  <TASK>
[ 4070.575037]  lrc_configure_all_contexts+0x13e/0x150 [i915]
[ 4070.575103]  gen8_enable_metric_set+0x4d/0x90 [i915]
[ 4070.575164]  i915_perf_open_ioctl+0xbc0/0x1500 [i915]
[ 4070.575224]  ? asm_common_interrupt+0x1e/0x40
[ 4070.575232]  ? i915_oa_init_reg_state+0x110/0x110 [i915]
[ 4070.575290]  drm_ioctl_kernel+0x85/0x110
[ 4070.575296]  ? update_load_avg+0x5f/0x5e0
[ 4070.575302]  drm_ioctl+0x1d3/0x370
[ 4070.575307]  ? i915_oa_init_reg_state+0x110/0x110 [i915]
[ 4070.575382]  ? gen8_gt_irq_handler+0x46/0x130 [i915]
[ 4070.575445]  __x64_sys_ioctl+0x3c4/0x8d0
[ 4070.575451]  ? __do_softirq+0xaa/0x1d2
[ 4070.575456]  do_syscall_64+0x35/0x80
[ 4070.575461]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 4070.575467] RIP: 0033:0x7f1ed5c10397
[ 4070.575471] Code: 3c 1c e8 1c ff ff ff 85 c0 79 87 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a9 da 0d 00 f7 d8 64 89 01 48
[ 4070.575478] RSP: 002b:00007ffd65c8d7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 4070.575484] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f1ed5c10397
[ 4070.575488] RDX: 00007ffd65c8d7c0 RSI: 0000000040106476 RDI: 0000000000000006
[ 4070.575492] RBP: 00005620972f9c60 R08: 000000000000000a R09: 0000000000000005
[ 4070.575496] R10: 000000000000000d R11: 0000000000000246 R12: 000000000000000a
[ 4070.575500] R13: 000000000000000d R14: 0000000000000000 R15: 00007ffd65c8d7c0
[ 4070.575505]  </TASK>
[ 4070.575507] Modules linked in: nls_ascii(E) nls_cp437(E) vfat(E) fat(E) i915(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) crct10dif_pclmul(E) crc32_pclmul(E) crc32c_intel(E) aesni_intel(E) crypto_simd(E) intel_gtt(E) cryptd(E) ttm(E) rapl(E) intel_cstate(E) drm_kms_helper(E) cfbfillrect(E) syscopyarea(E) cfbimgblt(E) intel_uncore(E) sysfillrect(E) mei_me(E) sysimgblt(E) i2c_i801(E) fb_sys_fops(E) mei(E) intel_pch_thermal(E) i2c_smbus
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48662

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48670
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

peci: cpu: Fix use-after-free in adev_release()

When auxiliary_device_add() returns an error, auxiliary_device_uninit()
is called, which causes refcount for device to be decremented and
.release callback will be triggered.

Because adev_release() re-calls auxiliary_device_uninit(), it will cause
use-after-free:
[ 1269.455172] WARNING: CPU: 0 PID: 14267 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15
[ 1269.464007] refcount_t: underflow; use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48670

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48671
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()

syzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at
cpuset_attach() [1], for commit 4f7e7236435ca0ab ("cgroup: Fix
threadgroup_rwsem <-> cpus_read_lock() deadlock") missed that
cpuset_attach() is also called from cgroup_attach_task_all().
Add cpus_read_lock() like what cgroup_procs_write_start() does.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48671

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48672
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

of: fdt: fix off-by-one error in unflatten_dt_nodes()

Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
forgot to fix up the depth check in the loop body in unflatten_dt_nodes()
which makes it possible to overflow the nps[] buffer...

Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48672

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48673
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/smc: Fix possible access to freed memory in link clear

After modifying the QP to the Error state, all RX WR would be completed
with WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not
wait for it is done, but destroy the QP and free the link group directly.
So there is a risk that accessing the freed memory in tasklet context.

Here is a crash example:

 BUG: unable to handle page fault for address: ffffffff8f220860
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060
 Oops: 0002 [#1] SMP PTI
 CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S         OE     5.10.0-0607+ #23
 Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018
 RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0
 Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32
 RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086
 RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000
 RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00
 RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b
 R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010
 R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040
 FS:  0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <IRQ>
  _raw_spin_lock_irqsave+0x30/0x40
  mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]
  smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]
  tasklet_action_common.isra.21+0x66/0x100
  __do_softirq+0xd5/0x29c
  asm_call_irq_on_stack+0x12/0x20
  </IRQ>
  do_softirq_own_stack+0x37/0x40
  irq_exit_rcu+0x9d/0xa0
  sysvec_call_function_single+0x34/0x80
  asm_sysvec_call_function_single+0x12/0x20
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48673

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48674
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

erofs: fix pcluster use-after-free on UP platforms

During stress testing with CONFIG_SMP disabled, KASAN reports as below:

==================================================================
BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30
Read of size 8 at addr ffff8881094223f8 by task stress/7789

CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Call Trace:
 <TASK>
..
 __mutex_lock+0xe5/0xc30
..
 z_erofs_do_read_page+0x8ce/0x1560
..
 z_erofs_readahead+0x31c/0x580
..
Freed by task 7787
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x20/0x30
 kasan_set_free_info+0x20/0x40
 __kasan_slab_free+0x10c/0x190
 kmem_cache_free+0xed/0x380
 rcu_core+0x3d5/0xc90
 __do_softirq+0x12d/0x389

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x97/0xb0
 call_rcu+0x3d/0x3f0
 erofs_shrink_workstation+0x11f/0x210
 erofs_shrink_scan+0xdc/0x170
 shrink_slab.constprop.0+0x296/0x530
 drop_slab+0x1c/0x70
 drop_caches_sysctl_handler+0x70/0x80
 proc_sys_call_handler+0x20a/0x2f0
 vfs_write+0x555/0x6c0
 ksys_write+0xbe/0x160
 do_syscall_64+0x3b/0x90

The root cause is that erofs_workgroup_unfreeze() doesn't reset to
orig_val thus it causes a race that the pcluster reuses unexpectedly
before freeing.

Since UP platforms are quite rare now, such path becomes unnecessary.
Let's drop such specific-designed path directly instead.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48674

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48675
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

IB/core: Fix a nested dead lock as part of ODP flow

Fix a nested dead lock as part of ODP flow by using mmput_async().

From the below call trace [1] can see that calling mmput() once we have
the umem_odp->umem_mutex locked as required by
ib_umem_odp_map_dma_and_lock() might trigger in the same task the
exit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which
may dead lock when trying to lock the same mutex.

Moving to use mmput_async() will solve the problem as the above
exit_mmap() flow will be called in other task and will be executed once
the lock will be available.

[1]
[64843.077665] task:kworker/u133:2  state:D stack:    0 pid:80906 ppid:
2 flags:0x00004000
[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]
[64843.077719] Call Trace:
[64843.077722]  <TASK>
[64843.077724]  __schedule+0x23d/0x590
[64843.077729]  schedule+0x4e/0xb0
[64843.077735]  schedule_preempt_disabled+0xe/0x10
[64843.077740]  __mutex_lock.constprop.0+0x263/0x490
[64843.077747]  __mutex_lock_slowpath+0x13/0x20
[64843.077752]  mutex_lock+0x34/0x40
[64843.077758]  mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]
[64843.077808]  __mmu_notifier_release+0x1a4/0x200
[64843.077816]  exit_mmap+0x1bc/0x200
[64843.077822]  ? walk_page_range+0x9c/0x120
[64843.077828]  ? __cond_resched+0x1a/0x50
[64843.077833]  ? mutex_lock+0x13/0x40
[64843.077839]  ? uprobe_clear_state+0xac/0x120
[64843.077860]  mmput+0x5f/0x140
[64843.077867]  ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]
[64843.077931]  pagefault_real_mr+0x9a/0x140 [mlx5_ib]
[64843.077962]  pagefault_mr+0xb4/0x550 [mlx5_ib]
[64843.077992]  pagefault_single_data_segment.constprop.0+0x2ac/0x560
[mlx5_ib]
[64843.078022]  mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]
[64843.078051]  process_one_work+0x22b/0x3d0
[64843.078059]  worker_thread+0x53/0x410
[64843.078065]  ? process_one_work+0x3d0/0x3d0
[64843.078073]  kthread+0x12a/0x150
[64843.078079]  ? set_kthread_struct+0x50/0x50
[64843.078085]  ret_from_fork+0x22/0x30
[64843.078093]  </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48675

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48686
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix UAF when detecting digest errors

We should also bail from the io_work loop when we set rd_enabled to true,
so we don't attempt to read data from the socket when the TCP stream is
already out-of-sync or corrupted.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48686

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48687
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: sr: fix out-of-bounds read when setting HMAC data.

The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
Segment Routing Headers. This configuration is realised via netlink through
four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
length of the SECRET attribute, it is possible to provide invalid combinations
(e.g., secret = "", secretlen = 64). This case is not checked in the code and
with an appropriately crafted netlink message, an out-of-bounds read of up
to 64 bytes (max secret length) can occur past the skb end pointer and into
skb_shared_info:

Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
208		memcpy(hinfo->secret, secret, slen);
(gdb) bt
 #0  seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
 #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
    extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,
    family=<optimized out>) at net/netlink/genetlink.c:731
 #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,
    family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775
 #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
 #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>)
    at net/netlink/af_netlink.c:2501
 #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
 #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)
    at net/netlink/af_netlink.c:1319
 #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>)
    at net/netlink/af_netlink.c:1345
 #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921
...
(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
$1 = 0xffff88800b1b76c0
(gdb) p/x secret
$2 = 0xffff88800b1b76c0
(gdb) p slen
$3 = 64 '@'

The OOB data can then be read back from userspace by dumping HMAC state. This
commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
SECRET.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48687

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48688
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix kernel crash during module removal

The driver incorrectly frees client instance and subsequent
i40e module removal leads to kernel crash.

Reproducer:
1. Do ethtool offline test followed immediately by another one
host# ethtool -t eth0 offline; ethtool -t eth0 offline
2. Remove recursively irdma module that also removes i40e module
host# modprobe -r irdma

Result:
[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting
[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished
[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting
[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished
[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110
[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2
[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01
[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1
[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 8687.768755] #PF: supervisor read access in kernel mode
[ 8687.773895] #PF: error_code(0x0000) - not-present page
[ 8687.779034] PGD 0 P4D 0
[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G        W I        5.19.0+ #2
[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019
[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]
[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b
[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202
[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000
[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000
[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000
[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0
[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008
[ 8687.870342] FS:  00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000
[ 8687.878427] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0
[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 8687.905572] PKRU: 55555554
[ 8687.908286] Call Trace:
[ 8687.910737]  <TASK>
[ 8687.912843]  i40e_remove+0x2c0/0x330 [i40e]
[ 8687.917040]  pci_device_remove+0x33/0xa0
[ 8687.920962]  device_release_driver_internal+0x1aa/0x230
[ 8687.926188]  driver_detach+0x44/0x90
[ 8687.929770]  bus_remove_driver+0x55/0xe0
[ 8687.933693]  pci_unregister_driver+0x2a/0xb0
[ 8687.937967]  i40e_exit_module+0xc/0xf48 [i40e]

Two offline tests cause IRDMA driver failure (ETIMEDOUT) and this
failure is indicated back to i40e_client_subtask() that calls
i40e_client_del_instance() to free client instance referenced
by pf->cinst and sets this pointer to NULL. During the module
removal i40e_remove() calls i40e_lan_del_device() that dereferences
pf->cinst that is NULL -> crash.
Do not remove client instance when client open callbacks fails and
just clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs
to take care about this situation (when netdev is up and client
is NOT opened) in i40e_notify_client_of_netdev_close() and
calls client close callback only when __I40E_CLIENT_INSTANCE_OPENED
is set.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48688

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48689
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tcp: TX zerocopy should not sense pfmemalloc status

We got a recent syzbot report [1] showing a possible misuse
of pfmemalloc page status in TCP zerocopy paths.

Indeed, for pages coming from user space or other layers,
using page_is_pfmemalloc() is moot, and possibly could give
false positives.

There has been attempts to make page_is_pfmemalloc() more robust,
but not using it in the first place in this context is probably better,
removing cpu cycles.

Note to stable teams :

You need to backport 84ce071e38a6 ("net: introduce
__skb_fill_page_desc_noacc") as a prereq.

Race is more probable after commit c07aea3ef4d4
("mm: add a signature in struct page") because page_is_pfmemalloc()
is now using low order bit from page->lru.next, which can change
more often than page->index.

Low order bit should never be set for lru.next (when used as an anchor
in LRU list), so KCSAN report is mostly a false positive.

Backporting to older kernel versions seems not necessary.

[1]
BUG: KCSAN: data-race in lru_add_fn / tcp_build_frag

write to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:
__list_add include/linux/list.h:73 [inline]
list_add include/linux/list.h:88 [inline]
lruvec_add_folio include/linux/mm_inline.h:105 [inline]
lru_add_fn+0x440/0x520 mm/swap.c:228
folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246
folio_batch_add_and_move mm/swap.c:263 [inline]
folio_add_lru+0xf1/0x140 mm/swap.c:490
filemap_add_folio+0xf8/0x150 mm/filemap.c:948
__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981
pagecache_get_page+0x26/0x190 mm/folio-compat.c:104
grab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116
ext4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988
generic_perform_write+0x1d4/0x3f0 mm/filemap.c:3738
ext4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270
ext4_file_write_iter+0x2e3/0x1210
call_write_iter include/linux/fs.h:2187 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x468/0x760 fs/read_write.c:578
ksys_write+0xe8/0x1a0 fs/read_write.c:631
__do_sys_write fs/read_write.c:643 [inline]
__se_sys_write fs/read_write.c:640 [inline]
__x64_sys_write+0x3e/0x50 fs/read_write.c:640
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:
page_is_pfmemalloc include/linux/mm.h:1740 [inline]
__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]
skb_fill_page_desc include/linux/skbuff.h:2443 [inline]
tcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018
do_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075
tcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]
tcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150
inet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833
kernel_sendpage+0x184/0x300 net/socket.c:3561
sock_sendpage+0x5a/0x70 net/socket.c:1054
pipe_to_sendpage+0x128/0x160 fs/splice.c:361
splice_from_pipe_feed fs/splice.c:415 [inline]
__splice_from_pipe+0x222/0x4d0 fs/splice.c:559
splice_from_pipe fs/splice.c:594 [inline]
generic_splice_sendpage+0x89/0xc0 fs/splice.c:743
do_splice_from fs/splice.c:764 [inline]
direct_splice_actor+0x80/0xa0 fs/splice.c:931
splice_direct_to_actor+0x305/0x620 fs/splice.c:886
do_splice_direct+0xfb/0x180 fs/splice.c:974
do_sendfile+0x3bf/0x910 fs/read_write.c:1249
__do_sys_sendfile64 fs/read_write.c:1317 [inline]
__se_sys_sendfile64 fs/read_write.c:1303 [inline]
__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x0000000000000000 -> 0xffffea0004a1d288

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48689

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48691
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: clean up hook list when offload flags check fails

splice back the hook list so nft_chain_release_hook() has a chance to
release the hooks.

BUG: memory leak
unreferenced object 0xffff88810180b100 (size 96):
  comm "syz-executor133", pid 3619, jiffies 4294945714 (age 12.690s)
  hex dump (first 32 bytes):
    28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff  (d#.....(d#.....
    90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff  ................
  backtrace:
    [<ffffffff83a8c59b>] kmalloc include/linux/slab.h:600 [inline]
    [<ffffffff83a8c59b>] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901
    [<ffffffff83a9239a>] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]
    [<ffffffff83a9239a>] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073
    [<ffffffff83a9b14b>] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218
    [<ffffffff83a9c41b>] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593
    [<ffffffff83a3d6a6>] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517
    [<ffffffff83a3db79>] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]
    [<ffffffff83a3db79>] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656
    [<ffffffff83a13b17>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
    [<ffffffff83a13b17>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
    [<ffffffff83a13fd6>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
    [<ffffffff83865ab6>] sock_sendmsg_nosec net/socket.c:714 [inline]
    [<ffffffff83865ab6>] sock_sendmsg+0x56/0x80 net/socket.c:734
    [<ffffffff8386601c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482
    [<ffffffff8386a918>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536
    [<ffffffff8386aaa8>] __sys_sendmsg+0x88/0x100 net/socket.c:2565
    [<ffffffff845e5955>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845e5955>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48691

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48692
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/srp: Set scmnd->result only when scmnd is not NULL

This change fixes the following kernel NULL pointer dereference
which is reproduced by blktests srp/007 occasionally.

BUG: kernel NULL pointer dereference, address: 0000000000000170
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014
Workqueue:  0x0 (kblockd)
RIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]
Code: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9
RSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282
RAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000
RDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff
RBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001
R10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000
R13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0
Call Trace:
 <IRQ>
 __ib_process_cq+0xb7/0x280 [ib_core]
 ib_poll_handler+0x2b/0x130 [ib_core]
 irq_poll_softirq+0x93/0x150
 __do_softirq+0xee/0x4b8
 irq_exit_rcu+0xf7/0x130
 sysvec_apic_timer_interrupt+0x8e/0xc0
 </IRQ>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48692

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48693
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs

In brcmstb_pm_probe(), there are two kinds of leak bugs:

(1) we need to add of_node_put() when for_each__matching_node() breaks
(2) we need to add iounmap() for each iomap in fail path
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48693

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48694
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix drain SQ hang with no completion

SW generated completions for outstanding WRs posted on SQ
after QP is in error target the wrong CQ. This causes the
ib_drain_sq to hang with no completion.

Fix this to generate completions on the right CQ.

[  863.969340] INFO: task kworker/u52:2:671 blocked for more than 122 seconds.
[  863.979224]       Not tainted 5.14.0-130.el9.x86_64 #1
[  863.986588] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  863.996997] task:kworker/u52:2   state:D stack:    0 pid:  671 ppid:     2 flags:0x00004000
[  864.007272] Workqueue: xprtiod xprt_autoclose [sunrpc]
[  864.014056] Call Trace:
[  864.017575]  __schedule+0x206/0x580
[  864.022296]  schedule+0x43/0xa0
[  864.026736]  schedule_timeout+0x115/0x150
[  864.032185]  __wait_for_common+0x93/0x1d0
[  864.037717]  ? usleep_range_state+0x90/0x90
[  864.043368]  __ib_drain_sq+0xf6/0x170 [ib_core]
[  864.049371]  ? __rdma_block_iter_next+0x80/0x80 [ib_core]
[  864.056240]  ib_drain_sq+0x66/0x70 [ib_core]
[  864.062003]  rpcrdma_xprt_disconnect+0x82/0x3b0 [rpcrdma]
[  864.069365]  ? xprt_prepare_transmit+0x5d/0xc0 [sunrpc]
[  864.076386]  xprt_rdma_close+0xe/0x30 [rpcrdma]
[  864.082593]  xprt_autoclose+0x52/0x100 [sunrpc]
[  864.088718]  process_one_work+0x1e8/0x3c0
[  864.094170]  worker_thread+0x50/0x3b0
[  864.099109]  ? rescuer_thread+0x370/0x370
[  864.104473]  kthread+0x149/0x170
[  864.109022]  ? set_kthread_struct+0x40/0x40
[  864.114713]  ret_from_fork+0x22/0x30
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48694

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48718
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm: mxsfb: Fix NULL pointer dereference

mxsfb should not ever dereference the NULL pointer which
drm_atomic_get_new_bridge_state is allowed to return.
Assume a fixed format instead.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48718

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48719
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work

syzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]:

  kworker/0:16/14617 is trying to acquire lock:
  ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652
  [...]
  but task is already holding lock:
  ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572

The neighbor entry turned to NUD_FAILED state, where __neigh_event_send()
triggered an immediate probe as per commit cd28ca0a3dd1 ("neigh: reduce
arp latency") via neigh_probe() given table lock was held.

One option to fix this situation is to defer the neigh_probe() back to
the neigh_timer_handler() similarly as pre cd28ca0a3dd1. For the case
of NTF_MANAGED, this deferral is acceptable given this only happens on
actual failure state and regular / expected state is NUD_VALID with the
entry already present.

The fix adds a parameter to __neigh_event_send() in order to communicate
whether immediate probe is allowed or disallowed. Existing call-sites
of neigh_event_send() default as-is to immediate probe. However, the
neigh_managed_work() disables it via use of neigh_event_send_probe().

[0] <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
  print_deadlock_bug kernel/locking/lockdep.c:2956 [inline]
  check_deadlock kernel/locking/lockdep.c:2999 [inline]
  validate_chain kernel/locking/lockdep.c:3788 [inline]
  __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027
  lock_acquire kernel/locking/lockdep.c:5639 [inline]
  lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604
  __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline]
  _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334
  ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652
  ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123
  __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
  __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170
  ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201
  NF_HOOK_COND include/linux/netfilter.h:296 [inline]
  ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224
  dst_output include/net/dst.h:451 [inline]
  NF_HOOK include/linux/netfilter.h:307 [inline]
  ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508
  ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650
  ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c:742
  neigh_probe+0xc2/0x110 net/core/neighbour.c:1040
  __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201
  neigh_event_send include/net/neighbour.h:470 [inline]
  neigh_managed_work+0x162/0x250 net/core/neighbour.c:1574
  process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
  worker_thread+0x657/0x1110 kernel/workqueue.c:2454
  kthread+0x2e9/0x3a0 kernel/kthread.c:377
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
  </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48719

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48723
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: uniphier: fix reference count leak in uniphier_spi_probe()

The issue happens in several error paths in uniphier_spi_probe().
When either dma_get_slave_caps() or devm_spi_register_master() returns
an error code, the function forgets to decrease the refcount of both
`dma_rx` and `dma_tx` objects, which may lead to refcount leaks.

Fix it by decrementing the reference count of specific objects in
those error paths.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48723

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48724
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping()

After commit e3beca48a45b ("irqdomain/treewide: Keep firmware node
unconditionally allocated"). For tear down scenario, fn is only freed
after fail to allocate ir_domain, though it also should be freed in case
dmar_enable_qi returns error.

Besides free fn, irq_domain and ir_msi_domain need to be removed as well
if intel_setup_irq_remapping fails to enable queued invalidation.

Improve the rewinding path by add out_free_ir_domain and out_free_fwnode
lables per Baolu's suggestion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48724

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48725
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix refcounting leak in siw_create_qp()

The atomic_inc() needs to be paired with an atomic_dec() on the error
path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48725

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48726
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/ucma: Protect mc during concurrent multicast leaves

Partially revert the commit mentioned in the Fixes line to make sure that
allocation and erasing multicast struct are locked.

  BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
  BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
  Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529
  CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
   print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
   __kasan_report mm/kasan/report.c:433 [inline]
   kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
   ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
   ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579
   ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614
   ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732
   vfs_write+0x28e/0xae0 fs/read_write.c:588
   ksys_write+0x1ee/0x250 fs/read_write.c:643
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Currently the xarray search can touch a concurrently freeing mc as the
xa_for_each() is not surrounded by any lock. Rather than hold the lock for
a full scan hold it only for the effected items, which is usually an empty
list.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48726

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48728
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix AIP early init panic

An early failure in hfi1_ipoib_setup_rn() can lead to the following panic:

  BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0
  PGD 0 P4D 0
  Oops: 0002 [#1] SMP NOPTI
  Workqueue: events work_for_cpu_fn
  RIP: 0010:try_to_grab_pending+0x2b/0x140
  Code: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 44 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 <f0> 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c
  RSP: 0018:ffffb6b3cf7cfa48 EFLAGS: 00010046
  RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000
  RDX: 0000000000000246 RSI: 0000000000000000 RDI: 00000000000001b0
  RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001
  R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
  R13: ffffb6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690
  FS:  0000000000000000(0000) GS:ffff8a527f400000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000000001b0 CR3: 00000017e2410003 CR4: 00000000007706f0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   __cancel_work_timer+0x42/0x190
   ? dev_printk_emit+0x4e/0x70
   iowait_cancel_work+0x15/0x30 [hfi1]
   hfi1_ipoib_txreq_deinit+0x5a/0x220 [hfi1]
   ? dev_err+0x6c/0x90
   hfi1_ipoib_netdev_dtor+0x15/0x30 [hfi1]
   hfi1_ipoib_setup_rn+0x10e/0x150 [hfi1]
   rdma_init_netdev+0x5a/0x80 [ib_core]
   ? hfi1_ipoib_free_rdma_netdev+0x20/0x20 [hfi1]
   ipoib_intf_init+0x6c/0x350 [ib_ipoib]
   ipoib_intf_alloc+0x5c/0xc0 [ib_ipoib]
   ipoib_add_one+0xbe/0x300 [ib_ipoib]
   add_client_context+0x12c/0x1a0 [ib_core]
   enable_device_and_get+0xdc/0x1d0 [ib_core]
   ib_register_device+0x572/0x6b0 [ib_core]
   rvt_register_device+0x11b/0x220 [rdmavt]
   hfi1_register_ib_device+0x6b4/0x770 [hfi1]
   do_init_one.isra.20+0x3e3/0x680 [hfi1]
   local_pci_probe+0x41/0x90
   work_for_cpu_fn+0x16/0x20
   process_one_work+0x1a7/0x360
   ? create_worker+0x1a0/0x1a0
   worker_thread+0x1cf/0x390
   ? create_worker+0x1a0/0x1a0
   kthread+0x116/0x130
   ? kthread_flush_work_fn+0x10/0x10
   ret_from_fork+0x1f/0x40

The panic happens in hfi1_ipoib_txreq_deinit() because there is a NULL
deref when hfi1_ipoib_netdev_dtor() is called in this error case.

hfi1_ipoib_txreq_init() and hfi1_ipoib_rxq_init() are self unwinding so
fix by adjusting the error paths accordingly.

Other changes:
- hfi1_ipoib_free_rdma_netdev() is deleted including the free_netdev()
  since the netdev core code deletes calls free_netdev()
- The switch to the accelerated entrances is moved to the success path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48728

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48729
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix panic with larger ipoib send_queue_size

When the ipoib send_queue_size is increased from the default the following
panic happens:

  RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1]
  Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 <c7> 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0
  RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286
  RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f
  RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
  RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101
  R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200
  R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001
  FS:  00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0
  Call Trace:
   <TASK>
   hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1]
   hfi1_ipoib_dev_stop+0x18/0x80 [hfi1]
   ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib]
   ipoib_stop+0x48/0xc0 [ib_ipoib]
   __dev_close_many+0x9e/0x110
   __dev_change_flags+0xd9/0x210
   dev_change_flags+0x21/0x60
   do_setlink+0x31c/0x10f0
   ? __nla_validate_parse+0x12d/0x1a0
   ? __nla_parse+0x21/0x30
   ? inet6_validate_link_af+0x5e/0xf0
   ? cpumask_next+0x1f/0x20
   ? __snmp6_fill_stats64.isra.53+0xbb/0x140
   ? __nla_validate_parse+0x47/0x1a0
   __rtnl_newlink+0x530/0x910
   ? pskb_expand_head+0x73/0x300
   ? __kmalloc_node_track_caller+0x109/0x280
   ? __nla_put+0xc/0x20
   ? cpumask_next_and+0x20/0x30
   ? update_sd_lb_stats.constprop.144+0xd3/0x820
   ? _raw_spin_unlock_irqrestore+0x25/0x37
   ? __wake_up_common_lock+0x87/0xc0
   ? kmem_cache_alloc_trace+0x3d/0x3d0
   rtnl_newlink+0x43/0x60

The issue happens when the shift that should have been a function of the
txq item size mistakenly used the ring size.

Fix by using the item size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48729

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48732
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix off by one in BIOS boundary checking

Bounds checking when parsing init scripts embedded in the BIOS reject
access to the last byte. This causes driver initialization to fail on
Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working
console.

This is probably only seen on OpenFirmware machines like PowerPC Macs
because the BIOS image provided by OF is only the used parts of the ROM,
not a power-of-two blocks read from PCI directly so PCs always have
empty bytes at the end that are never accessed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48732

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48733
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free after failure to create a snapshot

At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and
then attach it to the transaction's list of pending snapshots. After that
we call btrfs_commit_transaction(), and if that returns an error we jump
to 'fail' label, where we kfree() the pending snapshot structure. This can
result in a later use-after-free of the pending snapshot:

1) We allocated the pending snapshot and added it to the transaction's
   list of pending snapshots;

2) We call btrfs_commit_transaction(), and it fails either at the first
   call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().
   In both cases, we don't abort the transaction and we release our
   transaction handle. We jump to the 'fail' label and free the pending
   snapshot structure. We return with the pending snapshot still in the
   transaction's list;

3) Another task commits the transaction. This time there's no error at
   all, and then during the transaction commit it accesses a pointer
   to the pending snapshot structure that the snapshot creation task
   has already freed, resulting in a user-after-free.

This issue could actually be detected by smatch, which produced the
following warning:

  fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list

So fix this by not having the snapshot creation ioctl directly add the
pending snapshot to the transaction's list. Instead add the pending
snapshot to the transaction handle, and then at btrfs_commit_transaction()
we add the snapshot to the list only when we can guarantee that any error
returned after that point will result in a transaction abort, in which
case the ioctl code can safely free the pending snapshot and no one can
access it anymore.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48733

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48734
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix deadlock between quota disable and qgroup rescan worker

Quota disable ioctl starts a transaction before waiting for the qgroup
rescan worker completes. However, this wait can be infinite and results
in deadlock because of circular dependency among the quota disable
ioctl, the qgroup rescan worker and the other task with transaction such
as block group relocation task.

The deadlock happens with the steps following:

1) Task A calls ioctl to disable quota. It starts a transaction and
   waits for qgroup rescan worker completes.
2) Task B such as block group relocation task starts a transaction and
   joins to the transaction that task A started. Then task B commits to
   the transaction. In this commit, task B waits for a commit by task A.
3) Task C as the qgroup rescan worker starts its job and starts a
   transaction. In this transaction start, task C waits for completion
   of the transaction that task A started and task B committed.

This deadlock was found with fstests test case btrfs/115 and a zoned
null_blk device. The test case enables and disables quota, and the
block group reclaim was triggered during the quota disable by chance.
The deadlock was also observed by running quota enable and disable in
parallel with 'btrfs balance' command on regular null_blk devices.

An example report of the deadlock:

  [372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds.
  [372.479944]       Not tainted 5.16.0-rc8 #7
  [372.485067] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [372.493898] task:kworker/u16:6   state:D stack:    0 pid:  103 ppid:     2 flags:0x00004000
  [372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs]
  [372.510782] Call Trace:
  [372.514092]  <TASK>
  [372.521684]  __schedule+0xb56/0x4850
  [372.530104]  ? io_schedule_timeout+0x190/0x190
  [372.538842]  ? lockdep_hardirqs_on+0x7e/0x100
  [372.547092]  ? _raw_spin_unlock_irqrestore+0x3e/0x60
  [372.555591]  schedule+0xe0/0x270
  [372.561894]  btrfs_commit_transaction+0x18bb/0x2610 [btrfs]
  [372.570506]  ? btrfs_apply_pending_changes+0x50/0x50 [btrfs]
  [372.578875]  ? free_unref_page+0x3f2/0x650
  [372.585484]  ? finish_wait+0x270/0x270
  [372.591594]  ? release_extent_buffer+0x224/0x420 [btrfs]
  [372.599264]  btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs]
  [372.607157]  ? lock_release+0x3a9/0x6d0
  [372.613054]  ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs]
  [372.620960]  ? do_raw_spin_lock+0x11e/0x250
  [372.627137]  ? rwlock_bug.part.0+0x90/0x90
  [372.633215]  ? lock_is_held_type+0xe4/0x140
  [372.639404]  btrfs_work_helper+0x1ae/0xa90 [btrfs]
  [372.646268]  process_one_work+0x7e9/0x1320
  [372.652321]  ? lock_release+0x6d0/0x6d0
  [372.658081]  ? pwq_dec_nr_in_flight+0x230/0x230
  [372.664513]  ? rwlock_bug.part.0+0x90/0x90
  [372.670529]  worker_thread+0x59e/0xf90
  [372.676172]  ? process_one_work+0x1320/0x1320
  [372.682440]  kthread+0x3b9/0x490
  [372.687550]  ? _raw_spin_unlock_irq+0x24/0x50
  [372.693811]  ? set_kthread_struct+0x100/0x100
  [372.700052]  ret_from_fork+0x22/0x30
  [372.705517]  </TASK>
  [372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds.
  [372.729827]       Not tainted 5.16.0-rc8 #7
  [372.745907] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  [372.767106] task:btrfs-transacti state:D stack:    0 pid: 2347 ppid:     2 flags:0x00004000
  [372.787776] Call Trace:
  [372.801652]  <TASK>
  [372.812961]  __schedule+0xb56/0x4850
  [372.830011]  ? io_schedule_timeout+0x190/0x190
  [372.852547]  ? lockdep_hardirqs_on+0x7e/0x100
  [372.871761]  ? _raw_spin_unlock_irqrestore+0x3e/0x60
  [372.886792]  schedule+0xe0/0x270
  [372.901685]  wait_current_trans+0x22c/0x310 [btrfs]
  [372.919743]  ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs]
  [372.938923]  ? finish_wait+0x270/0x270
  [372.959085]  ? join_transaction+0xc7
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48734

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48735
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: hda: Fix UAF of leds class devs at unbinding

The LED class devices that are created by HD-audio codec drivers are
registered via devm_led_classdev_register() and associated with the
HD-audio codec device.  Unfortunately, it turned out that the devres
release doesn't work for this case; namely, since the codec resource
release happens before the devm call chain, it triggers a NULL
dereference or a UAF for a stale set_brightness_delay callback.

For fixing the bug, this patch changes the LED class device register
and unregister in a manual manner without devres, keeping the
instances in hda_gen_spec.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48735

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48740
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

selinux: fix double free of cond_list on error paths

On error path from cond_read_list() and duplicate_policydb_cond_list()
the cond_list_destroy() gets called a second time in caller functions,
resulting in NULL pointer deref.  Fix this by resetting the
cond_list_len to 0 in cond_list_destroy(), making subsequent calls a
noop.

Also consistently reset the cond_list pointer to NULL after freeing.

[PM: fix line lengths in the description]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48740

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48741
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ovl: fix NULL pointer dereference in copy up warning

This patch is fixing a NULL pointer dereference to get a recently
introduced warning message working.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48742
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()

While looking at one unrelated syzbot bug, I found the replay logic
in __rtnl_newlink() to potentially trigger use-after-free.

It is better to clear master_dev and m_ops inside the loop,
in case we have to replay it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48742

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48743
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: amd-xgbe: Fix skb data length underflow

There will be BUG_ON() triggered in include/linux/skbuff.h leading to
intermittent kernel panic, when the skb length underflow is detected.

Fix this by dropping the packet if such length underflows are seen
because of inconsistencies in the hardware descriptors.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48743

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48749
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc

The function performs a check on the "ctx" input parameter, however, it
is used before the check.

Initialize the "base" variable after the sanity check to avoid a
possible NULL pointer dereference.

Addresses-Coverity-ID: 1493866 ("Null pointer dereference")
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48749

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48750
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (nct6775) Fix crash in clear_caseopen

Paweł Marciniak reports the following crash, observed when clearing
the chassis intrusion alarm.

BUG: kernel NULL pointer dereference, address: 0000000000000028
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 4815 Comm: bash Tainted: G S                5.16.2-200.fc35.x86_64 #1
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P2.60A 05/03/2018
RIP: 0010:clear_caseopen+0x5a/0x120 [nct6775]
Code: 68 70 e8 e9 32 b1 e3 85 c0 0f 85 d2 00 00 00 48 83 7c 24 ...
RSP: 0018:ffffabcb02803dd8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff8e8808192880 RSI: 0000000000000000 RDI: ffff8e87c7509a68
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000000a
R10: 000000000000000a R11: f000000000000000 R12: 000000000000001f
R13: ffff8e87c7509828 R14: ffff8e87c7509a68 R15: ffff8e88494527a0
FS:  00007f4db9151740(0000) GS:ffff8e8ebfec0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000166b66001 CR4: 00000000001706e0
Call Trace:
 <TASK>
 kernfs_fop_write_iter+0x11c/0x1b0
 new_sync_write+0x10b/0x180
 vfs_write+0x209/0x2a0
 ksys_write+0x4f/0xc0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The problem is that the device passed to clear_caseopen() is the hwmon
device, not the platform device, and the platform data is not set in the
hwmon device. Store the pointer to sio_data in struct nct6775_data and
get if from there if needed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48750

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48753
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block: fix memory leak in disk_register_independent_access_ranges

kobject_init_and_add() takes reference even when it fails.
According to the doc of kobject_init_and_add()

   If this function returns an error, kobject_put() must be called to
   properly clean up the memory associated with the object.

Fix this issue by adding kobject_put().
Callback function blk_ia_ranges_sysfs_release() in kobject_put()
can handle the pointer "iars" properly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48753

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48756
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable

The function performs a check on the "phy" input parameter, however, it
is used before the check.

Initialize the "dev" variable after the sanity check to avoid a possible
NULL pointer dereference.

Addresses-Coverity-ID: 1493860 ("Null pointer dereference")
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48756

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48768
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing/histogram: Fix a potential memory leak for kstrdup()

kfree() is missing on an error path to free the memory allocated by
kstrdup():

  p = param = kstrdup(data->params[i], GFP_KERNEL);

So it is better to free it via kfree(p).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48768

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48772
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: lgdt3306a: Add a check against null-pointer-def

The driver should check whether the client provides the platform_data.

The following log reveals it:

[   29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40
[   29.610730] Read of size 40 at addr 0000000000000000 by task bash/414
[   29.612820] Call Trace:
[   29.613030]  <TASK>
[   29.613201]  dump_stack_lvl+0x56/0x6f
[   29.613496]  ? kmemdup+0x30/0x40
[   29.613754]  print_report.cold+0x494/0x6b7
[   29.614082]  ? kmemdup+0x30/0x40
[   29.614340]  kasan_report+0x8a/0x190
[   29.614628]  ? kmemdup+0x30/0x40
[   29.614888]  kasan_check_range+0x14d/0x1d0
[   29.615213]  memcpy+0x20/0x60
[   29.615454]  kmemdup+0x30/0x40
[   29.615700]  lgdt3306a_probe+0x52/0x310
[   29.616339]  i2c_device_probe+0x951/0xa90
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48772

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48773
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create

If there are failures then we must not leave the non-NULL pointers with
the error value, otherwise `rpcrdma_ep_destroy` gets confused and tries
free them, resulting in an Oops.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48773

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48775
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Drivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj

kobject_init_and_add() takes reference even when it fails.
According to the doc of kobject_init_and_add()：

   If this function returns an error, kobject_put() must be called to
   properly clean up the memory associated with the object.

Fix memory leak by calling kobject_put().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48775

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48777
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mtd: parsers: qcom: Fix kernel panic on skipped partition

In the event of a skipped partition (case when the entry name is empty)
the kernel panics in the cleanup function as the name entry is NULL.
Rework the parser logic by first checking the real partition number and
then allocate the space and set the data for the valid partitions.

The logic was also fundamentally wrong as with a skipped partition, the
parts number returned was incorrect by not decreasing it for the skipped
partitions.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48777

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48778
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: gpmi: don't leak PM reference in error path

If gpmi_nfc_apply_timings() fails, the PM runtime usage counter must be
dropped.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48778

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48779
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: mscc: ocelot: fix use-after-free in ocelot_vlan_del()

ocelot_vlan_member_del() will free the struct ocelot_bridge_vlan, so if
this is the same as the port's pvid_vlan which we access afterwards,
what we're accessing is freed memory.

Fix the bug by determining whether to clear ocelot_port->pvid_vlan prior
to calling ocelot_vlan_member_del().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48779

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48781
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - get rid of alg_memory_allocated

alg_memory_allocated does not seem to be really used.

alg_proto does have a .memory_allocated field, but no
corresponding .sysctl_mem.

This means sk_has_account() returns true, but all sk_prot_mem_limits()
users will trigger a NULL dereference [1].

THis was not a problem until SO_RESERVE_MEM addition.

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]
RIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000
Code: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48
RSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120
RBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025
R10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840
R13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001
FS:  0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446
 __sys_setsockopt+0x5af/0x980 net/socket.c:2176
 __do_sys_setsockopt net/socket.c:2191 [inline]
 __se_sys_setsockopt net/socket.c:2188 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc7440fddc9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9
RDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990
R10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c
R13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]
RIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000
Code: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48
RSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120
RBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025
R10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840
R13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001
FS:  0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48781

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48782
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mctp: fix use after free

Clang static analysis reports this problem
route.c:425:4: warning: Use of memory after it is freed
  trace_mctp_key_acquire(key);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~
When mctp_key_add() fails, key is freed but then is later
used in trace_mctp_key_acquire().  Add an else statement
to use the key only when mctp_key_add() is successful.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48782

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48783
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: lantiq_gswip: fix use after free in gswip_remove()

of_node_put(priv->ds->slave_mii_bus->dev.of_node) should be
done before mdiobus_free(priv->ds->slave_mii_bus).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48783

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48787
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iwlwifi: fix use-after-free

If no firmware was present at all (or, presumably, all of the
firmware files failed to parse), we end up unbinding by calling
device_release_driver(), which calls remove(), which then in
iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However
the new code I added will still erroneously access it after it
was freed.

Set 'failure=false' in this case to avoid the access, all data
was already freed anyway.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48787

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48788
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvme-rdma: fix possible use-after-free in transport error_recovery work

While nvme_rdma_submit_async_event_work is checking the ctrl and queue
state before preparing the AER command and scheduling io_work, in order
to fully prevent a race where this check is not reliable the error
recovery work must flush async_event_work before continuing to destroy
the admin queue after setting the ctrl state to RESETTING such that
there is no race .submit_async_event and the error recovery handler
itself changing the ctrl state.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48788

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48789
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix possible use-after-free in transport error_recovery work

While nvme_tcp_submit_async_event_work is checking the ctrl and queue
state before preparing the AER command and scheduling io_work, in order
to fully prevent a race where this check is not reliable the error
recovery work must flush async_event_work before continuing to destroy
the admin queue after setting the ctrl state to RESETTING such that
there is no race .submit_async_event and the error recovery handler
itself changing the ctrl state.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48789

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48790
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvme: fix a possible use-after-free in controller reset during load

Unlike .queue_rq, in .submit_async_event drivers may not check the ctrl
readiness for AER submission. This may lead to a use-after-free
condition that was observed with nvme-tcp.

The race condition may happen in the following scenario:
1. driver executes its reset_ctrl_work
2. -> nvme_stop_ctrl - flushes ctrl async_event_work
3. ctrl sends AEN which is received by the host, which in turn
   schedules AEN handling
4. teardown admin queue (which releases the queue socket)
5. AEN processed, submits another AER, calling the driver to submit
6. driver attempts to send the cmd
==> use-after-free

In order to fix that, add ctrl state check to validate the ctrl
is actually able to accept the AER submission.

This addresses the above race in controller resets because the driver
during teardown should:
1. change ctrl state to RESETTING
2. flush async_event_work (as well as other async work elements)

So after 1,2, any other AER command will find the
ctrl state to be RESETTING and bail out without submitting the AER.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48790

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48791
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free for aborted TMF sas_task

Currently a use-after-free may occur if a TMF sas_task is aborted before we
handle the IO completion in mpi_ssp_completion(). The abort occurs due to
timeout.

When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the
sas_task is freed in pm8001_exec_internal_tmf_task().

However, if the I/O completion occurs later, the I/O completion still
thinks that the sas_task is available. Fix this by clearing the ccb->task
if the TMF times out - the I/O completion handler does nothing if this
pointer is cleared.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48791

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48792
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task

Currently a use-after-free may occur if a sas_task is aborted by the upper
layer before we handle the I/O completion in mpi_ssp_completion() or
mpi_sata_completion().

In this case, the following are the two steps in handling those I/O
completions:

 - Call complete() to inform the upper layer handler of completion of
   the I/O.

 - Release driver resources associated with the sas_task in
   pm8001_ccb_task_free() call.

When complete() is called, the upper layer may free the sas_task. As such,
we should not touch the associated sas_task afterwards, but we do so in the
pm8001_ccb_task_free() call.

Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48792

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48793
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: nSVM: fix potential NULL derefernce on nested migration

Turns out that due to review feedback and/or rebases
I accidentally moved the call to nested_svm_load_cr3 to be too early,
before the NPT is enabled, which is very wrong to do.

KVM can't even access guest memory at that point as nested NPT
is needed for that, and of course it won't initialize the walk_mmu,
which is main issue the patch was addressing.

Fix this for real.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48793

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48796
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix potential use-after-free during probe

Kasan has reported the following use after free on dev->iommu.
when a device probe fails and it is in process of freeing dev->iommu
in dev_iommu_free function, a deferred_probe_work_func runs in parallel
and tries to access dev->iommu->fwspec in of_iommu_configure path thus
causing use after free.

BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4
Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153

Workqueue: events_unbound deferred_probe_work_func
Call trace:
 dump_backtrace+0x0/0x33c
 show_stack+0x18/0x24
 dump_stack_lvl+0x16c/0x1e0
 print_address_description+0x84/0x39c
 __kasan_report+0x184/0x308
 kasan_report+0x50/0x78
 __asan_load8+0xc0/0xc4
 of_iommu_configure+0xb4/0x4a4
 of_dma_configure_id+0x2fc/0x4d4
 platform_dma_configure+0x40/0x5c
 really_probe+0x1b4/0xb74
 driver_probe_device+0x11c/0x228
 __device_attach_driver+0x14c/0x304
 bus_for_each_drv+0x124/0x1b0
 __device_attach+0x25c/0x334
 device_initial_probe+0x24/0x34
 bus_probe_device+0x78/0x134
 deferred_probe_work_func+0x130/0x1a8
 process_one_work+0x4c8/0x970
 worker_thread+0x5c8/0xaec
 kthread+0x1f8/0x220
 ret_from_fork+0x10/0x18

Allocated by task 1:
 ____kasan_kmalloc+0xd4/0x114
 __kasan_kmalloc+0x10/0x1c
 kmem_cache_alloc_trace+0xe4/0x3d4
 __iommu_probe_device+0x90/0x394
 probe_iommu_group+0x70/0x9c
 bus_for_each_dev+0x11c/0x19c
 bus_iommu_probe+0xb8/0x7d4
 bus_set_iommu+0xcc/0x13c
 arm_smmu_bus_init+0x44/0x130 [arm_smmu]
 arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
 platform_drv_probe+0xe4/0x13c
 really_probe+0x2c8/0xb74
 driver_probe_device+0x11c/0x228
 device_driver_attach+0xf0/0x16c
 __driver_attach+0x80/0x320
 bus_for_each_dev+0x11c/0x19c
 driver_attach+0x38/0x48
 bus_add_driver+0x1dc/0x3a4
 driver_register+0x18c/0x244
 __platform_driver_register+0x88/0x9c
 init_module+0x64/0xff4 [arm_smmu]
 do_one_initcall+0x17c/0x2f0
 do_init_module+0xe8/0x378
 load_module+0x3f80/0x4a40
 __se_sys_finit_module+0x1a0/0x1e4
 __arm64_sys_finit_module+0x44/0x58
 el0_svc_common+0x100/0x264
 do_el0_svc+0x38/0xa4
 el0_svc+0x20/0x30
 el0_sync_handler+0x68/0xac
 el0_sync+0x160/0x180

Freed by task 1:
 kasan_set_track+0x4c/0x84
 kasan_set_free_info+0x28/0x4c
 ____kasan_slab_free+0x120/0x15c
 __kasan_slab_free+0x18/0x28
 slab_free_freelist_hook+0x204/0x2fc
 kfree+0xfc/0x3a4
 __iommu_probe_device+0x284/0x394
 probe_iommu_group+0x70/0x9c
 bus_for_each_dev+0x11c/0x19c
 bus_iommu_probe+0xb8/0x7d4
 bus_set_iommu+0xcc/0x13c
 arm_smmu_bus_init+0x44/0x130 [arm_smmu]
 arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
 platform_drv_probe+0xe4/0x13c
 really_probe+0x2c8/0xb74
 driver_probe_device+0x11c/0x228
 device_driver_attach+0xf0/0x16c
 __driver_attach+0x80/0x320
 bus_for_each_dev+0x11c/0x19c
 driver_attach+0x38/0x48
 bus_add_driver+0x1dc/0x3a4
 driver_register+0x18c/0x244
 __platform_driver_register+0x88/0x9c
 init_module+0x64/0xff4 [arm_smmu]
 do_one_initcall+0x17c/0x2f0
 do_init_module+0xe8/0x378
 load_module+0x3f80/0x4a40
 __se_sys_finit_module+0x1a0/0x1e4
 __arm64_sys_finit_module+0x44/0x58
 el0_svc_common+0x100/0x264
 do_el0_svc+0x38/0xa4
 el0_svc+0x20/0x30
 el0_sync_handler+0x68/0xac
 el0_sync+0x160/0x180

Fix this by setting dev->iommu to NULL first and
then freeing dev_iommu structure in dev_iommu_free
function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48796

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48800
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: vmscan: remove deadlock due to throttling failing to make progress

A soft lockup bug in kcompactd was reported in a private bugzilla with
the following visible in dmesg;

  watchdog: BUG: soft lockup - CPU#33 stuck for 26s! [kcompactd0:479]
  watchdog: BUG: soft lockup - CPU#33 stuck for 52s! [kcompactd0:479]
  watchdog: BUG: soft lockup - CPU#33 stuck for 78s! [kcompactd0:479]
  watchdog: BUG: soft lockup - CPU#33 stuck for 104s! [kcompactd0:479]

The machine had 256G of RAM with no swap and an earlier failed
allocation indicated that node 0 where kcompactd was run was potentially
unreclaimable;

  Node 0 active_anon:29355112kB inactive_anon:2913528kB active_file:0kB
    inactive_file:0kB unevictable:64kB isolated(anon):0kB isolated(file):0kB
    mapped:8kB dirty:0kB writeback:0kB shmem:26780kB shmem_thp:
    0kB shmem_pmdmapped: 0kB anon_thp: 23480320kB writeback_tmp:0kB
    kernel_stack:2272kB pagetables:24500kB all_unreclaimable? yes

Vlastimil Babka investigated a crash dump and found that a task
migrating pages was trying to drain PCP lists;

  PID: 52922  TASK: ffff969f820e5000  CPU: 19  COMMAND: "kworker/u128:3"
  Call Trace:
     __schedule
     schedule
     schedule_timeout
     wait_for_completion
     __flush_work
     __drain_all_pages
     __alloc_pages_slowpath.constprop.114
     __alloc_pages
     alloc_migration_target
     migrate_pages
     migrate_to_node
     do_migrate_pages
     cpuset_migrate_mm_workfn
     process_one_work
     worker_thread
     kthread
     ret_from_fork

This failure is specific to CONFIG_PREEMPT=n builds.  The root of the
problem is that kcompact0 is not rescheduling on a CPU while a task that
has isolated a large number of the pages from the LRU is waiting on
kcompact0 to reschedule so the pages can be released.  While
shrink_inactive_list() only loops once around too_many_isolated, reclaim
can continue without rescheduling if sc->skipped_deactivate == 1 which
could happen if there was no file LRU and the inactive anon list was not
low.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48800

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48804
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vt_ioctl: fix array_index_nospec in vt_setactivate

array_index_nospec ensures that an out-of-bounds value is set to zero
on the transient path. Decreasing the value by one afterwards causes
a transient integer underflow. vsa.console should be decreased first
and then sanitized with array_index_nospec.

Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
Amsterdam.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48804

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48808
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: fix panic when DSA master device unbinds on shutdown

Rafael reports that on a system with LX2160A and Marvell DSA switches,
if a reboot occurs while the DSA master (dpaa2-eth) is up, the following
panic can be seen:

systemd-shutdown[1]: Rebooting.
Unable to handle kernel paging request at virtual address 00a0000800000041
[00a0000800000041] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] PREEMPT SMP
CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32
pc : dsa_slave_netdevice_event+0x130/0x3e4
lr : raw_notifier_call_chain+0x50/0x6c
Call trace:
 dsa_slave_netdevice_event+0x130/0x3e4
 raw_notifier_call_chain+0x50/0x6c
 call_netdevice_notifiers_info+0x54/0xa0
 __dev_close_many+0x50/0x130
 dev_close_many+0x84/0x120
 unregister_netdevice_many+0x130/0x710
 unregister_netdevice_queue+0x8c/0xd0
 unregister_netdev+0x20/0x30
 dpaa2_eth_remove+0x68/0x190
 fsl_mc_driver_remove+0x20/0x5c
 __device_release_driver+0x21c/0x220
 device_release_driver_internal+0xac/0xb0
 device_links_unbind_consumers+0xd4/0x100
 __device_release_driver+0x94/0x220
 device_release_driver+0x28/0x40
 bus_remove_device+0x118/0x124
 device_del+0x174/0x420
 fsl_mc_device_remove+0x24/0x40
 __fsl_mc_device_remove+0xc/0x20
 device_for_each_child+0x58/0xa0
 dprc_remove+0x90/0xb0
 fsl_mc_driver_remove+0x20/0x5c
 __device_release_driver+0x21c/0x220
 device_release_driver+0x28/0x40
 bus_remove_device+0x118/0x124
 device_del+0x174/0x420
 fsl_mc_bus_remove+0x80/0x100
 fsl_mc_bus_shutdown+0xc/0x1c
 platform_shutdown+0x20/0x30
 device_shutdown+0x154/0x330
 __do_sys_reboot+0x1cc/0x250
 __arm64_sys_reboot+0x20/0x30
 invoke_syscall.constprop.0+0x4c/0xe0
 do_el0_svc+0x4c/0x150
 el0_svc+0x24/0xb0
 el0t_64_sync_handler+0xa8/0xb0
 el0t_64_sync+0x178/0x17c

It can be seen from the stack trace that the problem is that the
deregistration of the master causes a dev_close(), which gets notified
as NETDEV_GOING_DOWN to dsa_slave_netdevice_event().
But dsa_switch_shutdown() has already run, and this has unregistered the
DSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to
call dev_close_many() on those slave interfaces, leading to the problem.

The previous attempt to avoid the NETDEV_GOING_DOWN on the master after
dsa_switch_shutdown() was called seems improper. Unregistering the slave
interfaces is unnecessary and unhelpful. Instead, after the slaves have
stopped being uppers of the DSA master, we can now reset to NULL the
master->dsa_ptr pointer, which will make DSA start ignoring all future
notifier events on the master.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48808

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48809
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: fix a memleak when uncloning an skb dst and its metadata

When uncloning an skb dst and its associated metadata, a new
dst+metadata is allocated and later replaces the old one in the skb.
This is helpful to have a non-shared dst+metadata attached to a specific
skb.

The issue is the uncloned dst+metadata is initialized with a refcount of
1, which is increased to 2 before attaching it to the skb. When
tun_dst_unclone returns, the dst+metadata is only referenced from a
single place (the skb) while its refcount is 2. Its refcount will never
drop to 0 (when the skb is consumed), leading to a memory leak.

Fix this by removing the call to dst_hold in tun_dst_unclone, as the
dst+metadata refcount is already 1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48809

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48820
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

phy: stm32: fix a refcount leak in stm32_usbphyc_pll_enable()

This error path needs to decrement "usbphyc->n_pll_cons.counter" before
returning.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48820

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48822
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: f_fs: Fix use-after-free for epfile

Consider a case where ffs_func_eps_disable is called from
ffs_func_disable as part of composition switch and at the
same time ffs_epfile_release get called from userspace.
ffs_epfile_release will free up the read buffer and call
ffs_data_closed which in turn destroys ffs->epfiles and
mark it as NULL. While this was happening the driver has
already initialized the local epfile in ffs_func_eps_disable
which is now freed and waiting to acquire the spinlock. Once
spinlock is acquired the driver proceeds with the stale value
of epfile and tries to free the already freed read buffer
causing use-after-free.

Following is the illustration of the race:

      CPU1                                  CPU2

   ffs_func_eps_disable
   epfiles (local copy)
					ffs_epfile_release
					ffs_data_closed
					if (last file closed)
					ffs_data_reset
					ffs_data_clear
					ffs_epfiles_destroy
spin_lock
dereference epfiles

Fix this races by taking epfiles local copy & assigning it under
spinlock and if epfiles(local) is null then update it in ffs->epfiles
then finally destroy it.
Extending the scope further from the race, protecting the ep related
structures, and concurrent accesses.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48822

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48824
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: myrs: Fix crash in error case

In myrs_detect(), cs->disable_intr is NULL when privdata->hw_init() fails
with non-zero. In this case, myrs_cleanup(cs) will call a NULL ptr and
crash the kernel.

[    1.105606] myrs 0000:00:03.0: Unknown Initialization Error 5A
[    1.105872] myrs 0000:00:03.0: Failed to initialize Controller
[    1.106082] BUG: kernel NULL pointer dereference, address: 0000000000000000
[    1.110774] Call Trace:
[    1.110950]  myrs_cleanup+0xe4/0x150 [myrs]
[    1.111135]  myrs_probe.cold+0x91/0x56a [myrs]
[    1.111302]  ? DAC960_GEM_intr_handler+0x1f0/0x1f0 [myrs]
[    1.111500]  local_pci_probe+0x48/0x90
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48824

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48826
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vc4: Fix deadlock on DSI device attach error

DSI device attach to DSI host will be done with host device's lock
held.

Un-registering host in "device attach" error path (ex: probe retry)
will result in deadlock with below call trace and non operational
DSI display.

Startup Call trace:
[   35.043036]  rt_mutex_slowlock.constprop.21+0x184/0x1b8
[   35.043048]  mutex_lock_nested+0x7c/0xc8
[   35.043060]  device_del+0x4c/0x3e8
[   35.043075]  device_unregister+0x20/0x40
[   35.043082]  mipi_dsi_remove_device_fn+0x18/0x28
[   35.043093]  device_for_each_child+0x68/0xb0
[   35.043105]  mipi_dsi_host_unregister+0x40/0x90
[   35.043115]  vc4_dsi_host_attach+0xf0/0x120 [vc4]
[   35.043199]  mipi_dsi_attach+0x30/0x48
[   35.043209]  tc358762_probe+0x128/0x164 [tc358762]
[   35.043225]  mipi_dsi_drv_probe+0x28/0x38
[   35.043234]  really_probe+0xc0/0x318
[   35.043244]  __driver_probe_device+0x80/0xe8
[   35.043254]  driver_probe_device+0xb8/0x118
[   35.043263]  __device_attach_driver+0x98/0xe8
[   35.043273]  bus_for_each_drv+0x84/0xd8
[   35.043281]  __device_attach+0xf0/0x150
[   35.043290]  device_initial_probe+0x1c/0x28
[   35.043300]  bus_probe_device+0xa4/0xb0
[   35.043308]  deferred_probe_work_func+0xa0/0xe0
[   35.043318]  process_one_work+0x254/0x700
[   35.043330]  worker_thread+0x4c/0x448
[   35.043339]  kthread+0x19c/0x1a8
[   35.043348]  ret_from_fork+0x10/0x20

Shutdown Call trace:
[  365.565417] Call trace:
[  365.565423]  __switch_to+0x148/0x200
[  365.565452]  __schedule+0x340/0x9c8
[  365.565467]  schedule+0x48/0x110
[  365.565479]  schedule_timeout+0x3b0/0x448
[  365.565496]  wait_for_completion+0xac/0x138
[  365.565509]  __flush_work+0x218/0x4e0
[  365.565523]  flush_work+0x1c/0x28
[  365.565536]  wait_for_device_probe+0x68/0x158
[  365.565550]  device_shutdown+0x24/0x348
[  365.565561]  kernel_restart_prepare+0x40/0x50
[  365.565578]  kernel_restart+0x20/0x70
[  365.565591]  __do_sys_reboot+0x10c/0x220
[  365.565605]  __arm64_sys_reboot+0x2c/0x38
[  365.565619]  invoke_syscall+0x4c/0x110
[  365.565634]  el0_svc_common.constprop.3+0xfc/0x120
[  365.565648]  do_el0_svc+0x2c/0x90
[  365.565661]  el0_svc+0x4c/0xf0
[  365.565671]  el0t_64_sync_handler+0x90/0xb8
[  365.565682]  el0t_64_sync+0x180/0x184
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48826

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48834
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: usbtmc: Fix bug in pipe direction for control transfers

The syzbot fuzzer reported a minor bug in the usbtmc driver:

usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0
WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412
usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410
Modules linked in:
CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted
5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
...
Call Trace:
 <TASK>
 usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153
 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]

The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for
all of its transfers, whether they are in or out.  It's easy to fix.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48834

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48835
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Page fault in reply q processing

A page fault was encountered in mpt3sas on a LUN reset error path:

[  145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)
[  145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)
[  145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)
[  145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00
[  145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)
[  145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)
[  149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)
[  149.875202] BUG: unable to handle page fault for address: 00000007fffc445d
[  149.885617] #PF: supervisor read access in kernel mode
[  149.894346] #PF: error_code(0x0000) - not-present page
[  149.903123] PGD 0 P4D 0
[  149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S         O      5.10.89-altav-1 #1
[  149.934327] Hardware name: DDN           200NVX2             /200NVX2-MB          , BIOS ATHG2.2.02.01 09/10/2021
[  149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]
[  149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee
[  149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246
[  150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071
[  150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8
[  150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff
[  150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000
[  150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80
[  150.054963] FS:  0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000
[  150.066715] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0
[  150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  150.108323] PKRU: 55555554
[  150.114690] Call Trace:
[  150.120497]  ? printk+0x48/0x4a
[  150.127049]  mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]
[  150.136453]  mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]
[  150.145759]  scsih_dev_reset+0xea/0x300 [mpt3sas]
[  150.153891]  scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]
[  150.162206]  ? __scsi_host_match+0x20/0x20 [scsi_mod]
[  150.170406]  ? scsi_try_target_reset+0x90/0x90 [scsi_mod]
[  150.178925]  ? blk_mq_tagset_busy_iter+0x45/0x60
[  150.186638]  ? scsi_try_target_reset+0x90/0x90 [scsi_mod]
[  150.195087]  scsi_error_handler+0x3a5/0x4a0 [scsi_mod]
[  150.203206]  ? __schedule+0x1e9/0x610
[  150.209783]  ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]
[  150.217924]  kthread+0x12e/0x150
[  150.224041]  ? kthread_worker_fn+0x130/0x130
[  150.231206]  ret_from_fork+0x1f/0x30

This is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q
pointer outside of the list_for_each_entry() loop. At the end of the full
list traversal the pointer is invalid.

Move the _base_process_reply_queue() call inside of the loop.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48835

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48836
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Input: aiptek - properly check endpoint type

Syzbot reported warning in usb_submit_urb() which is caused by wrong
endpoint type. There was a check for the number of endpoints, but not
for the type of endpoint.

Fix it by replacing old desc.bNumEndpoints check with
usb_find_common_endpoints() helper for finding endpoints

Fail log:

usb 5-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: usb_hub_wq hub_event
...
Call Trace:
 <TASK>
 aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830
 input_open_device+0x1bb/0x320 drivers/input/input.c:629
 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48836

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48837
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: rndis: prevent integer overflow in rndis_set_response()

If "BufOffset" is very large the "BufOffset + 8" operation can have an
integer overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48837

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48838
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: Fix use-after-free bug by not setting udc->dev.driver

The syzbot fuzzer found a use-after-free bug:

BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320
Read of size 8 at addr ffff88802b934098 by task udevd/3689

CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 dev_uevent+0x712/0x780 drivers/base/core.c:2320
 uevent_show+0x1b8/0x380 drivers/base/core.c:2391
 dev_attr_show+0x4b/0x90 drivers/base/core.c:2094

Although the bug manifested in the driver core, the real cause was a
race with the gadget core.  dev_uevent() does:

	if (dev->driver)
		add_uevent_var(env, "DRIVER=%s", dev->driver->name);

and between the test and the dereference of dev->driver, the gadget
core sets dev->driver to NULL.

The race wouldn't occur if the gadget core registered its devices on
a real bus, using the standard synchronization techniques of the
driver core.  However, it's not necessary to make such a large change
in order to fix this bug; all we need to do is make sure that
udc->dev.driver is always NULL.

In fact, there is no reason for udc->dev.driver ever to be set to
anything, let alone to the value it currently gets: the address of the
gadget's driver.  After all, a gadget driver only knows how to manage
a gadget, not how to manage a UDC.

This patch simply removes the statements in the gadget core that touch
udc->dev.driver.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48838

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48839
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/packet: fix slab-out-of-bounds access in packet_recvmsg()

syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH
and mmap operations, tpacket_rcv() is queueing skbs with
garbage in skb->cb[], triggering a too big copy [1]

Presumably, users of af_packet using mmap() already gets correct
metadata from the mapped buffer, we can simply make sure
to clear 12 bytes that might be copied to user space later.

BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631

CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:225 [inline]
 packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
 ___sys_recvmsg+0x127/0x200 net/socket.c:2674
 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fdfd5954c29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54
 </TASK>

addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:
 ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246

this frame has 1 object:
 [32, 160) 'addr'

Memory state around the buggy address:
 ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
 ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
                                                                ^
 ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1
 ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
==================================================================
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48839

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48840
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iavf: Fix hang during reboot/shutdown

Recent commit 974578017fc1 ("iavf: Add waiting so the port is
initialized in remove") adds a wait-loop at the beginning of
iavf_remove() to ensure that port initialization is finished
prior unregistering net device. This causes a regression
in reboot/shutdown scenario because in this case callback
iavf_shutdown() is called and this callback detaches the device,
makes it down if it is running and sets its state to __IAVF_REMOVE.
Later shutdown callback of associated PF driver (e.g. ice_shutdown)
is called. That callback calls among other things sriov_disable()
that calls indirectly iavf_remove() (see stack trace below).
As the adapter state is already __IAVF_REMOVE then the mentioned
loop is end-less and shutdown process hangs.

The patch fixes this by checking adapter's state at the beginning
of iavf_remove() and skips the rest of the function if the adapter
is already in remove state (shutdown is in progress).

Reproducer:
1. Create VF on PF driven by ice or i40e driver
2. Ensure that the VF is bound to iavf driver
3. Reboot

[52625.981294] sysrq: SysRq : Show Blocked State
[52625.988377] task:reboot          state:D stack:    0 pid:17359 ppid:     1 f2
[52625.996732] Call Trace:
[52625.999187]  __schedule+0x2d1/0x830
[52626.007400]  schedule+0x35/0xa0
[52626.010545]  schedule_hrtimeout_range_clock+0x83/0x100
[52626.020046]  usleep_range+0x5b/0x80
[52626.023540]  iavf_remove+0x63/0x5b0 [iavf]
[52626.027645]  pci_device_remove+0x3b/0xc0
[52626.031572]  device_release_driver_internal+0x103/0x1f0
[52626.036805]  pci_stop_bus_device+0x72/0xa0
[52626.040904]  pci_stop_and_remove_bus_device+0xe/0x20
[52626.045870]  pci_iov_remove_virtfn+0xba/0x120
[52626.050232]  sriov_disable+0x2f/0xe0
[52626.053813]  ice_free_vfs+0x7c/0x340 [ice]
[52626.057946]  ice_remove+0x220/0x240 [ice]
[52626.061967]  ice_shutdown+0x16/0x50 [ice]
[52626.065987]  pci_device_shutdown+0x34/0x60
[52626.070086]  device_shutdown+0x165/0x1c5
[52626.074011]  kernel_restart+0xe/0x30
[52626.077593]  __do_sys_reboot+0x1d2/0x210
[52626.093815]  do_syscall_64+0x5b/0x1a0
[52626.097483]  entry_SYSCALL_64_after_hwframe+0x65/0xca
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48840

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48841
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: fix NULL pointer dereference in ice_update_vsi_tx_ring_stats()

It is possible to do NULL pointer dereference in routine that updates
Tx ring stats. Currently only stats and bytes are updated when ring
pointer is valid, but later on ring is accessed to propagate gathered Tx
stats onto VSI stats.

Change the existing logic to move to next ring when ring is NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48841

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48842
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: Fix race condition during interface enslave

Commit 5dbbbd01cbba83 ("ice: Avoid RTNL lock when re-creating
auxiliary device") changes a process of re-creation of aux device
so ice_plug_aux_dev() is called from ice_service_task() context.
This unfortunately opens a race window that can result in dead-lock
when interface has left LAG and immediately enters LAG again.

Reproducer:
```
#!/bin/sh

ip link add lag0 type bond mode 1 miimon 100
ip link set lag0

for n in {1..10}; do
        echo Cycle: $n
        ip link set ens7f0 master lag0
        sleep 1
        ip link set ens7f0 nomaster
done
```

This results in:
[20976.208697] Workqueue: ice ice_service_task [ice]
[20976.213422] Call Trace:
[20976.215871]  __schedule+0x2d1/0x830
[20976.219364]  schedule+0x35/0xa0
[20976.222510]  schedule_preempt_disabled+0xa/0x10
[20976.227043]  __mutex_lock.isra.7+0x310/0x420
[20976.235071]  enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core]
[20976.251215]  ib_enum_roce_netdev+0xa4/0xe0 [ib_core]
[20976.256192]  ib_cache_setup_one+0x33/0xa0 [ib_core]
[20976.261079]  ib_register_device+0x40d/0x580 [ib_core]
[20976.266139]  irdma_ib_register_device+0x129/0x250 [irdma]
[20976.281409]  irdma_probe+0x2c1/0x360 [irdma]
[20976.285691]  auxiliary_bus_probe+0x45/0x70
[20976.289790]  really_probe+0x1f2/0x480
[20976.298509]  driver_probe_device+0x49/0xc0
[20976.302609]  bus_for_each_drv+0x79/0xc0
[20976.306448]  __device_attach+0xdc/0x160
[20976.310286]  bus_probe_device+0x9d/0xb0
[20976.314128]  device_add+0x43c/0x890
[20976.321287]  __auxiliary_device_add+0x43/0x60
[20976.325644]  ice_plug_aux_dev+0xb2/0x100 [ice]
[20976.330109]  ice_service_task+0xd0c/0xed0 [ice]
[20976.342591]  process_one_work+0x1a7/0x360
[20976.350536]  worker_thread+0x30/0x390
[20976.358128]  kthread+0x10a/0x120
[20976.365547]  ret_from_fork+0x1f/0x40
...
[20976.438030] task:ip              state:D stack:    0 pid:213658 ppid:213627 flags:0x00004084
[20976.446469] Call Trace:
[20976.448921]  __schedule+0x2d1/0x830
[20976.452414]  schedule+0x35/0xa0
[20976.455559]  schedule_preempt_disabled+0xa/0x10
[20976.460090]  __mutex_lock.isra.7+0x310/0x420
[20976.464364]  device_del+0x36/0x3c0
[20976.467772]  ice_unplug_aux_dev+0x1a/0x40 [ice]
[20976.472313]  ice_lag_event_handler+0x2a2/0x520 [ice]
[20976.477288]  notifier_call_chain+0x47/0x70
[20976.481386]  __netdev_upper_dev_link+0x18b/0x280
[20976.489845]  bond_enslave+0xe05/0x1790 [bonding]
[20976.494475]  do_setlink+0x336/0xf50
[20976.502517]  __rtnl_newlink+0x529/0x8b0
[20976.543441]  rtnl_newlink+0x43/0x60
[20976.546934]  rtnetlink_rcv_msg+0x2b1/0x360
[20976.559238]  netlink_rcv_skb+0x4c/0x120
[20976.563079]  netlink_unicast+0x196/0x230
[20976.567005]  netlink_sendmsg+0x204/0x3d0
[20976.570930]  sock_sendmsg+0x4c/0x50
[20976.574423]  ____sys_sendmsg+0x1eb/0x250
[20976.586807]  ___sys_sendmsg+0x7c/0xc0
[20976.606353]  __sys_sendmsg+0x57/0xa0
[20976.609930]  do_syscall_64+0x5b/0x1a0
[20976.613598]  entry_SYSCALL_64_after_hwframe+0x65/0xca

1. Command 'ip link ... set nomaster' causes that ice_plug_aux_dev()
   is called from ice_service_task() context, aux device is created
   and associated device->lock is taken.
2. Command 'ip link ... set master...' calls ice's notifier under
   RTNL lock and that notifier calls ice_unplug_aux_dev(). That
   function tries to take aux device->lock but this is already taken
   by ice_plug_aux_dev() in step 1
3. Later ice_plug_aux_dev() tries to take RTNL lock but this is already
   taken in step 2
4. Dead-lock

The patch fixes this issue by following changes:
- Bit ICE_FLAG_PLUG_AUX_DEV is kept to be set during ice_plug_aux_dev()
  call in ice_service_task()
- The bit is checked in ice_clear_rdma_cap() and only if it is not set
  then ice_unplug_aux_dev() is called. If it is set (in other words
  plugging of aux device was requested and ice_plug_aux_dev() is
  potentially running) then the function only clears the
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48842

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48843
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vrr: Set VRR capable prop only if it is attached to connector

VRR capable property is not attached by default to the connector
It is attached only if VRR is supported.
So if the driver tries to call drm core set prop function without
it being attached that causes NULL dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48843

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48844
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_core: Fix leaking sent_cmd skb

sent_cmd memory is not freed before freeing hci_dev causing it to leak
it contents.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48844

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48845
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

MIPS: smp: fill in sibling and core maps earlier

After enabling CONFIG_SCHED_CORE (landed during 5.14 cycle),
2-core 2-thread-per-core interAptiv (CPS-driven) started emitting
the following:

[    0.025698] CPU1 revision is: 0001a120 (MIPS interAptiv (multi))
[    0.048183] ------------[ cut here ]------------
[    0.048187] WARNING: CPU: 1 PID: 0 at kernel/sched/core.c:6025 sched_core_cpu_starting+0x198/0x240
[    0.048220] Modules linked in:
[    0.048233] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc3+ #35 b7b319f24073fd9a3c2aa7ad15fb7993eec0b26f
[    0.048247] Stack : 817f0000 00000004 327804c8 810eb050 00000000 00000004 00000000 c314fdd1
[    0.048278]         830cbd64 819c0000 81800000 817f0000 83070bf4 00000001 830cbd08 00000000
[    0.048307]         00000000 00000000 815fcbc4 00000000 00000000 00000000 00000000 00000000
[    0.048334]         00000000 00000000 00000000 00000000 817f0000 00000000 00000000 817f6f34
[    0.048361]         817f0000 818a3c00 817f0000 00000004 00000000 00000000 4dc33260 0018c933
[    0.048389]         ...
[    0.048396] Call Trace:
[    0.048399] [<8105a7bc>] show_stack+0x3c/0x140
[    0.048424] [<8131c2a0>] dump_stack_lvl+0x60/0x80
[    0.048440] [<8108b5c0>] __warn+0xc0/0xf4
[    0.048454] [<8108b658>] warn_slowpath_fmt+0x64/0x10c
[    0.048467] [<810bd418>] sched_core_cpu_starting+0x198/0x240
[    0.048483] [<810c6514>] sched_cpu_starting+0x14/0x80
[    0.048497] [<8108c0f8>] cpuhp_invoke_callback_range+0x78/0x140
[    0.048510] [<8108d914>] notify_cpu_starting+0x94/0x140
[    0.048523] [<8106593c>] start_secondary+0xbc/0x280
[    0.048539]
[    0.048543] ---[ end trace 0000000000000000 ]---
[    0.048636] Synchronize counters for CPU 1: done.

...for each but CPU 0/boot.
Basic debug printks right before the mentioned line say:

[    0.048170] CPU: 1, smt_mask:

So smt_mask, which is sibling mask obviously, is empty when entering
the function.
This is critical, as sched_core_cpu_starting() calculates
core-scheduling parameters only once per CPU start, and it's crucial
to have all the parameters filled in at that moment (at least it
uses cpu_smt_mask() which in fact is `&cpu_sibling_map[cpu]` on
MIPS).

A bit of debugging led me to that set_cpu_sibling_map() performing
the actual map calculation, was being invocated after
notify_cpu_start(), and exactly the latter function starts CPU HP
callback round (sched_core_cpu_starting() is basically a CPU HP
callback).
While the flow is same on ARM64 (maps after the notifier, although
before calling set_cpu_online()), x86 started calculating sibling
maps earlier than starting the CPU HP callbacks in Linux 4.14 (see
[0] for the reference). Neither me nor my brief tests couldn't find
any potential caveats in calculating the maps right after performing
delay calibration, but the WARN splat is now gone.
The very same debug prints now yield exactly what I expected from
them:

[    0.048433] CPU: 1, smt_mask: 0-1

[0] https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=76ce7cfe35ef
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48845

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48846
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block: release rq qos structures for queue without disk

blkcg_init_queue() may add rq qos structures to request queue, previously
blk_cleanup_queue() calls rq_qos_exit() to release them, but commit
8e141f9eb803 ("block: drain file system I/O on del_gendisk")
moves rq_qos_exit() into del_gendisk(), so memory leak is caused
because queues may not have disk, such as un-present scsi luns, nvme
admin queue, ...

Fixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.

BTW, v5.18 won't need this patch any more since we move
blkcg_init_queue()/blkcg_exit_queue() into disk allocation/release
handler, and patches have been in for-5.18/block.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48846

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48847
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

watch_queue: Fix filter limit check

In watch_queue_set_filter(), there are a couple of places where we check
that the filter type value does not exceed what the type_filter bitmap
can hold.  One place calculates the number of bits by:

   if (tf[i].type >= sizeof(wfilter->type_filter) * 8)

which is fine, but the second does:

   if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG)

which is not.  This can lead to a couple of out-of-bounds writes due to
a too-large type:

 (1) __set_bit() on wfilter->type_filter
 (2) Writing more elements in wfilter->filters[] than we allocated.

Fix this by just using the proper WATCH_TYPE__NR instead, which is the
number of types we actually know about.

The bug may cause an oops looking something like:

  BUG: KASAN: slab-out-of-bounds in watch_queue_set_filter+0x659/0x740
  Write of size 4 at addr ffff88800d2c66bc by task watch_queue_oob/611
  ...
  Call Trace:
   <TASK>
   dump_stack_lvl+0x45/0x59
   print_address_description.constprop.0+0x1f/0x150
   ...
   kasan_report.cold+0x7f/0x11b
   ...
   watch_queue_set_filter+0x659/0x740
   ...
   __x64_sys_ioctl+0x127/0x190
   do_syscall_64+0x43/0x90
   entry_SYSCALL_64_after_hwframe+0x44/0xae

  Allocated by task 611:
   kasan_save_stack+0x1e/0x40
   __kasan_kmalloc+0x81/0xa0
   watch_queue_set_filter+0x23a/0x740
   __x64_sys_ioctl+0x127/0x190
   do_syscall_64+0x43/0x90
   entry_SYSCALL_64_after_hwframe+0x44/0xae

  The buggy address belongs to the object at ffff88800d2c66a0
   which belongs to the cache kmalloc-32 of size 32
  The buggy address is located 28 bytes inside of
   32-byte region [ffff88800d2c66a0, ffff88800d2c66c0)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48847

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48848
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing/osnoise: Do not unregister events twice

Nicolas reported that using:

 # trace-cmd record -e all -M 10 -p osnoise --poll

Resulted in the following kernel warning:

 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 1217 at kernel/tracepoint.c:404 tracepoint_probe_unregister+0x280/0x370
 [...]
 CPU: 0 PID: 1217 Comm: trace-cmd Not tainted 5.17.0-rc6-next-20220307-nico+ #19
 RIP: 0010:tracepoint_probe_unregister+0x280/0x370
 [...]
 CR2: 00007ff919b29497 CR3: 0000000109da4005 CR4: 0000000000170ef0
 Call Trace:
  <TASK>
  osnoise_workload_stop+0x36/0x90
  tracing_set_tracer+0x108/0x260
  tracing_set_trace_write+0x94/0xd0
  ? __check_object_size.part.0+0x10a/0x150
  ? selinux_file_permission+0x104/0x150
  vfs_write+0xb5/0x290
  ksys_write+0x5f/0xe0
  do_syscall_64+0x3b/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7ff919a18127
 [...]
 ---[ end trace 0000000000000000 ]---

The warning complains about an attempt to unregister an
unregistered tracepoint.

This happens on trace-cmd because it first stops tracing, and
then switches the tracer to nop. Which is equivalent to:

  # cd /sys/kernel/tracing/
  # echo osnoise > current_tracer
  # echo 0 > tracing_on
  # echo nop > current_tracer

The osnoise tracer stops the workload when no trace instance
is actually collecting data. This can be caused both by
disabling tracing or disabling the tracer itself.

To avoid unregistering events twice, use the existing
trace_osnoise_callback_enabled variable to check if the events
(and the workload) are actually active before trying to
deactivate them.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48849
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: bypass tiling flag check in virtual display case (v2)

vkms leverages common amdgpu framebuffer creation, and
also as it does not support FB modifier, there is no need
to check tiling flags when initing framebuffer when virtual
display is enabled.

This can fix below calltrace:

amdgpu 0000:00:08.0: GFX9+ requires FB check based on format modifier
WARNING: CPU: 0 PID: 1023 at drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:1150 amdgpu_display_framebuffer_init+0x8e7/0xb40 [amdgpu]

v2: check adev->enable_virtual_display instead as vkms can be
	enabled in bare metal as well.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48849

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48850
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net-sysfs: add check for netdevice being present to speed_show

When bringing down the netdevice or system shutdown, a panic can be
triggered while accessing the sysfs path because the device is already
removed.

    [  755.549084] mlx5_core 0000:12:00.1: Shutdown was called
    [  756.404455] mlx5_core 0000:12:00.0: Shutdown was called
    ...
    [  757.937260] BUG: unable to handle kernel NULL pointer dereference at           (null)
    [  758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280

    crash> bt
    ...
    PID: 12649  TASK: ffff8924108f2100  CPU: 1   COMMAND: "amsd"
    ...
     #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778
        [exception RIP: dma_pool_alloc+0x1ab]
        RIP: ffffffff8ee11acb  RSP: ffff89240e1a3968  RFLAGS: 00010046
        RAX: 0000000000000246  RBX: ffff89243d874100  RCX: 0000000000001000
        RDX: 0000000000000000  RSI: 0000000000000246  RDI: ffff89243d874090
        RBP: ffff89240e1a39c0   R8: 000000000001f080   R9: ffff8905ffc03c00
        R10: ffffffffc04680d4  R11: ffffffff8edde9fd  R12: 00000000000080d0
        R13: ffff89243d874090  R14: ffff89243d874080  R15: 0000000000000000
        ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
    #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core]
    #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core]
    #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core]
    #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core]
    #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core]
    #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core]
    #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core]
    #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46
    #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208
    #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3
    #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf
    #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596
    #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10
    #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5
    #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff
    #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f
    #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92

    crash> net_device.state ffff89443b0c0000
      state = 0x5  (__LINK_STATE_START| __LINK_STATE_NOCARRIER)

To prevent this scenario, we also make sure that the netdevice is present.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48851
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

staging: gdm724x: fix use after free in gdm_lte_rx()

The netif_rx_ni() function frees the skb so we can't dereference it to
save the skb->len.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48851

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48852
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vc4: hdmi: Unregister codec device on unbind

On bind we will register the HDMI codec device but we don't unregister
it on unbind, leading to a device leakage. Unregister our device at
unbind.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48852

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48853
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

swiotlb: fix info leak with DMA_FROM_DEVICE

The problem I'm addressing was discovered by the LTP test covering
cve-2018-1000204.

A short description of what happens follows:
1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO
   interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV
   and a corresponding dxferp. The peculiar thing about this is that TUR
   is not reading from the device.
2) In sg_start_req() the invocation of blk_rq_map_user() effectively
   bounces the user-space buffer. As if the device was to transfer into
   it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in
   sg_build_indirect()") we make sure this first bounce buffer is
   allocated with GFP_ZERO.
3) For the rest of the story we keep ignoring that we have a TUR, so the
   device won't touch the buffer we prepare as if the we had a
   DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device
   and the  buffer allocated by SG is mapped by the function
   virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here
   scatter-gather and not scsi generics). This mapping involves bouncing
   via the swiotlb (we need swiotlb to do virtio in protected guest like
   s390 Secure Execution, or AMD SEV).
4) When the SCSI TUR is done, we first copy back the content of the second
   (that is swiotlb) bounce buffer (which most likely contains some
   previous IO data), to the first bounce buffer, which contains all
   zeros.  Then we copy back the content of the first bounce buffer to
   the user-space buffer.
5) The test case detects that the buffer, which it zero-initialized,
  ain't all zeros and fails.

One can argue that this is an swiotlb problem, because without swiotlb
we leak all zeros, and the swiotlb should be transparent in a sense that
it does not affect the outcome (if all other participants are well
behaved).

Copying the content of the original buffer into the swiotlb buffer is
the only way I can think of to make swiotlb transparent in such
scenarios. So let's do just that if in doubt, but allow the driver
to tell us that the whole mapped buffer is going to be overwritten,
in which case we can preserve the old behavior and avoid the performance
impact of the extra bounce.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48853

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48854
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: arc_emac: Fix use after free in arc_mdio_probe()

If bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free
the "bus". But bus->name is still used in the next line, which will lead
to a use after free.

We can fix it by putting the name in a local variable and make the
bus->name point to the rodata section "name",then use the name in the
error message without referring to bus to avoid the uaf.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48854

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48855
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sctp: fix kernel-infoleak for SCTP sockets

syzbot reported a kernel infoleak [1] of 4 bytes.

After analysis, it turned out r->idiag_expires is not initialized
if inet_sctp_diag_fill() calls inet_diag_msg_common_fill()

Make sure to clear idiag_timer/idiag_retrans/idiag_expires
and let inet_diag_msg_sctpasoc_fill() fill them again if needed.

[1]

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 copyout lib/iov_iter.c:154 [inline]
 _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
 copy_to_iter include/linux/uio.h:162 [inline]
 simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
 __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
 skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
 netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 __sys_recvfrom+0x795/0xa10 net/socket.c:2097
 __do_sys_recvfrom net/socket.c:2115 [inline]
 __se_sys_recvfrom net/socket.c:2111 [inline]
 __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3247 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1158 [inline]
 netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
 __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
 netlink_dump_start include/linux/netlink.h:254 [inline]
 inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
 sock_diag_rcv_msg+0x24a/0x620
 netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg net/socket.c:725 [inline]
 sock_write_iter+0x594/0x690 net/socket.c:1061
 do_iter_readv_writev+0xa7f/0xc70
 do_iter_write+0x52c/0x1500 fs/read_write.c:851
 vfs_writev fs/read_write.c:924 [inline]
 do_writev+0x645/0xe00 fs/read_write.c:967
 __do_sys_writev fs/read_write.c:1040 [inline]
 __se_sys_writev fs/read_write.c:1037 [inline]
 __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Bytes 68-71 of 2508 are uninitialized
Memory access of size 2508 starts at ffff888114f9b000
Data copied to user address 00007f7fe09ff2e0

CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48855

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48856
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gianfar: ethtool: Fix refcount leak in gfar_get_ts_info

The of_find_compatible_node() function returns a node pointer with
refcount incremented, We should use of_node_put() on it when done
Add the missing of_node_put() to release the refcount.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48856

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48857
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFC: port100: fix use-after-free in port100_send_complete

Syzbot reported UAF in port100_send_complete(). The root case is in
missing usb_kill_urb() calls on error handling path of ->probe function.

port100_send_complete() accesses devm allocated memory which will be
freed on probe failure. We should kill this urbs before returning an
error from probe function to prevent reported use-after-free

Fail log:

BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26
...
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670

...

Allocated by task 1255:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 alloc_dr drivers/base/devres.c:116 [inline]
 devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823
 devm_kzalloc include/linux/device.h:209 [inline]
 port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502

Freed by task 1255:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf8/0x2b0 mm/slab.c:3794
 release_nodes+0x112/0x1a0 drivers/base/devres.c:501
 devres_release_all+0x114/0x190 drivers/base/devres.c:530
 really_probe+0x626/0xcc0 drivers/base/dd.c:670
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48857

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48858
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix a race on command flush flow

Fix a refcount use after free warning due to a race on command entry.
Such race occurs when one of the commands releases its last refcount and
frees its index and entry while another process running command flush
flow takes refcount to this command entry. The process which handles
commands flush may see this command as needed to be flushed if the other
process released its refcount but didn't release the index yet. Fix it
by adding the needed spin lock.

It fixes the following warning trace:

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0
...
RIP: 0010:refcount_warn_saturate+0x80/0xe0
...
Call Trace:
 <TASK>
 mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core]
 mlx5_cmd_flush+0x3a/0xf0 [mlx5_core]
 enter_error_state+0x44/0x80 [mlx5_core]
 mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core]
 process_one_work+0x1be/0x390
 worker_thread+0x4d/0x3d0
 ? rescuer_thread+0x350/0x350
 kthread+0x141/0x160
 ? set_kthread_struct+0x40/0x40
 ret_from_fork+0x1f/0x30
 </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48859
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr

This node pointer is returned by of_find_compatible_node() with
refcount incremented. Calling of_node_put() to aovid the refcount leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48859

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48860
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ethernet: Fix error handling in xemaclite_of_probe

This node pointer is returned by of_parse_phandle() with refcount
incremented in this function. Calling of_node_put() to avoid the
refcount leak. As the remove function do.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48860

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48861
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vdpa: fix use-after-free on vp_vdpa_remove

When vp_vdpa driver is unbind, vp_vdpa is freed in vdpa_unregister_device
and then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove,
triggering use-after-free.

Call Trace of unbinding driver free vp_vdpa :
do_syscall_64
  vfs_write
    kernfs_fop_write_iter
      device_release_driver_internal
        pci_device_remove
          vp_vdpa_remove
            vdpa_unregister_device
              kobject_release
                device_release
                  kfree

Call Trace of dereference vp_vdpa->mdev.pci_dev:
vp_modern_remove
  pci_release_selected_regions
    pci_release_region
      pci_resource_len
        pci_resource_end
          (dev)->resource[(bar)].end
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48861

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48862
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vhost: fix hung thread due to erroneous iotlb entries

In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when
start is 0 and last is ULONG_MAX. One instance where it can happen
is when userspace sends an IOTLB message with iova=size=uaddr=0
(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,
last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,
iotlb_access_ok() loops indefinitely due to that erroneous entry.

	Call Trace:
	 <TASK>
	 iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
	 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
	 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
	 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372
	 kthread+0x2e9/0x3a0 kernel/kthread.c:377
	 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
	 </TASK>

Reported by syzbot at:
	https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87

To fix this, do two things:

1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map
   a range with size 0.
2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]
   by splitting it into two entries.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48862

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48863
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mISDN: Fix memory leak in dsp_pipeline_build()

dsp_pipeline_build() allocates dup pointer by kstrdup(cfg),
but then it updates dup variable by strsep(&dup, "|").
As a result when it calls kfree(dup), the dup variable contains NULL.

Found by Linux Driver Verification project (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48863

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48864
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vdpa/mlx5: add validation for VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command

When control vq receives a VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command
request from the driver, presently there is no validation against the
number of queue pairs to configure, or even if multiqueue had been
negotiated or not is unverified. This may lead to kernel panic due to
uninitialized resource for the queues were there any bogus request
sent down by untrusted driver. Tie up the loose ends there.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48864

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48865
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tipc: fix kernel panic when enabling bearer

When enabling a bearer on a node, a kernel panic is observed:

[    4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]
...
[    4.520030] Call Trace:
[    4.520689]  <IRQ>
[    4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]
[    4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]
[    4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]
[    4.525292]  tipc_rcv+0x5da/0x730 [tipc]
[    4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0
[    4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]
[    4.528737]  __netif_receive_skb_list_core+0x20b/0x260
[    4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0
[    4.531450]  ? dev_gro_receive+0x4c2/0x680
[    4.532512]  napi_complete_done+0x6f/0x180
[    4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]
...

The node in question is receiving activate messages in another
thread after changing bearer status to allow message sending/
receiving in current thread:

         thread 1           |              thread 2
         --------           |              --------
                            |
tipc_enable_bearer()        |
  test_and_set_bit_lock()   |
    tipc_bearer_xmit_skb()  |
                            | tipc_l2_rcv_msg()
                            |   tipc_rcv()
                            |     __tipc_node_link_up()
                            |       tipc_link_build_state_msg()
                            |         tipc_link_build_proto_msg()
                            |           tipc_mon_prep()
                            |           {
                            |             ...
                            |             // null-pointer dereference
                            |             u16 gen = mon->dom_gen;
                            |             ...
                            |           }
  // Not being executed yet |
  tipc_mon_create()         |
  {                         |
    ...                     |
    // allocate             |
    mon = kzalloc();        |
    ...                     |
  }                         |

Monitoring pointer in thread 2 is dereferenced before monitoring data
is allocated in thread 1. This causes kernel panic.

This commit fixes it by allocating the monitoring data before enabling
the bearer to receive messages.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48865

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48866
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts

Syzbot reported an slab-out-of-bounds Read in thrustmaster_probe() bug.
The root case is in missing validation check of actual number of endpoints.

Code should not blindly access usb_host_interface::endpoint array, since
it may contain less endpoints than code expects.

Fix it by adding missing validaion check and print an error if
number of endpoints do not match expected number
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48866

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48867
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Prevent use after free on completion memory

On driver unload any pending descriptors are flushed at the
time the interrupt is freed:
idxd_dmaengine_drv_remove() ->
	drv_disable_wq() ->
		idxd_wq_free_irq() ->
			idxd_flush_pending_descs().

If there are any descriptors present that need to be flushed this
flow triggers a "not present" page fault as below:

 BUG: unable to handle page fault for address: ff391c97c70c9040
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page

The address that triggers the fault is the address of the
descriptor that was freed moments earlier via:
drv_disable_wq()->idxd_wq_free_resources()

Fix the use after free by freeing the descriptors after any possible
usage. This is done after idxd_wq_reset() to ensure that the memory
remains accessible during possible completion writes by the device.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48867

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48868
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Let probe fail when workqueue cannot be enabled

The workqueue is enabled when the appropriate driver is loaded and
disabled when the driver is removed. When the driver is removed it
assumes that the workqueue was enabled successfully and proceeds to
free allocations made during workqueue enabling.

Failure during workqueue enabling does not prevent the driver from
being loaded. This is because the error path within drv_enable_wq()
returns success unless a second failure is encountered
during the error path. By returning success it is possible to load
the driver even if the workqueue cannot be enabled and
allocations that do not exist are attempted to be freed during
driver remove.

Some examples of problematic flows:
(a)

 idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():
 In above flow, if idxd_wq_request_irq() fails then
 idxd_wq_unmap_portal() is called on error exit path, but
 drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The
 driver is thus loaded successfully.

 idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()
 Above flow on driver unload triggers the WARN in devm_iounmap() because
 the device resource has already been removed during error path of
 drv_enable_wq().

(b)

 idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():
 In above flow, if idxd_wq_request_irq() fails then
 idxd_wq_init_percpu_ref() is never called to initialize the percpu
 counter, yet the driver loads successfully because drv_enable_wq()
 returns 0.

 idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():
 Above flow on driver unload triggers a BUG when attempting to drop the
 initial ref of the uninitialized percpu ref:
 BUG: kernel NULL pointer dereference, address: 0000000000000010

Fix the drv_enable_wq() error path by returning the original error that
indicates failure of workqueue enabling. This ensures that the probe
fails when an error is encountered and the driver remove paths are only
attempted when the workqueue was enabled successfully.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48868

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48869
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

USB: gadgetfs: Fix race between mounting and unmounting

The syzbot fuzzer and Gerald Lee have identified a use-after-free bug
in the gadgetfs driver, involving processes concurrently mounting and
unmounting the gadgetfs filesystem.  In particular, gadgetfs_fill_super()
can race with gadgetfs_kill_sb(), causing the latter to deallocate
the_device while the former is using it.  The output from KASAN says,
in part:

BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689

CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
...
 atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
 gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
 deactivate_locked_super+0xa7/0xf0 fs/super.c:332
 vfs_get_super fs/super.c:1190 [inline]
 get_tree_single+0xd0/0x160 fs/super.c:1207
 vfs_get_tree+0x88/0x270 fs/super.c:1531
 vfs_fsconfig_locked fs/fsopen.c:232 [inline]

The simplest solution is to ensure that gadgetfs_fill_super() and
gadgetfs_kill_sb() are serialized by making them both acquire a new
mutex.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48869

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48870
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tty: fix possible null-ptr-defer in spk_ttyio_release

Run the following tests on the qemu platform:

syzkaller:~# modprobe speakup_audptr
 input: Speakup as /devices/virtual/input/input4
 initialized device: /dev/synth, node (MAJOR 10, MINOR 125)
 speakup 3.1.6: initialized
 synth name on entry is: (null)
 synth probe

spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned
failed (errno -16), then remove the module, we will get a null-ptr-defer
problem, as follow:

syzkaller:~# modprobe -r speakup_audptr
 releasing synth audptr
 BUG: kernel NULL pointer dereference, address: 0000000000000080
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD 0 P4D 0
 Oops: 0002 [#1] PREEMPT SMP PTI
 CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1
 RIP: 0010:mutex_lock+0x14/0x30
 Call Trace:
 <TASK>
  spk_ttyio_release+0x19/0x70 [speakup]
  synth_release.part.6+0xac/0xc0 [speakup]
  synth_remove+0x56/0x60 [speakup]
  __x64_sys_delete_module+0x156/0x250
  ? fpregs_assert_state_consistent+0x1d/0x50
  do_syscall_64+0x37/0x90
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 </TASK>
 Modules linked in: speakup_audptr(-) speakup
 Dumping ftrace buffer:

in_synth->dev was not initialized during modprobe, so we add check
for in_synth->dev to fix this bug.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48870

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48871
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on
default RX FIFO depth, e.g. 16.  Later during serial startup the
qcom_geni_serial_port_setup() updates the RX FIFO depth
(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.

The RX UART handle code will read "port->rx_fifo_depth" number of words
into "port->rx_fifo" buffer, thus exceeding the bounds.  This can be
observed in certain configurations with Qualcomm Bluetooth HCI UART
device and KASAN:

  Bluetooth: hci0: QCA Product ID   :0x00000010
  Bluetooth: hci0: QCA SOC Version  :0x400a0200
  Bluetooth: hci0: QCA ROM Version  :0x00000200
  Bluetooth: hci0: QCA Patch Version:0x00000d2b
  Bluetooth: hci0: QCA controller version 0x02000200
  Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv
  bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2
  Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)
  Bluetooth: hci0: QCA Failed to download patch (-2)
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c
  Write of size 4 at addr ffff279347d578c0 by task swapper/0/0

  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26
  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
  Call trace:
   dump_backtrace.part.0+0xe0/0xf0
   show_stack+0x18/0x40
   dump_stack_lvl+0x8c/0xb8
   print_report+0x188/0x488
   kasan_report+0xb4/0x100
   __asan_store4+0x80/0xa4
   handle_rx_uart+0xa8/0x18c
   qcom_geni_serial_handle_rx+0x84/0x9c
   qcom_geni_serial_isr+0x24c/0x760
   __handle_irq_event_percpu+0x108/0x500
   handle_irq_event+0x6c/0x110
   handle_fasteoi_irq+0x138/0x2cc
   generic_handle_domain_irq+0x48/0x64

If the RX FIFO depth changes after probe, be sure to resize the buffer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48871

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48872
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix use-after-free race condition for maps

It is possible that in between calling fastrpc_map_get() until
map->fl->lock is taken in fastrpc_free_map(), another thread can call
fastrpc_map_lookup() and get a reference to a map that is about to be
deleted.

Rewrite fastrpc_map_get() to only increase the reference count of a map
if it's non-zero. Propagate this to callers so they can know if a map is
about to be deleted.

Fixes this warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
...
Call trace:
 refcount_warn_saturate
 [fastrpc_map_get inlined]
 [fastrpc_map_lookup inlined]
 fastrpc_map_create
 fastrpc_internal_invoke
 fastrpc_device_ioctl
 __arm64_sys_ioctl
 invoke_syscall
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48872

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48873
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Don't remove map on creater_process and device_release

Do not remove the map from the list on error path in
fastrpc_init_create_process, instead call fastrpc_map_put, to avoid
use-after-free. Do not remove it on fastrpc_device_release either,
call fastrpc_map_put instead.

The fastrpc_free_map is the only proper place to remove the map.
This is called only after the reference count is 0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48873

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48874
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix use-after-free and race in fastrpc_map_find

Currently, there is a race window between the point when the mutex is
unlocked in fastrpc_map_lookup and the reference count increasing
(fastrpc_map_get) in fastrpc_map_find, which can also lead to
use-after-free.

So lets merge fastrpc_map_find into fastrpc_map_lookup which allows us
to both protect the maps list by also taking the &fl->lock spinlock and
the reference count, since the spinlock will be released only after.
Add take_ref argument to make this suitable for all callers.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48874

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48875
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: sdata can be NULL during AMPDU start

ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a
deauthentication is ongoing.

Here a trace triggering the race with the hostapd test
multi_ap_fronthaul_on_ap:

(gdb) list *drv_ampdu_action+0x46
0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).
391             int ret = -EOPNOTSUPP;
392
393             might_sleep();
394
395             sdata = get_bss_sdata(sdata);
396             if (!check_sdata_in_driver(sdata))
397                     return -EIO;
398
399             trace_drv_ampdu_action(local, sdata, params);
400

wlan0: moving STA 02:00:00:00:03:00 to state 3
wlan0: associated
wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)
wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0
wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)
wlan0: moving STA 02:00:00:00:03:00 to state 2
wlan0: moving STA 02:00:00:00:03:00 to state 1
wlan0: Removed STA 02:00:00:00:03:00
wlan0: Destroyed STA 02:00:00:00:03:00
BUG: unable to handle page fault for address: fffffffffffffb48
PGD 11814067 P4D 11814067 PUD 11816067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G        W          6.1.0-rc8-wt+ #59
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
Workqueue: phy3 ieee80211_ba_session_work [mac80211]
RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]
Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85
RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287
RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240
RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40
RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0
R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8
FS:  0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0
Call Trace:
 <TASK>
 ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]
 ieee80211_ba_session_work+0xff/0x2e0 [mac80211]
 process_one_work+0x29f/0x620
 worker_thread+0x4d/0x3d0
 ? process_one_work+0x620/0x620
 kthread+0xfb/0x120
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
 </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48875

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48876
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix initialization of rx->link and rx->link_sta

There are some codepaths that do not initialize rx->link_sta properly. This
causes a crash in places which assume that rx->link_sta is valid if rx->sta
is valid.
One known instance is triggered by __ieee80211_rx_h_amsdu being called from
fast-rx. It results in a crash like this one:

 BUG: kernel NULL pointer dereference, address: 00000000000000a8
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page PGD 0 P4D 0
 Oops: 0002 [#1] PREEMPT SMP PTI
 CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G            E      6.1.0-debian64x+1.7 #3
 Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014
 RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]
 Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48
       83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 <48> 83 84 d0 a8 00 00 00 01 41 8b 86 c0
       11 00 00 8d 50 fd 83 fa 01
 RSP: 0018:ffff999040803b10 EFLAGS: 00010286
 RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900
 R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000
 FS:  0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0
 Call Trace:
  <TASK>
  __ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]
  ? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
  ? __local_bh_enable_ip+0x3b/0xa0
  ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
  ? prepare_transfer+0x109/0x1a0 [xhci_hcd]
  ieee80211_rx_list+0xa80/0xda0 [mac80211]
  mt76_rx_complete+0x207/0x2e0 [mt76]
  mt76_rx_poll_complete+0x357/0x5a0 [mt76]
  mt76u_rx_worker+0x4f5/0x600 [mt76_usb]
  ? mt76_get_min_avg_rssi+0x140/0x140 [mt76]
  __mt76_worker_fn+0x50/0x80 [mt76]
  kthread+0xed/0x120
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x22/0x30

Since the initialization of rx->link and rx->link_sta is rather convoluted
and duplicated in many places, clean it up by using a helper function to
set it.

[remove unnecessary rx->sta->sta.mlo check]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48876

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48877
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: let's avoid panic if extent_tree is not created

This patch avoids the below panic.

pc : __lookup_extent_tree+0xd8/0x760
lr : f2fs_do_write_data_page+0x104/0x87c
sp : ffffffc010cbb3c0
x29: ffffffc010cbb3e0 x28: 0000000000000000
x27: ffffff8803e7f020 x26: ffffff8803e7ed40
x25: ffffff8803e7f020 x24: ffffffc010cbb460
x23: ffffffc010cbb480 x22: 0000000000000000
x21: 0000000000000000 x20: ffffffff22e90900
x19: 0000000000000000 x18: ffffffc010c5d080
x17: 0000000000000000 x16: 0000000000000020
x15: ffffffdb1acdbb88 x14: ffffff888759e2b0
x13: 0000000000000000 x12: ffffff802da49000
x11: 000000000a001200 x10: ffffff8803e7ed40
x9 : ffffff8023195800 x8 : ffffff802da49078
x7 : 0000000000000001 x6 : 0000000000000000
x5 : 0000000000000006 x4 : ffffffc010cbba28
x3 : 0000000000000000 x2 : ffffffc010cbb480
x1 : 0000000000000000 x0 : ffffff8803e7ed40
Call trace:
 __lookup_extent_tree+0xd8/0x760
 f2fs_do_write_data_page+0x104/0x87c
 f2fs_write_single_data_page+0x420/0xb60
 f2fs_write_cache_pages+0x418/0xb1c
 __f2fs_write_data_pages+0x428/0x58c
 f2fs_write_data_pages+0x30/0x40
 do_writepages+0x88/0x190
 __writeback_single_inode+0x48/0x448
 writeback_sb_inodes+0x468/0x9e8
 __writeback_inodes_wb+0xb8/0x2a4
 wb_writeback+0x33c/0x740
 wb_do_writeback+0x2b4/0x400
 wb_workfn+0xe4/0x34c
 process_one_work+0x24c/0x5bc
 worker_thread+0x3e8/0xa50
 kthread+0x150/0x1b4
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48877

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48878
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_qca: Fix driver shutdown on closed serdev

The driver shutdown callback (which sends EDL_SOC_RESET to the device
over serdev) should not be invoked when HCI device is not open (e.g. if
hci_dev_open_sync() failed), because the serdev and its TTY are not open
either.  Also skip this step if device is powered off
(qca_power_shutdown()).

The shutdown callback causes use-after-free during system reboot with
Qualcomm Atheros Bluetooth:

  Unable to handle kernel paging request at virtual address
  0072662f67726fd7
  ...
  CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G        W
  6.1.0-rt5-00325-g8a5f56bcfcca #8
  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
  Call trace:
   tty_driver_flush_buffer+0x4/0x30
   serdev_device_write_flush+0x24/0x34
   qca_serdev_shutdown+0x80/0x130 [hci_uart]
   device_shutdown+0x15c/0x260
   kernel_restart+0x48/0xac

KASAN report:

  BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50
  Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1

  CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted
  6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28
  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
  Call trace:
   dump_backtrace.part.0+0xdc/0xf0
   show_stack+0x18/0x30
   dump_stack_lvl+0x68/0x84
   print_report+0x188/0x488
   kasan_report+0xa4/0xf0
   __asan_load8+0x80/0xac
   tty_driver_flush_buffer+0x1c/0x50
   ttyport_write_flush+0x34/0x44
   serdev_device_write_flush+0x48/0x60
   qca_serdev_shutdown+0x124/0x274
   device_shutdown+0x1e8/0x350
   kernel_restart+0x48/0xb0
   __do_sys_reboot+0x244/0x2d0
   __arm64_sys_reboot+0x54/0x70
   invoke_syscall+0x60/0x190
   el0_svc_common.constprop.0+0x7c/0x160
   do_el0_svc+0x44/0xf0
   el0_svc+0x2c/0x6c
   el0t_64_sync_handler+0xbc/0x140
   el0t_64_sync+0x190/0x194
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48878

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48879
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

efi: fix NULL-deref in init error path

In cases where runtime services are not supported or have been disabled,
the runtime services workqueue will never have been allocated.

Do not try to destroy the workqueue unconditionally in the unlikely
event that EFI initialisation fails to avoid dereferencing a NULL
pointer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48879

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48881
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

platform/x86/amd: Fix refcount leak in amd_pmc_probe

pci_get_domain_bus_and_slot() takes reference, the caller should release
the reference by calling pci_dev_put() after use. Call pci_dev_put() in
the error path to fix this.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48881

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48882
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)

Upon updating MAC security entity (SecY) in hw offload path, the macsec
security association (SA) initialization routine is called. In case of
extended packet number (epn) is enabled the salt and ssci attributes are
retrieved using the MACsec driver rx_sa context which is unavailable when
updating a SecY property such as encoding-sa hence the null dereference.
Fix by using the provided SA to set those attributes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48882

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48885
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: Fix potential memory leak in ice_gnss_tty_write()

The ice_gnss_tty_write() return directly if the write_buf alloc failed,
leaking the cmd_buf.

Fix by free cmd_buf if write_buf alloc failed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48885

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48886
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: Add check for kzalloc

Add the check for the return value of kzalloc in order to avoid
NULL pointer dereference.
Moreover, use the goto-label to share the clean code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48886

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48887
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Remove rcu locks from user resources

User resource lookups used rcu to avoid two extra atomics. Unfortunately
the rcu paths were buggy and it was easy to make the driver crash by
submitting command buffers from two different threads. Because the
lookups never show up in performance profiles replace them with a
regular spin lock which fixes the races in accesses to those shared
resources.

Fixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and
seen crashes with apps using shared resources.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48887

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48888
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path

of_icc_get() alloc resources for path1, we should release it when not
need anymore. Early return when IS_ERR_OR_NULL(path0) may leak path1.
Defer getting path1 to fix this.

Patchwork: https://patchwork.freedesktop.org/patch/514264/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48888

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48889
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: Intel: sof-nau8825: fix module alias overflow

The maximum name length for a platform_device_id entry is 20 characters
including the trailing NUL byte. The sof_nau8825.c file exceeds that,
which causes an obscure error message:

sound/soc/intel/boards/snd-soc-sof_nau8825.mod.c:35:45: error: illegal character encoding in string literal [-Werror,-Winvalid-source-encoding]
MODULE_ALIAS("platform:adl_max98373_nau8825<U+0018><AA>");
                                                   ^~~~
include/linux/module.h:168:49: note: expanded from macro 'MODULE_ALIAS'
                                                ^~~~~~
include/linux/module.h:165:56: note: expanded from macro 'MODULE_INFO'
                                                       ^~~~
include/linux/moduleparam.h:26:47: note: expanded from macro '__MODULE_INFO'
                = __MODULE_INFO_PREFIX __stringify(tag) "=" info

I could not figure out how to make the module handling robust enough
to handle this better, but as a quick fix, using slightly shorter
names that are still unique avoids the build issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48889

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48890
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM

storvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(),
which in a confidential VM allocates swiotlb bounce buffers. If the I/O
submission fails in storvsc_do_io(), the I/O is typically retried by higher
level code, but the bounce buffer memory is never freed.  The mostly like
cause of I/O submission failure is a full VMBus channel ring buffer, which
is not uncommon under high I/O loads.  Eventually enough bounce buffer
memory leaks that the confidential VM can't do any I/O. The same problem
can arise in a non-confidential VM with kernel boot parameter
swiotlb=force.

Fix this by doing scsi_dma_unmap() in the case of an I/O submission
error, which frees the bounce buffer memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48890

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48891
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

regulator: da9211: Use irq handler when ready

If the system does not come from reset (like when it is kexec()), the
regulator might have an IRQ waiting for us.

If we enable the IRQ handler before its structures are ready, we crash.

This patch fixes:

[    1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078
[    1.316096] Call trace:
[    1.316101]  blocking_notifier_call_chain+0x20/0xa8
[    1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests
[    1.327823]  regulator_notifier_call_chain+0x1c/0x2c
[    1.327825]  da9211_irq_handler+0x68/0xf8
[    1.327829]  irq_thread+0x11c/0x234
[    1.327833]  kthread+0x13c/0x154
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48891

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48892
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sched/core: Fix use-after-free bug in dup_user_cpus_ptr()

Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
restricted on asymmetric systems"), the setting and clearing of
user_cpus_ptr are done under pi_lock for arm64 architecture. However,
dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
protection. Since sched_setaffinity() can be invoked from another
process, the process being modified may be undergoing fork() at
the same time.  When racing with the clearing of user_cpus_ptr in
__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
possibly double-free in arm64 kernel.

Commit 8f9ea86fdf99 ("sched: Always preserve the user requested
cpumask") fixes this problem as user_cpus_ptr, once set, will never
be cleared in a task's lifetime. However, this bug was re-introduced
in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in
do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in
do_set_cpus_allowed(). This time, it will affect all arches.

Fix this bug by always clearing the user_cpus_ptr of the newly
cloned/forked task before the copying process starts and check the
user_cpus_ptr state of the source task under pi_lock.

Note to stable, this patch won't be applicable to stable releases.
Just copy the new dup_user_cpus_ptr() function over.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48892

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48893
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gt: Cleanup partial engine discovery failures

If we abort driver initialisation in the middle of gt/engine discovery,
some engines will be fully setup and some not. Those incompletely setup
engines only have 'engine->release == NULL' and so will leak any of the
common objects allocated.

v2:
 - Drop the destroy_pinned_context() helper for now.  It's not really
   worth it with just a single callsite at the moment.  (Janusz)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48893

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48894
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu-v3: Don't unregister on shutdown

Similar to SMMUv2, this driver calls iommu_device_unregister() from the
shutdown path, which removes the IOMMU groups with no coordination
whatsoever with their users - shutdown methods are optional in device
drivers. This can lead to NULL pointer dereferences in those drivers'
DMA API calls, or worse.

Instead of calling the full arm_smmu_device_remove() from
arm_smmu_device_shutdown(), let's pick only the relevant function call -
arm_smmu_device_disable() - more or less the reverse of
arm_smmu_device_reset() - and call just that from the shutdown path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48894

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48895
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu: Don't unregister on shutdown

Michael Walle says he noticed the following stack trace while performing
a shutdown with "reboot -f". He suggests he got "lucky" and just hit the
correct spot for the reboot while there was a packet transmission in
flight.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930
Hardware name: Kontron KBox A-230-LS (DT)
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_map_page+0x9c/0x254
Call trace:
 iommu_get_dma_domain+0x14/0x20
 dma_map_page_attrs+0x1ec/0x250
 enetc_start_xmit+0x14c/0x10b0
 enetc_xmit+0x60/0xdc
 dev_hard_start_xmit+0xb8/0x210
 sch_direct_xmit+0x11c/0x420
 __dev_queue_xmit+0x354/0xb20
 ip6_finish_output2+0x280/0x5b0
 __ip6_finish_output+0x15c/0x270
 ip6_output+0x78/0x15c
 NF_HOOK.constprop.0+0x50/0xd0
 mld_sendpack+0x1bc/0x320
 mld_ifc_work+0x1d8/0x4dc
 process_one_work+0x1e8/0x460
 worker_thread+0x178/0x534
 kthread+0xe0/0xe4
 ret_from_fork+0x10/0x20
Code: d503201f f9416800 d503233f d50323bf (f9404c00)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt

This appears to be reproducible when the board has a fixed IP address,
is ping flooded from another host, and "reboot -f" is used.

The following is one more manifestation of the issue:

$ reboot -f
kvm: exiting hardware virtualization
cfg80211: failed to load regulatory.db
arm-smmu 5000000.iommu: disabling translation
sdhci-esdhc 2140000.mmc: Removing from iommu group 11
sdhci-esdhc 2150000.mmc: Removing from iommu group 12
fsl-edma 22c0000.dma-controller: Removing from iommu group 17
dwc3 3100000.usb: Removing from iommu group 9
dwc3 3110000.usb: Removing from iommu group 10
ahci-qoriq 3200000.sata: Removing from iommu group 2
fsl-qdma 8380000.dma-controller: Removing from iommu group 20
platform f080000.display: Removing from iommu group 0
etnaviv-gpu f0c0000.gpu: Removing from iommu group 1
etnaviv etnaviv: Removing from iommu group 1
caam_jr 8010000.jr: Removing from iommu group 13
caam_jr 8020000.jr: Removing from iommu group 14
caam_jr 8030000.jr: Removing from iommu group 15
caam_jr 8040000.jr: Removing from iommu group 16
fsl_enetc 0000:00:00.0: Removing from iommu group 4
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu:         GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.1: Removing from iommu group 5
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu:         GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu:         GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.2: Removing from iommu group 6
fsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8
mscc_felix 0000:00:00.5: Removing from iommu group 3
fsl_enetc 0000:00:00.6: Removing from iommu group 7
pcieport 0001:00:00.0: Removing from iommu group 18
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu:         GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
pcieport 0002:00:00.0: Removing from iommu group 19
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_unmap_page+0x38/0xe0
Call trace:
 iommu_get_dma_domain+0x14/0x20
 dma_unmap_page_attrs+0x38/0x1d0
 en
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48896
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ixgbe: fix pci device refcount leak

As the comment of pci_get_domain_bus_and_slot() says, it
returns a PCI device with refcount incremented, when finish
using it, the caller must decrement the reference count by
calling pci_dev_put().

In ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),
pci_dev_put() is called to avoid leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48896

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48897
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

arm64/mm: fix incorrect file_map_count for invalid pmd

The page table check trigger BUG_ON() unexpectedly when split hugepage:

 ------------[ cut here ]------------
 kernel BUG at mm/page_table_check.c:119!
 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
 Dumping ftrace buffer:
    (ftrace buffer empty)
 Modules linked in:
 CPU: 7 PID: 210 Comm: transhuge-stres Not tainted 6.1.0-rc3+ #748
 Hardware name: linux,dummy-virt (DT)
 pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : page_table_check_set.isra.0+0x398/0x468
 lr : page_table_check_set.isra.0+0x1c0/0x468
[...]
 Call trace:
  page_table_check_set.isra.0+0x398/0x468
  __page_table_check_pte_set+0x160/0x1c0
  __split_huge_pmd_locked+0x900/0x1648
  __split_huge_pmd+0x28c/0x3b8
  unmap_page_range+0x428/0x858
  unmap_single_vma+0xf4/0x1c8
  zap_page_range+0x2b0/0x410
  madvise_vma_behavior+0xc44/0xe78
  do_madvise+0x280/0x698
  __arm64_sys_madvise+0x90/0xe8
  invoke_syscall.constprop.0+0xdc/0x1d8
  do_el0_svc+0xf4/0x3f8
  el0_svc+0x58/0x120
  el0t_64_sync_handler+0xb8/0xc0
  el0t_64_sync+0x19c/0x1a0
[...]

On arm64, pmd_leaf() will return true even if the pmd is invalid due to
pmd_present_invalid() check. So in pmdp_invalidate() the file_map_count
will not only decrease once but also increase once. Then in set_pte_at(),
the file_map_count increase again, and so trigger BUG_ON() unexpectedly.

Add !pmd_present_invalid() check in pmd_user_accessible_page() to fix the
problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48897

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48898
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer

There are 3 possible interrupt sources are handled by DP controller,
HPDstatus, Controller state changes and Aux read/write transaction.
At every irq, DP controller have to check isr status of every interrupt
sources and service the interrupt if its isr status bits shows interrupts
are pending. There is potential race condition may happen at current aux
isr handler implementation since it is always complete dp_aux_cmd_fifo_tx()
even irq is not for aux read or write transaction. This may cause aux read
transaction return premature if host aux data read is in the middle of
waiting for sink to complete transferring data to host while irq happen.
This will cause host's receiving buffer contains unexpected data. This
patch fixes this problem by checking aux isr and return immediately at
aux isr handler if there are no any isr status bits set.

Current there is a bug report regrading eDP edid corruption happen during
system booting up. After lengthy debugging to found that VIDEO_READY
interrupt was continuously firing during system booting up which cause
dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data
from aux hardware buffer which is not yet contains complete data transfer
from sink. This cause edid corruption.

Follows are the signature at kernel logs when problem happen,
EDID has corrupt header
panel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID

Changes in v2:
-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()
-- add more commit text

Changes in v3:
-- add Stephen suggested
-- dp_aux_isr() return IRQ_XXX back to caller
-- dp_ctrl_isr() return IRQ_XXX back to caller

Changes in v4:
-- split into two patches

Changes in v5:
-- delete empty line between tags

Changes in v6:
-- remove extra "that" and fixed line more than 75 char at commit text

Patchwork: https://patchwork.freedesktop.org/patch/516121/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48898

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48899
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/virtio: Fix GEM handle creation UAF

Userspace can guess the handle value and try to race GEM object creation
with handle close, resulting in a use-after-free if we dereference the
object after dropping the handle's reference.  For that reason, dropping
the handle's reference must be done *after* we are done dereferencing
the object.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48899

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48901
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not start relocation until in progress drops are done

We hit a bug with a recovering relocation on mount for one of our file
systems in production.  I reproduced this locally by injecting errors
into snapshot delete with balance running at the same time.  This
presented as an error while looking up an extent item

  WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680
  CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8
  RIP: 0010:lookup_inline_extent_backref+0x647/0x680
  RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202
  RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000
  RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001
  R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000
  R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000
  FS:  0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0
  Call Trace:
   <TASK>
   insert_inline_extent_backref+0x46/0xd0
   __btrfs_inc_extent_ref.isra.0+0x5f/0x200
   ? btrfs_merge_delayed_refs+0x164/0x190
   __btrfs_run_delayed_refs+0x561/0xfa0
   ? btrfs_search_slot+0x7b4/0xb30
   ? btrfs_update_root+0x1a9/0x2c0
   btrfs_run_delayed_refs+0x73/0x1f0
   ? btrfs_update_root+0x1a9/0x2c0
   btrfs_commit_transaction+0x50/0xa50
   ? btrfs_update_reloc_root+0x122/0x220
   prepare_to_merge+0x29f/0x320
   relocate_block_group+0x2b8/0x550
   btrfs_relocate_block_group+0x1a6/0x350
   btrfs_relocate_chunk+0x27/0xe0
   btrfs_balance+0x777/0xe60
   balance_kthread+0x35/0x50
   ? btrfs_balance+0xe60/0xe60
   kthread+0x16b/0x190
   ? set_kthread_struct+0x40/0x40
   ret_from_fork+0x22/0x30
   </TASK>

Normally snapshot deletion and relocation are excluded from running at
the same time by the fs_info->cleaner_mutex.  However if we had a
pending balance waiting to get the ->cleaner_mutex, and a snapshot
deletion was running, and then the box crashed, we would come up in a
state where we have a half deleted snapshot.

Again, in the normal case the snapshot deletion needs to complete before
relocation can start, but in this case relocation could very well start
before the snapshot deletion completes, as we simply add the root to the
dead roots list and wait for the next time the cleaner runs to clean up
the snapshot.

Fix this by setting a bit on the fs_info if we have any DEAD_ROOT's that
had a pending drop_progress key.  If they do then we know we were in the
middle of the drop operation and set a flag on the fs_info.  Then
balance can wait until this flag is cleared to start up again.

If there are DEAD_ROOT's that don't have a drop_progress set then we're
safe to start balance right away as we'll be properly protected by the
cleaner_mutex.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48901

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48902
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not WARN_ON() if we have PageError set

Whenever we do any extent buffer operations we call
assert_eb_page_uptodate() to complain loudly if we're operating on an
non-uptodate page.  Our overnight tests caught this warning earlier this
week

  WARNING: CPU: 1 PID: 553508 at fs/btrfs/extent_io.c:6849 assert_eb_page_uptodate+0x3f/0x50
  CPU: 1 PID: 553508 Comm: kworker/u4:13 Tainted: G        W         5.17.0-rc3+ #564
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
  Workqueue: btrfs-cache btrfs_work_helper
  RIP: 0010:assert_eb_page_uptodate+0x3f/0x50
  RSP: 0018:ffffa961440a7c68 EFLAGS: 00010246
  RAX: 0017ffffc0002112 RBX: ffffe6e74453f9c0 RCX: 0000000000001000
  RDX: ffffe6e74467c887 RSI: ffffe6e74453f9c0 RDI: ffff8d4c5efc2fc0
  RBP: 0000000000000d56 R08: ffff8d4d4a224000 R09: 0000000000000000
  R10: 00015817fa9d1ef0 R11: 000000000000000c R12: 00000000000007b1
  R13: ffff8d4c5efc2fc0 R14: 0000000001500000 R15: 0000000001cb1000
  FS:  0000000000000000(0000) GS:ffff8d4dbbd00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007ff31d3448d8 CR3: 0000000118be8004 CR4: 0000000000370ee0
  Call Trace:

   extent_buffer_test_bit+0x3f/0x70
   free_space_test_bit+0xa6/0xc0
   load_free_space_tree+0x1f6/0x470
   caching_thread+0x454/0x630
   ? rcu_read_lock_sched_held+0x12/0x60
   ? rcu_read_lock_sched_held+0x12/0x60
   ? rcu_read_lock_sched_held+0x12/0x60
   ? lock_release+0x1f0/0x2d0
   btrfs_work_helper+0xf2/0x3e0
   ? lock_release+0x1f0/0x2d0
   ? finish_task_switch.isra.0+0xf9/0x3a0
   process_one_work+0x26d/0x580
   ? process_one_work+0x580/0x580
   worker_thread+0x55/0x3b0
   ? process_one_work+0x580/0x580
   kthread+0xf0/0x120
   ? kthread_complete_and_exit+0x20/0x20
   ret_from_fork+0x1f/0x30

This was partially fixed by c2e39305299f01 ("btrfs: clear extent buffer
uptodate when we fail to write it"), however all that fix did was keep
us from finding extent buffers after a failed writeout.  It didn't keep
us from continuing to use a buffer that we already had found.

In this case we're searching the commit root to cache the block group,
so we can start committing the transaction and switch the commit root
and then start writing.  After the switch we can look up an extent
buffer that hasn't been written yet and start processing that block
group.  Then we fail to write that block out and clear Uptodate on the
page, and then we start spewing these errors.

Normally we're protected by the tree lock to a certain degree here.  If
we read a block we have that block read locked, and we block the writer
from locking the block before we submit it for the write.  However this
isn't necessarily fool proof because the read could happen before we do
the submit_bio and after we locked and unlocked the extent buffer.

Also in this particular case we have path->skip_locking set, so that
won't save us here.  We'll simply get a block that was valid when we
read it, but became invalid while we were using it.

What we really want is to catch the case where we've "read" a block but
it's not marked Uptodate.  On read we ClearPageError(), so if we're
!Uptodate and !Error we know we didn't do the right thing for reading
the page.

Fix this by checking !Uptodate && !Error, this way we will not complain
if our buffer gets invalidated while we're using it, and we'll maintain
the spirit of the check which is to make sure we have a fully in-cache
block while we're messing with it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48902

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48903
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix relocation crash due to premature return from btrfs_commit_transaction()

We are seeing crashes similar to the following trace:

[38.969182] WARNING: CPU: 20 PID: 2105 at fs/btrfs/relocation.c:4070 btrfs_relocate_block_group+0x2dc/0x340 [btrfs]
[38.973556] CPU: 20 PID: 2105 Comm: btrfs Not tainted 5.17.0-rc4 #54
[38.974580] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[38.976539] RIP: 0010:btrfs_relocate_block_group+0x2dc/0x340 [btrfs]
[38.980336] RSP: 0000:ffffb0dd42e03c20 EFLAGS: 00010206
[38.981218] RAX: ffff96cfc4ede800 RBX: ffff96cfc3ce0000 RCX: 000000000002ca14
[38.982560] RDX: 0000000000000000 RSI: 4cfd109a0bcb5d7f RDI: ffff96cfc3ce0360
[38.983619] RBP: ffff96cfc309c000 R08: 0000000000000000 R09: 0000000000000000
[38.984678] R10: ffff96cec0000001 R11: ffffe84c80000000 R12: ffff96cfc4ede800
[38.985735] R13: 0000000000000000 R14: 0000000000000000 R15: ffff96cfc3ce0360
[38.987146] FS:  00007f11c15218c0(0000) GS:ffff96d6dfb00000(0000) knlGS:0000000000000000
[38.988662] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[38.989398] CR2: 00007ffc922c8e60 CR3: 00000001147a6001 CR4: 0000000000370ee0
[38.990279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[38.991219] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[38.992528] Call Trace:
[38.992854]  <TASK>
[38.993148]  btrfs_relocate_chunk+0x27/0xe0 [btrfs]
[38.993941]  btrfs_balance+0x78e/0xea0 [btrfs]
[38.994801]  ? vsnprintf+0x33c/0x520
[38.995368]  ? __kmalloc_track_caller+0x351/0x440
[38.996198]  btrfs_ioctl_balance+0x2b9/0x3a0 [btrfs]
[38.997084]  btrfs_ioctl+0x11b0/0x2da0 [btrfs]
[38.997867]  ? mod_objcg_state+0xee/0x340
[38.998552]  ? seq_release+0x24/0x30
[38.999184]  ? proc_nr_files+0x30/0x30
[38.999654]  ? call_rcu+0xc8/0x2f0
[39.000228]  ? __x64_sys_ioctl+0x84/0xc0
[39.000872]  ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs]
[39.001973]  __x64_sys_ioctl+0x84/0xc0
[39.002566]  do_syscall_64+0x3a/0x80
[39.003011]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[39.003735] RIP: 0033:0x7f11c166959b
[39.007324] RSP: 002b:00007fff2543e998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[39.008521] RAX: ffffffffffffffda RBX: 00007f11c1521698 RCX: 00007f11c166959b
[39.009833] RDX: 00007fff2543ea40 RSI: 00000000c4009420 RDI: 0000000000000003
[39.011270] RBP: 0000000000000003 R08: 0000000000000013 R09: 00007f11c16f94e0
[39.012581] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff25440df3
[39.014046] R13: 0000000000000000 R14: 00007fff2543ea40 R15: 0000000000000001
[39.015040]  </TASK>
[39.015418] ---[ end trace 0000000000000000 ]---
[43.131559] ------------[ cut here ]------------
[43.132234] kernel BUG at fs/btrfs/extent-tree.c:2717!
[43.133031] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[43.133702] CPU: 1 PID: 1839 Comm: btrfs Tainted: G        W         5.17.0-rc4 #54
[43.134863] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[43.136426] RIP: 0010:unpin_extent_range+0x37a/0x4f0 [btrfs]
[43.139913] RSP: 0000:ffffb0dd4216bc70 EFLAGS: 00010246
[43.140629] RAX: 0000000000000000 RBX: ffff96cfc34490f8 RCX: 0000000000000001
[43.141604] RDX: 0000000080000001 RSI: 0000000051d00000 RDI: 00000000ffffffff
[43.142645] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff96cfd07dca50
[43.143669] R10: ffff96cfc46e8a00 R11: fffffffffffec000 R12: 0000000041d00000
[43.144657] R13: ffff96cfc3ce0000 R14: ffffb0dd4216bd08 R15: 0000000000000000
[43.145686] FS:  00007f7657dd68c0(0000) GS:ffff96d6df640000(0000) knlGS:0000000000000000
[43.146808] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43.147584] CR2: 00007f7fe81bf5b0 CR3: 00000001093ee004 CR4: 0000000000370ee0
[43.148589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[43.149581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48903

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48904
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: Fix I/O page table memory leak

The current logic updates the I/O page table mode for the domain
before calling the logic to free memory used for the page table.
This results in IOMMU page table memory leak, and can be observed
when launching VM w/ pass-through devices.

Fix by freeing the memory used for page table before updating the mode.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48905
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ibmvnic: free reset-work-item when flushing

Fix a tiny memory leak when flushing the reset work queue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48905

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48906
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: Correctly set DATA_FIN timeout when number of retransmits is large

Syzkaller with UBSAN uncovered a scenario where a large number of
DATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN
timeout calculation:

================================================================================
UBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events mptcp_worker
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
 __ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330
 mptcp_set_datafin_timeout net/mptcp/protocol.c:470 [inline]
 __mptcp_retrans.cold+0x72/0x77 net/mptcp/protocol.c:2445
 mptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528
 process_one_work+0x9df/0x16d0 kernel/workqueue.c:2307
 worker_thread+0x95/0xe10 kernel/workqueue.c:2454
 kthread+0x2f4/0x3b0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
================================================================================

This change limits the maximum timeout by limiting the size of the
shift, which keeps all intermediate values in-bounds.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48906

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48907
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

auxdisplay: lcd2s: Fix memory leak in ->remove()

Once allocated the struct lcd2s_data is never freed.
Fix the memory leak by switching to devm_kzalloc().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48907

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48908
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()

During driver initialization, the pointer of card info, i.e. the
variable 'ci' is required. However, the definition of
'com20020pci_id_table' reveals that this field is empty for some
devices, which will cause null pointer dereference when initializing
these devices.

The following log reveals it:

[    3.973806] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[    3.973819] RIP: 0010:com20020pci_probe+0x18d/0x13e0 [com20020_pci]
[    3.975181] Call Trace:
[    3.976208]  local_pci_probe+0x13f/0x210
[    3.977248]  pci_device_probe+0x34c/0x6d0
[    3.977255]  ? pci_uevent+0x470/0x470
[    3.978265]  really_probe+0x24c/0x8d0
[    3.978273]  __driver_probe_device+0x1b3/0x280
[    3.979288]  driver_probe_device+0x50/0x370

Fix this by checking whether the 'ci' is a null pointer first.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48908

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48909
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix connection leak

There's a potential leak issue under following execution sequence :

smc_release  				smc_connect_work
if (sk->sk_state == SMC_INIT)
					send_clc_confirim
	tcp_abort();
					...
					sk.sk_state = SMC_ACTIVE
smc_close_active
switch(sk->sk_state) {
...
case SMC_ACTIVE:
	smc_close_final()
	// then wait peer closed

Unfortunately, tcp_abort() may discard CLC CONFIRM messages that are
still in the tcp send buffer, in which case our connection token cannot
be delivered to the server side, which means that we cannot get a
passive close message at all. Therefore, it is impossible for the to be
disconnected at all.

This patch tries a very simple way to avoid this issue, once the state
has changed to SMC_ACTIVE after tcp_abort(), we can actively abort the
smc connection, considering that the state is SMC_INIT before
tcp_abort(), abandoning the complete disconnection process should not
cause too much problem.

In fact, this problem may exist as long as the CLC CONFIRM message is
not received by the server. Whether a timer should be added after
smc_close_final() needs to be discussed in the future. But even so, this
patch provides a faster release for connection in above case, it should
also be valuable.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48910
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: ensure we call ipv6_mc_down() at most once

There are two reasons for addrconf_notify() to be called with NETDEV_DOWN:
either the network device is actually going down, or IPv6 was disabled
on the interface.

If either of them stays down while the other is toggled, we repeatedly
call the code for NETDEV_DOWN, including ipv6_mc_down(), while never
calling the corresponding ipv6_mc_up() in between. This will cause a
new entry in idev->mc_tomb to be allocated for each multicast group
the interface is subscribed to, which in turn leaks one struct ifmcaddr6
per nontrivial multicast group the interface is subscribed to.

The following reproducer will leak at least $n objects:

ip addr add ff2e::4242/32 dev eth0 autojoin
sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
for i in $(seq 1 $n); do
	ip link set up eth0; ip link set down eth0
done

Joining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the
sysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2)
can also be used to create a nontrivial idev->mc_list, which will the
leak objects with the right up-down-sequence.

Based on both sources for NETDEV_DOWN events the interface IPv6 state
should be considered:

 - not ready if the network interface is not ready OR IPv6 is disabled
   for it
 - ready if the network interface is ready AND IPv6 is enabled for it

The functions ipv6_mc_up() and ipv6_down() should only be run when this
state changes.

Implement this by remembering when the IPv6 state is ready, and only
run ipv6_mc_down() if it actually changed from ready to not ready.

The other direction (not ready -> ready) already works correctly, as:

 - the interface notification triggered codepath for NETDEV_UP /
   NETDEV_CHANGE returns early if ipv6 is disabled, and
 - the disable_ipv6=0 triggered codepath skips fully initializing the
   interface as long as addrconf_link_ready(dev) returns false
 - calling ipv6_mc_up() repeatedly does not leak anything
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48911
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_queue: fix possible use-after-free

Eric Dumazet says:
  The sock_hold() side seems suspect, because there is no guarantee
  that sk_refcnt is not already 0.

On failure, we cannot queue the packet and need to indicate an
error.  The packet will be dropped by the caller.

v2: split skb prefetch hunk into separate change
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48912
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: fix use-after-free in __nf_register_net_hook()

We must not dereference @new_hooks after nf_hook_mutex has been released,
because other threads might have freed our allocated hooks already.

BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]
BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430

CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
 hooks_validate net/netfilter/core.c:171 [inline]
 __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571
 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587
 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218
 synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038
 check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]
 find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573
 translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735
 do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]
 do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024
 rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084
 __sys_setsockopt+0x2db/0x610 net/socket.c:2180
 __do_sys_setsockopt net/socket.c:2191 [inline]
 __se_sys_setsockopt net/socket.c:2188 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f65a1ace7d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130
R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000
 </TASK>

The buggy address belongs to the page:
page:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 alloc_pages_node include/linux/gfp.h:595 [inline]
 kmalloc_large_node+0x62/0x130 mm/slub.c:4438
 __kmalloc_node+0x35a/0x4a0 mm/slub.
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48913
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

blktrace: fix use after free for struct blk_trace

When tracing the whole disk, 'dropped' and 'msg' will be created
under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free()
won't remove those files. What's worse, the following UAF can be
triggered because of accessing stale 'dropped' and 'msg':

==================================================================
BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100
Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188

CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4
Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x44
 print_address_description.constprop.0.cold+0xab/0x381
 ? blk_dropped_read+0x89/0x100
 ? blk_dropped_read+0x89/0x100
 kasan_report.cold+0x83/0xdf
 ? blk_dropped_read+0x89/0x100
 kasan_check_range+0x140/0x1b0
 blk_dropped_read+0x89/0x100
 ? blk_create_buf_file_callback+0x20/0x20
 ? kmem_cache_free+0xa1/0x500
 ? do_sys_openat2+0x258/0x460
 full_proxy_read+0x8f/0xc0
 vfs_read+0xc6/0x260
 ksys_read+0xb9/0x150
 ? vfs_write+0x3d0/0x3d0
 ? fpregs_assert_state_consistent+0x55/0x60
 ? exit_to_user_mode_prepare+0x39/0x1e0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fbc080d92fd
Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1
RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd
RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045
RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd
R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0
R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8
 </TASK>

Allocated by task 1050:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 do_blk_trace_setup+0xcb/0x410
 __blk_trace_setup+0xac/0x130
 blk_trace_ioctl+0xe9/0x1c0
 blkdev_ioctl+0xf1/0x390
 __x64_sys_ioctl+0xa5/0xe0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 1050:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x103/0x180
 kfree+0x9a/0x4c0
 __blk_trace_remove+0x53/0x70
 blk_trace_ioctl+0x199/0x1c0
 blkdev_common_ioctl+0x5e9/0xb30
 blkdev_ioctl+0x1a5/0x390
 __x64_sys_ioctl+0xa5/0xe0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88816912f380
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 88 bytes inside of
 96-byte region [ffff88816912f380, ffff88816912f3e0)
The buggy address belongs to the page:
page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f
flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                    ^
 ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48914
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xen/netfront: destroy queues before real_num_tx_queues is zeroed

xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to
delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5
("net-sysfs: update the queue counts in the unregistration path"),
unregister_netdev() indirectly sets real_num_tx_queues to 0. Those two
facts together means, that xennet_destroy_queues() called from
xennet_remove() cannot do its job, because it's called after
unregister_netdev(). This results in kfree-ing queues that are still
linked in napi, which ultimately crashes:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: 0000 [#1] PREEMPT SMP PTI
    CPU: 1 PID: 52 Comm: xenwatch Tainted: G        W         5.16.10-1.32.fc32.qubes.x86_64+ #226
    RIP: 0010:free_netdev+0xa3/0x1a0
    Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00
    RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286
    RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000
    RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff
    RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050
    R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680
    FS:  0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0
    Call Trace:
     <TASK>
     xennet_remove+0x13d/0x300 [xen_netfront]
     xenbus_dev_remove+0x6d/0xf0
     __device_release_driver+0x17a/0x240
     device_release_driver+0x24/0x30
     bus_remove_device+0xd8/0x140
     device_del+0x18b/0x410
     ? _raw_spin_unlock+0x16/0x30
     ? klist_iter_exit+0x14/0x20
     ? xenbus_dev_request_and_reply+0x80/0x80
     device_unregister+0x13/0x60
     xenbus_dev_changed+0x18e/0x1f0
     xenwatch_thread+0xc0/0x1a0
     ? do_wait_intr_irq+0xa0/0xa0
     kthread+0x16b/0x190
     ? set_kthread_struct+0x40/0x40
     ret_from_fork+0x22/0x30
     </TASK>

Fix this by calling xennet_destroy_queues() from xennet_uninit(),
when real_num_tx_queues is still available. This ensures that queues are
destroyed when real_num_tx_queues is set to 0, regardless of how
unregister_netdev() was called.

Originally reported at
https://github.com/QubesOS/qubes-issues/issues/7257
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48915
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Fix TZ_GET_TRIP NULL pointer dereference

Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if
the thermal zone does not define one.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48915

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48916
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix double list_add when enabling VMD in scalable mode

When enabling VMD and IOMMU scalable mode, the following kernel panic
call trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids
CPU) during booting:

pci 0000:59:00.5: Adding to iommu group 42
...
vmd 0000:59:00.5: PCI host bridge to bus 10000:80
pci 10000:80:01.0: [8086:352a] type 01 class 0x060400
pci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]
pci 10000:80:01.0: enabling Extended Tags
pci 10000:80:01.0: PME# supported from D0 D3hot D3cold
pci 10000:80:01.0: DMAR: Setup RID2PASID failed
pci 10000:80:01.0: Failed to add to iommu group 42: -16
pci 10000:80:03.0: [8086:352b] type 01 class 0x060400
pci 10000:80:03.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]
pci 10000:80:03.0: enabling Extended Tags
pci 10000:80:03.0: PME# supported from D0 D3hot D3cold
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:29!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.17.0-rc3+ #7
Hardware name: Lenovo ThinkSystem SR650V3/SB27A86647, BIOS ESE101Y-1.00 01/13/2022
Workqueue: events work_for_cpu_fn
RIP: 0010:__list_add_valid.cold+0x26/0x3f
Code: 9a 4a ab ff 4c 89 c1 48 c7 c7 40 0c d9 9e e8 b9 b1 fe ff 0f
      0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 f0 0c d9 9e e8 a2 b1
      fe ff <0f> 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 98 0c d9
      9e e8 8b b1 fe
RSP: 0000:ff5ad434865b3a40 EFLAGS: 00010246
RAX: 0000000000000058 RBX: ff4d61160b74b880 RCX: ff4d61255e1fffa8
RDX: 0000000000000000 RSI: 00000000fffeffff RDI: ffffffff9fd34f20
RBP: ff4d611d8e245c00 R08: 0000000000000000 R09: ff5ad434865b3888
R10: ff5ad434865b3880 R11: ff4d61257fdc6fe8 R12: ff4d61160b74b8a0
R13: ff4d61160b74b8a0 R14: ff4d611d8e245c10 R15: ff4d611d8001ba70
FS:  0000000000000000(0000) GS:ff4d611d5ea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ff4d611fa1401000 CR3: 0000000aa0210001 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 intel_pasid_alloc_table+0x9c/0x1d0
 dmar_insert_one_dev_info+0x423/0x540
 ? device_to_iommu+0x12d/0x2f0
 intel_iommu_attach_device+0x116/0x290
 __iommu_attach_device+0x1a/0x90
 iommu_group_add_device+0x190/0x2c0
 __iommu_probe_device+0x13e/0x250
 iommu_probe_device+0x24/0x150
 iommu_bus_notifier+0x69/0x90
 blocking_notifier_call_chain+0x5a/0x80
 device_add+0x3db/0x7b0
 ? arch_memremap_can_ram_remap+0x19/0x50
 ? memremap+0x75/0x140
 pci_device_add+0x193/0x1d0
 pci_scan_single_device+0xb9/0xf0
 pci_scan_slot+0x4c/0x110
 pci_scan_child_bus_extend+0x3a/0x290
 vmd_enable_domain.constprop.0+0x63e/0x820
 vmd_probe+0x163/0x190
 local_pci_probe+0x42/0x80
 work_for_cpu_fn+0x13/0x20
 process_one_work+0x1e2/0x3b0
 worker_thread+0x1c4/0x3a0
 ? rescuer_thread+0x370/0x370
 kthread+0xc7/0xf0
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x1f/0x30
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
...
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x1ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---

The following 'lspci' output shows devices '10000:80:*' are subdevices of
the VMD device 0000:59:00.5:

  $ lspci
  ...
  0000:59:00.5 RAID bus controller: Intel Corporation Volume Management Device NVMe RAID Controller (rev 20)
  ...
  10000:80:01.0 PCI bridge: Intel Corporation Device 352a (rev 03)
  10000:80:03.0 PCI bridge: Intel Corporation Device 352b (rev 03)
  10000:80:05.0 PCI bridge: Intel Corporation Device 352c (rev 03)
  10000:80:07.0 PCI bridge: Intel Corporation Device 352d (rev 03)
  10000:81:00.0 Non-Volatile memory controller: Intel Corporation NVMe Datacenter SSD [3DNAND, Beta Rock Controller]
  10000:82:00
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48916

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48917
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min

While the $val/$val2 values passed in from userspace are always >= 0
integers, the limits of the control can be signed integers and the $min
can be non-zero and less than zero. To correctly validate $val/$val2
against platform_max, add the $min offset to val first.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48917

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48918
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iwlwifi: mvm: check debugfs_dir ptr before use

When "debugfs=off" is used on the kernel command line, iwiwifi's
mvm module uses an invalid/unchecked debugfs_dir pointer and causes
a BUG:

 BUG: kernel NULL pointer dereference, address: 000000000000004f
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP
 CPU: 1 PID: 503 Comm: modprobe Tainted: G        W         5.17.0-rc5 #7
 Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021
 RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm]
 Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73
 RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246
 RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328
 RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c
 RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620
 R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000
 R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320
 FS:  00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0
 PKRU: 55555554
 Call Trace:
  <TASK>
  ? iwl_mvm_mac_setup_register+0xbdc/0xda0 [iwlmvm]
  iwl_mvm_start_post_nvm+0x71/0x100 [iwlmvm]
  iwl_op_mode_mvm_start+0xab8/0xb30 [iwlmvm]
  _iwl_op_mode_start+0x6f/0xd0 [iwlwifi]
  iwl_opmode_register+0x6a/0xe0 [iwlwifi]
  ? 0xffffffffa0231000
  iwl_mvm_init+0x35/0x1000 [iwlmvm]
  ? 0xffffffffa0231000
  do_one_initcall+0x5a/0x1b0
  ? kmem_cache_alloc+0x1e5/0x2f0
  ? do_init_module+0x1e/0x220
  do_init_module+0x48/0x220
  load_module+0x2602/0x2bc0
  ? __kernel_read+0x145/0x2e0
  ? kernel_read_file+0x229/0x290
  __do_sys_finit_module+0xc5/0x130
  ? __do_sys_finit_module+0xc5/0x130
  __x64_sys_finit_module+0x13/0x20
  do_syscall_64+0x38/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f64dda564dd
 Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48
 RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd
 RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001
 RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002
 R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2
 R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018
  </TASK>
 Modules linked in: btintel(+) btmtk bluetooth vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek snd_hda_codec_generic iwlmvm(+) snd_sof_pci_intel_tgl mac80211 snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence soundwire_bus snd_sof_intel_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core btrfs snd_compress snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec raid6_pq iwlwifi snd_hda_core snd_pcm snd_timer snd soundcore cfg80211 intel_ish_ipc(+) thunderbolt rfkill intel_ishtp ucsi_acpi wmi i2c_hid_acpi i2c_hid evdev
 CR2: 000000000000004f
 ---[ end trace 0000000000000000 ]---

Check the debugfs_dir pointer for an error before using it.

[change to make both conditional]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48918

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48919
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cifs: fix double free race when mount fails in cifs_get_root()

When cifs_get_root() fails during cifs_smb3_do_mount() we call
deactivate_locked_super() which eventually will call delayed_free() which
will free the context.
In this situation we should not proceed to enter the out: section in
cifs_smb3_do_mount() and free the same resources a second time.

[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0

[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G           OE     5.17.0-rc3+ #4
[Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019
[Thu Feb 10 12:59:06 2022] Call Trace:
[Thu Feb 10 12:59:06 2022]  <IRQ>
[Thu Feb 10 12:59:06 2022]  dump_stack_lvl+0x5d/0x78
[Thu Feb 10 12:59:06 2022]  print_address_description.constprop.0+0x24/0x150
[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  kasan_report.cold+0x7d/0x117
[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  __asan_load8+0x86/0xa0
[Thu Feb 10 12:59:06 2022]  rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022]  rcu_core+0x547/0xca0
[Thu Feb 10 12:59:06 2022]  ? call_rcu+0x3c0/0x3c0
[Thu Feb 10 12:59:06 2022]  ? __this_cpu_preempt_check+0x13/0x20
[Thu Feb 10 12:59:06 2022]  ? lock_is_held_type+0xea/0x140
[Thu Feb 10 12:59:06 2022]  rcu_core_si+0xe/0x10
[Thu Feb 10 12:59:06 2022]  __do_softirq+0x1d4/0x67b
[Thu Feb 10 12:59:06 2022]  __irq_exit_rcu+0x100/0x150
[Thu Feb 10 12:59:06 2022]  irq_exit_rcu+0xe/0x30
[Thu Feb 10 12:59:06 2022]  sysvec_hyperv_stimer0+0x9d/0xc0
...
[Thu Feb 10 12:59:07 2022] Freed by task 58179:
[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022]  kasan_set_track+0x25/0x30
[Thu Feb 10 12:59:07 2022]  kasan_set_free_info+0x24/0x40
[Thu Feb 10 12:59:07 2022]  ____kasan_slab_free+0x137/0x170
[Thu Feb 10 12:59:07 2022]  __kasan_slab_free+0x12/0x20
[Thu Feb 10 12:59:07 2022]  slab_free_freelist_hook+0xb3/0x1d0
[Thu Feb 10 12:59:07 2022]  kfree+0xcd/0x520
[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0x149/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae

[Thu Feb 10 12:59:07 2022] Last potentially related work creation:
[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022]  __kasan_record_aux_stack+0xb6/0xc0
[Thu Feb 10 12:59:07 2022]  kasan_record_aux_stack_noalloc+0xb/0x10
[Thu Feb 10 12:59:07 2022]  call_rcu+0x76/0x3c0
[Thu Feb 10 12:59:07 2022]  cifs_umount+0xce/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022]  cifs_kill_sb+0xc8/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022]  deactivate_locked_super+0x5d/0xd0
[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0xab9/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48919

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48920
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: get rid of warning on transaction commit when using flushoncommit

When using the flushoncommit mount option, during almost every transaction
commit we trigger a warning from __writeback_inodes_sb_nr():

  $ cat fs/fs-writeback.c:
  (...)
  static void __writeback_inodes_sb_nr(struct super_block *sb, ...
  {
        (...)
        WARN_ON(!rwsem_is_locked(&sb->s_umount));
        (...)
  }
  (...)

The trace produced in dmesg looks like the following:

  [947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3
  [947.481623] Modules linked in: nfsd nls_cp437 cifs asn1_decoder cifs_arc4 fscache cifs_md4 ipmi_ssif
  [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti Not tainted 95.16.3-srb-asrock-00001-g36437ad63879 #186
  [947.497969] RIP: 0010:__writeback_inodes_sb_nr+0x7e/0xb3
  [947.502097] Code: 24 10 4c 89 44 24 18 c6 (...)
  [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246
  [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 RCX: 0000000000000000
  [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50
  [947.535740] RBP: ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000
  [947.541701] R10: 0000000000000002 R11: 0000000000000001 R12: ffff888100963488
  [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460
  [947.553621] FS:  0000000000000000(0000) GS:ffff88841fd40000(0000) knlGS:0000000000000000
  [947.560537] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e0
  [947.571072] Call Trace:
  [947.572354]  <TASK>
  [947.573266]  btrfs_commit_transaction+0x1f1/0x998
  [947.576785]  ? start_transaction+0x3ab/0x44e
  [947.579867]  ? schedule_timeout+0x8a/0xdd
  [947.582716]  transaction_kthread+0xe9/0x156
  [947.585721]  ? btrfs_cleanup_transaction.isra.0+0x407/0x407
  [947.590104]  kthread+0x131/0x139
  [947.592168]  ? set_kthread_struct+0x32/0x32
  [947.595174]  ret_from_fork+0x22/0x30
  [947.597561]  </TASK>
  [947.598553] ---[ end trace 644721052755541c ]---

This is because we started using writeback_inodes_sb() to flush delalloc
when committing a transaction (when using -o flushoncommit), in order to
avoid deadlocks with filesystem freeze operations. This change was made
by commit ce8ea7cc6eb313 ("btrfs: don't call btrfs_start_delalloc_roots
in flushoncommit"). After that change we started producing that warning,
and every now and then a user reports this since the warning happens too
often, it spams dmesg/syslog, and a user is unsure if this reflects any
problem that might compromise the filesystem's reliability.

We can not just lock the sb->s_umount semaphore before calling
writeback_inodes_sb(), because that would at least deadlock with
filesystem freezing, since at fs/super.c:freeze_super() sync_filesystem()
is called while we are holding that semaphore in write mode, and that can
trigger a transaction commit, resulting in a deadlock. It would also
trigger the same type of deadlock in the unmount path. Possibly, it could
also introduce some other locking dependencies that lockdep would report.

To fix this call try_to_writeback_inodes_sb() instead of
writeback_inodes_sb(), because that will try to read lock sb->s_umount
and then will only call writeback_inodes_sb() if it was able to lock it.
This is fine because the cases where it can't read lock sb->s_umount
are during a filesystem unmount or during a filesystem freeze - in those
cases sb->s_umount is write locked and sync_filesystem() is called, which
calls writeback_inodes_sb(). In other words, in all cases where we can't
take a read lock on sb->s_umount, writeback is already being triggered
elsewhere.

An alternative would be to call btrfs_start_delalloc_roots() with a
number of pages different from LONG_MAX, for example matching the number
of delalloc bytes we currently have, in 
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48920

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48921
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix fault in reweight_entity

Syzbot found a GPF in reweight_entity. This has been bisected to
commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid
sched_task_group")

There is a race between sched_post_fork() and setpriority(PRIO_PGRP)
within a thread group that causes a null-ptr-deref in
reweight_entity() in CFS. The scenario is that the main process spawns
number of new threads, which then call setpriority(PRIO_PGRP, 0, -20),
wait, and exit.  For each of the new threads the copy_process() gets
invoked, which adds the new task_struct and calls sched_post_fork()
for it.

In the above scenario there is a possibility that
setpriority(PRIO_PGRP) and set_one_prio() will be called for a thread
in the group that is just being created by copy_process(), and for
which the sched_post_fork() has not been executed yet. This will
trigger a null pointer dereference in reweight_entity(), as it will
try to access the run queue pointer, which hasn't been set.

Before the mentioned change the cfs_rq pointer for the task  has been
set in sched_fork(), which is called much earlier in copy_process(),
before the new task is added to the thread_group.  Now it is done in
the sched_post_fork(), which is called after that.  To fix the issue
the remove the update_load param from the update_load param() function
and call reweight_task() only if the task flag doesn't have the
TASK_NEW flag set.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48921

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48922
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

riscv: fix oops caused by irqsoff latency tracer

The trace_hardirqs_{on,off}() require the caller to setup frame pointer
properly. This because these two functions use macro 'CALLER_ADDR1' (aka.
__builtin_return_address(1)) to acquire caller info. If the $fp is used
for other purpose, the code generated this macro (as below) could trigger
memory access fault.

   0xffffffff8011510e <+80>:    ld      a1,-16(s0)
   0xffffffff80115112 <+84>:    ld      s2,-8(a1)  # <-- paging fault here

The oops message during booting if compiled with 'irqoff' tracer enabled:
[    0.039615][    T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8
[    0.041925][    T0] Oops [#1]
[    0.042063][    T0] Modules linked in:
[    0.042864][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29
[    0.043568][    T0] Hardware name: riscv-virtio,qemu (DT)
[    0.044343][    T0] epc : trace_hardirqs_on+0x56/0xe2
[    0.044601][    T0]  ra : restore_all+0x12/0x6e
[    0.044721][    T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0
[    0.044801][    T0]  gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020
[    0.044882][    T0]  t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0
[    0.044967][    T0]  s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100
[    0.045046][    T0]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000
[    0.045124][    T0]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45
[    0.045210][    T0]  s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50
[    0.045289][    T0]  s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8
[    0.045389][    T0]  s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000
[    0.045474][    T0]  s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000
[    0.045548][    T0]  t5 : 0000000000000000 t6 : ffffffff814aa368
[    0.045620][    T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d
[    0.046402][    T0] [<ffffffff80003b94>] restore_all+0x12/0x6e

This because the $fp(aka. $s0) register is not used as frame pointer in the
assembly entry code.

	resume_kernel:
		REG_L s0, TASK_TI_PREEMPT_COUNT(tp)
		bnez s0, restore_all
		REG_L s0, TASK_TI_FLAGS(tp)
                andi s0, s0, _TIF_NEED_RESCHED
                beqz s0, restore_all
                call preempt_schedule_irq
                j restore_all

To fix above issue, here we add one extra level wrapper for function
trace_hardirqs_{on,off}() so they can be safely called by low level entry
code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48922

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48923
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: prevent copying too big compressed lzo segment

Compressed length can be corrupted to be a lot larger than memory
we have allocated for buffer.
This will cause memcpy in copy_compressed_segment to write outside
of allocated memory.

This mostly results in stuck read syscall but sometimes when using
btrfs send can get #GP

  kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI
  kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P           OE     5.17.0-rc2-1 #12
  kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs]
  kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs
  Code starting with the faulting instruction
  ===========================================
     0:*  48 8b 06                mov    (%rsi),%rax              <-- trapping instruction
     3:   48 8d 79 08             lea    0x8(%rcx),%rdi
     7:   48 83 e7 f8             and    $0xfffffffffffffff8,%rdi
     b:   48 89 01                mov    %rax,(%rcx)
     e:   44 89 f0                mov    %r14d,%eax
    11:   48 8b 54 06 f8          mov    -0x8(%rsi,%rax,1),%rdx
  kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212
  kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8
  kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d
  kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000
  kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000
  kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000
  kernel: FS:  0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000
  kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0
  kernel: Call Trace:
  kernel:  <TASK>
  kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs
  kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs
  kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs
  kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)
  kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455)
  kernel: ? process_one_work (kernel/workqueue.c:2397)
  kernel: kthread (kernel/kthread.c:377)
  kernel: ? kthread_complete_and_exit (kernel/kthread.c:332)
  kernel: ret_from_fork (arch/x86/entry/entry_64.S:301)
  kernel:  </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48923

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48924
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal: int340x: fix memory leak in int3400_notify()

It is easy to hit the below memory leaks in my TigerLake platform:

unreferenced object 0xffff927c8b91dbc0 (size 32):
  comm "kworker/0:2", pid 112, jiffies 4294893323 (age 83.604s)
  hex dump (first 32 bytes):
    4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65  NAME=INT3400 The
    72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  rmal.kkkkkkkkkk.
  backtrace:
    [<ffffffff9c502c3e>] __kmalloc_track_caller+0x2fe/0x4a0
    [<ffffffff9c7b7c15>] kvasprintf+0x65/0xd0
    [<ffffffff9c7b7d6e>] kasprintf+0x4e/0x70
    [<ffffffffc04cb662>] int3400_notify+0x82/0x120 [int3400_thermal]
    [<ffffffff9c8b7358>] acpi_ev_notify_dispatch+0x54/0x71
    [<ffffffff9c88f1a7>] acpi_os_execute_deferred+0x17/0x30
    [<ffffffff9c2c2c0a>] process_one_work+0x21a/0x3f0
    [<ffffffff9c2c2e2a>] worker_thread+0x4a/0x3b0
    [<ffffffff9c2cb4dd>] kthread+0xfd/0x130
    [<ffffffff9c201c1f>] ret_from_fork+0x1f/0x30

Fix it by calling kfree() accordingly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48924

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48925
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Do not change route.addr.src_addr outside state checks

If the state is not idle then resolve_prepare_src() should immediately
fail and no change to global state should happen. However, it
unconditionally overwrites the src_addr trying to build a temporary any
address.

For instance if the state is already RDMA_CM_LISTEN then this will corrupt
the src_addr and would cause the test in cma_cancel_operation():

           if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)

Which would manifest as this trace from syzkaller:

  BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
  Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204

  CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:79 [inline]
   dump_stack+0x141/0x1d7 lib/dump_stack.c:120
   print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
   __kasan_report mm/kasan/report.c:399 [inline]
   kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
   __list_add_valid+0x93/0xa0 lib/list_debug.c:26
   __list_add include/linux/list.h:67 [inline]
   list_add_tail include/linux/list.h:100 [inline]
   cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]
   rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751
   ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102
   ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732
   vfs_write+0x28e/0xa30 fs/read_write.c:603
   ksys_write+0x1ee/0x250 fs/read_write.c:658
   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
   entry_SYSCALL_64_after_hwframe+0x44/0xae

This is indicating that an rdma_id_private was destroyed without doing
cma_cancel_listens().

Instead of trying to re-use the src_addr memory to indirectly create an
any address derived from the dst build one explicitly on the stack and
bind to that as any other normal flow would do. rdma_bind_addr() will copy
it over the src_addr once it knows the state is valid.

This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change
route.addr.src_addr.ss_family")
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48925

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48926
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: rndis: add spinlock for rndis response list

There's no lock for rndis response list. It could cause list corruption
if there're two different list_add at the same time like below.
It's better to add in rndis_add_response / rndis_free_response
/ rndis_get_next_response to prevent any race condition on response list.

[  361.894299] [1:   irq/191-dwc3:16979] list_add corruption.
next->prev should be prev (ffffff80651764d0),
but was ffffff883dc36f80. (next=ffffff80651764d0).

[  361.904380] [1:   irq/191-dwc3:16979] Call trace:
[  361.904391] [1:   irq/191-dwc3:16979]  __list_add_valid+0x74/0x90
[  361.904401] [1:   irq/191-dwc3:16979]  rndis_msg_parser+0x168/0x8c0
[  361.904409] [1:   irq/191-dwc3:16979]  rndis_command_complete+0x24/0x84
[  361.904417] [1:   irq/191-dwc3:16979]  usb_gadget_giveback_request+0x20/0xe4
[  361.904426] [1:   irq/191-dwc3:16979]  dwc3_gadget_giveback+0x44/0x60
[  361.904434] [1:   irq/191-dwc3:16979]  dwc3_ep0_complete_data+0x1e8/0x3a0
[  361.904442] [1:   irq/191-dwc3:16979]  dwc3_ep0_interrupt+0x29c/0x3dc
[  361.904450] [1:   irq/191-dwc3:16979]  dwc3_process_event_entry+0x78/0x6cc
[  361.904457] [1:   irq/191-dwc3:16979]  dwc3_process_event_buf+0xa0/0x1ec
[  361.904465] [1:   irq/191-dwc3:16979]  dwc3_thread_interrupt+0x34/0x5c
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48926

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48927
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: adc: tsc2046: fix memory corruption by preventing array overflow

On one side we have indio_dev->num_channels includes all physical channels +
timestamp channel. On other side we have an array allocated only for
physical channels. So, fix memory corruption by ARRAY_SIZE() instead of
num_channels variable.

Note the first case is a cleanup rather than a fix as the software
timestamp channel bit in active_scanmask is never set by the IIO core.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48927

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48928
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: adc: men_z188_adc: Fix a resource leak in an error handling path

If iio_device_register() fails, a previous ioremap() is left unbalanced.

Update the error handling path and add the missing iounmap() call, as
already done in the remove function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48928

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48929
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix crash due to out of bounds access into reg2btf_ids.

When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
reg type to the appropriate btf_vmlinux BTF ID, however
commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
the base register types, and defined other variants using type flag
composition. However, now, the direct usage of reg->type to index into
reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to
out of bounds access and kernel crash on dereference of bad pointer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48929

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48930
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/ib_srp: Fix a deadlock

Remove the flush_workqueue(system_long_wq) call since flushing
system_long_wq is deadlock-prone and since that call is redundant with a
preceding cancel_work_sync()
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48930

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48931
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

configfs: fix a race in configfs_{,un}register_subsystem()

When configfs_register_subsystem() or configfs_unregister_subsystem()
is executing link_group() or unlink_group(),
it is possible that two processes add or delete list concurrently.
Some unfortunate interleavings of them can cause kernel panic.

One of cases is:
A --> B --> C --> D
A <-- B <-- C <-- D

     delete list_head *B        |      delete list_head *C
--------------------------------|-----------------------------------
configfs_unregister_subsystem   |   configfs_unregister_subsystem
  unlink_group                  |     unlink_group
    unlink_obj                  |       unlink_obj
      list_del_init             |         list_del_init
        __list_del_entry        |           __list_del_entry
          __list_del            |             __list_del
            // next == C        |
            next->prev = prev   |
                                |               next->prev = prev
            prev->next = next   |
                                |                 // prev == B
                                |                 prev->next = next

Fix this by adding mutex when calling link_group() or unlink_group(),
but parent configfs_subsystem is NULL when config_item is root.
So I create a mutex configfs_subsystem_mutex.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48931

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48932
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: DR, Fix slab-out-of-bounds in mlx5_cmd_dr_create_fte

When adding a rule with 32 destinations, we hit the following out-of-band
access issue:

  BUG: KASAN: slab-out-of-bounds in mlx5_cmd_dr_create_fte+0x18ee/0x1e70

This patch fixes the issue by both increasing the allocated buffers to
accommodate for the needed actions and by checking the number of actions
to prevent this issue when a rule with too many actions is provided.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48933
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix memory leak during stateful obj update

stateful objects can be updated from the control plane.
The transaction logic allocates a temporary object for this purpose.

The ->init function was called for this object, so plain kfree() leaks
resources. We must call ->destroy function of the object.

nft_obj_destroy does this, but it also decrements the module refcount,
but the update path doesn't increment it.

To avoid special-casing the update object release, do module_get for
the update case too and release it via nft_obj_destroy().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48933

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48934
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac()

ida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX)
inclusive.
So NFP_MAX_MAC_INDEX (0xff) is a valid id.

In order for the error handling path to work correctly, the 'invalid'
value for 'ida_idx' should not be in the 0..NFP_MAX_MAC_INDEX range,
inclusive.

So set it to -1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48935
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unregister flowtable hooks on netns exit

Unregister flowtable hooks before they are releases via
nf_tables_flowtable_destroy() otherwise hook core reports UAF.

BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666

CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106
 print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450
 kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450
 nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
 __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429
 nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571
 nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232
 nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430
 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652
 nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652

__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which
only unregisters the hooks, then after RCU grace period, it is
guaranteed that no packets add new entries to the flowtable (no flow
offload rules and flowtable hooks are reachable from packet path), so it
is safe to call nf_flow_table_free() which cleans up the remaining
entries from the flowtable (both software and hardware) and it unbinds
the flow_block.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48935

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48937
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring: add a schedule point in io_add_buffers()

Looping ~65535 times doing kmalloc() calls can trigger soft lockups,
especially with DEBUG features (like KASAN).

[  253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b219417889:12575]
[  253.544433] Modules linked in: vfat fat i2c_mux_pca954x i2c_mux spidev cdc_acm xhci_pci xhci_hcd sha3_generic gq(O)
[  253.544451] CPU: 64 PID: 12575 Comm: b219417889 Tainted: G S         O      5.17.0-smp-DEV #801
[  253.544457] RIP: 0010:kernel_text_address (./include/asm-generic/sections.h:192 ./include/linux/kallsyms.h:29 kernel/extable.c:67 kernel/extable.c:98)
[  253.544464] Code: 0f 93 c0 48 c7 c1 e0 63 d7 a4 48 39 cb 0f 92 c1 20 c1 0f b6 c1 5b 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 fb <48> c7 c0 00 00 80 a0 41 be 01 00 00 00 48 39 c7 72 0c 48 c7 c0 40
[  253.544468] RSP: 0018:ffff8882d8baf4c0 EFLAGS: 00000246
[  253.544471] RAX: 1ffff1105b175e00 RBX: ffffffffa13ef09a RCX: 00000000a13ef001
[  253.544474] RDX: ffffffffa13ef09a RSI: ffff8882d8baf558 RDI: ffffffffa13ef09a
[  253.544476] RBP: ffff8882d8baf4d8 R08: ffff8882d8baf5e0 R09: 0000000000000004
[  253.544479] R10: ffff8882d8baf5e8 R11: ffffffffa0d59a50 R12: ffff8882eab20380
[  253.544481] R13: ffffffffa0d59a50 R14: dffffc0000000000 R15: 1ffff1105b175eb0
[  253.544483] FS:  00000000016d3380(0000) GS:ffff88af48c00000(0000) knlGS:0000000000000000
[  253.544486] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  253.544488] CR2: 00000000004af0f0 CR3: 00000002eabfa004 CR4: 00000000003706e0
[  253.544491] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  253.544492] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  253.544494] Call Trace:
[  253.544496]  <TASK>
[  253.544498] ? io_queue_sqe (fs/io_uring.c:7143)
[  253.544505] __kernel_text_address (kernel/extable.c:78)
[  253.544508] unwind_get_return_address (arch/x86/kernel/unwind_frame.c:19)
[  253.544514] arch_stack_walk (arch/x86/kernel/stacktrace.c:27)
[  253.544517] ? io_queue_sqe (fs/io_uring.c:7143)
[  253.544521] stack_trace_save (kernel/stacktrace.c:123)
[  253.544527] ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515)
[  253.544531] ? ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515)
[  253.544533] ? __kasan_kmalloc (mm/kasan/common.c:524)
[  253.544535] ? kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567)
[  253.544541] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)
[  253.544544] ? __io_queue_sqe (fs/io_uring.c:?)
[  253.544551] __kasan_kmalloc (mm/kasan/common.c:524)
[  253.544553] kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567)
[  253.544556] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)
[  253.544560] io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)
[  253.544564] ? __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
[  253.544567] ? __kasan_slab_alloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
[  253.544569] ? kmem_cache_alloc_bulk (mm/slab.h:732 mm/slab.c:3546)
[  253.544573] ? __io_alloc_req_refill (fs/io_uring.c:2078)
[  253.544578] ? io_submit_sqes (fs/io_uring.c:7441)
[  253.544581] ? __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096)
[  253.544584] ? __x64_sys_io_uring_enter (fs/io_uring.c:10096)
[  253.544587] ? do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[  253.544590] ? entry_SYSCALL_64_after_hwframe (??:?)
[  253.544596] __io_queue_sqe (fs/io_uring.c:?)
[  253.544600] io_queue_sqe (fs/io_uring.c:7143)
[  253.544603] io_submit_sqe (fs/io_uring.c:?)
[  253.544608] io_submit_sqes (fs/io_uring.c:?)
[  253.544612] __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uri
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48937

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48938
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

CDC-NCM: avoid overflow in sanity checking

A broken device may give an extreme offset like 0xFFF0
and a reasonable length for a fragment. In the sanity
check as formulated now, this will create an integer
overflow, defeating the sanity check. Both offset
and offset + len need to be checked in such a manner
that no overflow can occur.
And those quantities should be unsigned.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48938

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48939
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Add schedule points in batch ops

syzbot reported various soft lockups caused by bpf batch operations.

 INFO: task kworker/1:1:27 blocked for more than 140 seconds.
 INFO: task hung in rcu_barrier

Nothing prevents batch ops to process huge amount of data,
we need to add schedule points in them.

Note that maybe_wait_bpf_programs(map) calls from
generic_map_delete_batch() can be factorized by moving
the call after the loop.

This will be done later in -next tree once we get this fix merged,
unless there is strong opinion doing this optimization sooner.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48939

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48940
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix crash due to incorrect copy_map_value

When both bpf_spin_lock and bpf_timer are present in a BPF map value,
copy_map_value needs to skirt both objects when copying a value into and
out of the map. However, the current code does not set both s_off and
t_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock
is placed in map value with bpf_timer, as bpf_map_update_elem call will
be able to overwrite the other timer object.

When the issue is not fixed, an overwriting can produce the following
splat:

[root@(none) bpf]# ./test_progs -t timer_crash
[   15.930339] bpf_testmod: loading out-of-tree module taints kernel.
[   16.037849] ==================================================================
[   16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520
[   16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325
[   16.039399]
[   16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G           OE     5.16.0+ #278
[   16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014
[   16.040485] Call Trace:
[   16.040645]  <TASK>
[   16.040805]  dump_stack_lvl+0x59/0x73
[   16.041069]  ? __pv_queued_spin_lock_slowpath+0x32b/0x520
[   16.041427]  kasan_report.cold+0x116/0x11b
[   16.041673]  ? __pv_queued_spin_lock_slowpath+0x32b/0x520
[   16.042040]  __pv_queued_spin_lock_slowpath+0x32b/0x520
[   16.042328]  ? memcpy+0x39/0x60
[   16.042552]  ? pv_hash+0xd0/0xd0
[   16.042785]  ? lockdep_hardirqs_off+0x95/0xd0
[   16.043079]  __bpf_spin_lock_irqsave+0xdf/0xf0
[   16.043366]  ? bpf_get_current_comm+0x50/0x50
[   16.043608]  ? jhash+0x11a/0x270
[   16.043848]  bpf_timer_cancel+0x34/0xe0
[   16.044119]  bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81
[   16.044500]  bpf_trampoline_6442477838_0+0x36/0x1000
[   16.044836]  __x64_sys_nanosleep+0x5/0x140
[   16.045119]  do_syscall_64+0x59/0x80
[   16.045377]  ? lock_is_held_type+0xe4/0x140
[   16.045670]  ? irqentry_exit_to_user_mode+0xa/0x40
[   16.046001]  ? mark_held_locks+0x24/0x90
[   16.046287]  ? asm_exc_page_fault+0x1e/0x30
[   16.046569]  ? asm_exc_page_fault+0x8/0x30
[   16.046851]  ? lockdep_hardirqs_on+0x7e/0x100
[   16.047137]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   16.047405] RIP: 0033:0x7f9e4831718d
[   16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48
[   16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023
[   16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d
[   16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0
[   16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0
[   16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30
[   16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   16.051608]  </TASK>
[   16.051762] ==================================================================
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48940

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48941
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: fix concurrent reset and removal of VFs

Commit c503e63200c6 ("ice: Stop processing VF messages during teardown")
introduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is
intended to prevent some issues with concurrently handling messages from
VFs while tearing down the VFs.

This change was motivated by crashes caused while tearing down and
bringing up VFs in rapid succession.

It turns out that the fix actually introduces issues with the VF driver
caused because the PF no longer responds to any messages sent by the VF
during its .remove routine. This results in the VF potentially removing
its DMA memory before the PF has shut down the device queues.

Additionally, the fix doesn't actually resolve concurrency issues within
the ice driver. It is possible for a VF to initiate a reset just prior
to the ice driver removing VFs. This can result in the remove task
concurrently operating while the VF is being reset. This results in
similar memory corruption and panics purportedly fixed by that commit.

Fix this concurrency at its root by protecting both the reset and
removal flows using the existing VF cfg_lock. This ensures that we
cannot remove the VF while any outstanding critical tasks such as a
virtchnl message or a reset are occurring.

This locking change also fixes the root cause originally fixed by commit
c503e63200c6 ("ice: Stop processing VF messages during teardown"), so we
can simply revert it.

Note that I kept these two changes together because simply reverting the
original commit alone would leave the driver vulnerable to worse race
conditions.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48941

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48942
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: Handle failure to register sensor with thermal zone correctly

If an attempt is made to a sensor with a thermal zone and it fails,
the call to devm_thermal_zone_of_sensor_register() may return -ENODEV.
This may result in crashes similar to the following.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000003cd
...
Internal error: Oops: 96000021 [#1] PREEMPT SMP
...
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mutex_lock+0x18/0x60
lr : thermal_zone_device_update+0x40/0x2e0
sp : ffff800014c4fc60
x29: ffff800014c4fc60 x28: ffff365ee3f6e000 x27: ffffdde218426790
x26: ffff365ee3f6e000 x25: 0000000000000000 x24: ffff365ee3f6e000
x23: ffffdde218426870 x22: ffff365ee3f6e000 x21: 00000000000003cd
x20: ffff365ee8bf3308 x19: ffffffffffffffed x18: 0000000000000000
x17: ffffdde21842689c x16: ffffdde1cb7a0b7c x15: 0000000000000040
x14: ffffdde21a4889a0 x13: 0000000000000228 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000001120000 x7 : 0000000000000001 x6 : 0000000000000000
x5 : 0068000878e20f07 x4 : 0000000000000000 x3 : 00000000000003cd
x2 : ffff365ee3f6e000 x1 : 0000000000000000 x0 : 00000000000003cd
Call trace:
 mutex_lock+0x18/0x60
 hwmon_notify_event+0xfc/0x110
 0xffffdde1cb7a0a90
 0xffffdde1cb7a0b7c
 irq_thread_fn+0x2c/0xa0
 irq_thread+0x134/0x240
 kthread+0x178/0x190
 ret_from_fork+0x10/0x20
Code: d503201f d503201f d2800001 aa0103e4 (c8e47c02)

Jon Hunter reports that the exact call sequence is:

hwmon_notify_event()
  --> hwmon_thermal_notify()
    --> thermal_zone_device_update()
      --> update_temperature()
        --> mutex_lock()

The hwmon core needs to handle all errors returned from calls
to devm_thermal_zone_of_sensor_register(). If the call fails
with -ENODEV, report that the sensor was not attached to a
thermal zone  but continue to register the hwmon device.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48942

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48943
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: make apf token non-zero to fix bug

In current async pagefault logic, when a page is ready, KVM relies on
kvm_arch_can_dequeue_async_page_present() to determine whether to deliver
a READY event to the Guest. This function test token value of struct
kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a
READY event is finished by Guest. If value is zero meaning that a READY
event is done, so the KVM can deliver another.
But the kvm_arch_setup_async_pf() may produce a valid token with zero
value, which is confused with previous mention and may lead the loss of
this READY event.

This bug may cause task blocked forever in Guest:
 INFO: task stress:7532 blocked for more than 1254 seconds.
       Not tainted 5.10.0 #16
 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
 task:stress          state:D stack:    0 pid: 7532 ppid:  1409
 flags:0x00000080
 Call Trace:
  __schedule+0x1e7/0x650
  schedule+0x46/0xb0
  kvm_async_pf_task_wait_schedule+0xad/0xe0
  ? exit_to_user_mode_prepare+0x60/0x70
  __kvm_handle_async_pf+0x4f/0xb0
  ? asm_exc_page_fault+0x8/0x30
  exc_page_fault+0x6f/0x110
  ? asm_exc_page_fault+0x8/0x30
  asm_exc_page_fault+0x1e/0x30
 RIP: 0033:0x402d00
 RSP: 002b:00007ffd31912500 EFLAGS: 00010206
 RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0
 RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0
 RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086
 R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000
 R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48943

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48944
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sched: Fix yet more sched_fork() races

Where commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an
invalid sched_task_group") fixed a fork race vs cgroup, it opened up a
race vs syscalls by not placing the task on the runqueue before it
gets exposed through the pidhash.

Commit 13765de8148f ("sched/fair: Fix fault in reweight_entity") is
trying to fix a single instance of this, instead fix the whole class
of issues, effectively reverting this commit.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48944

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48946
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

udf: Fix preallocation discarding at indirect extent boundary

When preallocation extent is the first one in the extent block, the
code would corrupt extent tree header instead. Fix the problem and use
udf_delete_aext() for deleting extent to avoid some code duplication.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48946

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48947
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix u8 overflow

By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
multiple times and eventually it will wrap around the maximum number
(i.e., 255).
This patch prevents this by adding a boundary check with
L2CAP_MAX_CONF_RSP

Btmon log:
Bluetooth monitor ver 5.64
= Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594
= Note: Bluetooth subsystem version 2.22                               0.264636
@ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191
= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604
@ RAW Open: 9496 (privileged) version 2.22                   {0x0002} 13.890741
= Open Index: 00:00:00:00:00:00                                [hci0] 13.900426
(...)
> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #32 [hci0] 14.273106
        invalid packet size (12 != 1033)
        08 00 01 00 02 01 04 00 01 10 ff ff              ............
> ACL Data RX: Handle 200 flags 0x00 dlen 1547             #33 [hci0] 14.273561
        invalid packet size (14 != 1547)
        0a 00 01 00 04 01 06 00 40 00 00 00 00 00        ........@.....
> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #34 [hci0] 14.274390
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04  ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #35 [hci0] 14.274932
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00  ........@.......
= bluetoothd: Bluetooth daemon 5.43                                   14.401828
> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #36 [hci0] 14.275753
        invalid packet size (12 != 1033)
        08 00 01 00 04 01 04 00 40 00 00 00              ........@...
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48947

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48948
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: Prevent buffer overflow in setup handler

Setup function uvc_function_setup permits control transfer
requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE),
data stage handler for OUT transfer uses memcpy to copy req->actual
bytes to uvc_event->data.data array of size 60. This may result
in an overflow of 4 bytes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48948

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48949
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

igb: Initialize mailbox message for VF reset

When a MAC address is not assigned to the VF, that portion of the message
sent to the VF is not set. The memory, however, is allocated from the
stack meaning that information may be leaked to the VM. Initialize the
message buffer to 0 so that no information is passed to the VM in this
case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48949

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48950
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

perf: Fix perf_pending_task() UaF

Per syzbot it is possible for perf_pending_task() to run after the
event is free()'d. There are two related but distinct cases:

 - the task_work was already queued before destroying the event;
 - destroying the event itself queues the task_work.

The first cannot be solved using task_work_cancel() since
perf_release() itself might be called from a task_work (____fput),
which means the current->task_works list is already empty and
task_work_cancel() won't be able to find the perf_pending_task()
entry.

The simplest alternative is extending the perf_event lifetime to cover
the task_work.

The second is just silly, queueing a task_work while you know the
event is going away makes no sense and is easily avoided by
re-arranging how the event is marked STATE_DEAD and ensuring it goes
through STATE_OFF on the way down.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48950

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48951
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()

The bounds checks in snd_soc_put_volsw_sx() are only being applied to the
first channel, meaning it is possible to write out of bounds values to the
second channel in stereo controls. Add appropriate checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48952
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI: mt7621: Add sentinel to quirks table

Current driver is missing a sentinel in the struct soc_device_attribute
array, which causes an oops when assessed by the
soc_device_match(mt7621_pcie_quirks_match) call.

This was only exposed once the CONFIG_SOC_MT7621 mt7621 soc_dev_attr
was fixed to register the SOC as a device, in:

commit 7c18b64bba3b ("mips: ralink: mt7621: do not use kzalloc too early")

Fix it by adding the required sentinel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48952

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48953
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

rtc: cmos: Fix event handler registration ordering issue

Because acpi_install_fixed_event_handler() enables the event
automatically on success, it is incorrect to call it before the
handler routine passed to it is ready to handle events.

Unfortunately, the rtc-cmos driver does exactly the incorrect thing
by calling cmos_wake_setup(), which passes rtc_handler() to
acpi_install_fixed_event_handler(), before cmos_do_probe(), because
rtc_handler() uses dev_get_drvdata() to get to the cmos object
pointer and the driver data pointer is only populated in
cmos_do_probe().

This leads to a NULL pointer dereference in rtc_handler() on boot
if the RTC fixed event happens to be active at the init time.

To address this issue, change the initialization ordering of the
driver so that cmos_wake_setup() is always called after a successful
cmos_do_probe() call.

While at it, change cmos_pnp_probe() to call cmos_do_probe() after
the initial if () statement used for computing the IRQ argument to
be passed to cmos_do_probe() which is cleaner than calling it in
each branch of that if () (local variable "irq" can be of type int,
because it is passed to that function as an argument of type int).

Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check
ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number
of systems, because previously it only affected systems with
ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that
commit.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48953

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48954
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/qeth: fix use-after-free in hsci

KASAN found that addr was dereferenced after br2dev_event_work was freed.

==================================================================
BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
Hardware name: IBM 8561 T01 703 (LPAR)
Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
Call Trace:
 [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
 [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
 [<000000016942d118>] print_report+0x110/0x1f8
 [<0000000167a7bd04>] kasan_report+0xfc/0x128
 [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
 [<00000001673edd1e>] process_one_work+0x76e/0x1128
 [<00000001673ee85c>] worker_thread+0x184/0x1098
 [<000000016740718a>] kthread+0x26a/0x310
 [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
 [<00000001694711da>] ret_from_fork+0xa/0x40
Allocated by task 108338:
 kasan_save_stack+0x40/0x68
 kasan_set_track+0x36/0x48
 __kasan_kmalloc+0xa0/0xc0
 qeth_l2_switchdev_event+0x25a/0x738
 atomic_notifier_call_chain+0x9c/0xf8
 br_switchdev_fdb_notify+0xf4/0x110
 fdb_notify+0x122/0x180
 fdb_add_entry.constprop.0.isra.0+0x312/0x558
 br_fdb_add+0x59e/0x858
 rtnl_fdb_add+0x58a/0x928
 rtnetlink_rcv_msg+0x5f8/0x8d8
 netlink_rcv_skb+0x1f2/0x408
 netlink_unicast+0x570/0x790
 netlink_sendmsg+0x752/0xbe0
 sock_sendmsg+0xca/0x110
 ____sys_sendmsg+0x510/0x6a8
 ___sys_sendmsg+0x12a/0x180
 __sys_sendmsg+0xe6/0x168
 __do_sys_socketcall+0x3c8/0x468
 do_syscall+0x22c/0x328
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
Freed by task 540:
 kasan_save_stack+0x40/0x68
 kasan_set_track+0x36/0x48
 kasan_save_free_info+0x4c/0x68
 ____kasan_slab_free+0x14e/0x1a8
 __kasan_slab_free+0x24/0x30
 __kmem_cache_free+0x168/0x338
 qeth_l2_br2dev_worker+0x154/0x6b0
 process_one_work+0x76e/0x1128
 worker_thread+0x184/0x1098
 kthread+0x26a/0x310
 __ret_from_fork+0x8a/0xe8
 ret_from_fork+0xa/0x40
Last potentially related work creation:
 kasan_save_stack+0x40/0x68
 __kasan_record_aux_stack+0xbe/0xd0
 insert_work+0x56/0x2e8
 __queue_work+0x4ce/0xd10
 queue_work_on+0xf4/0x100
 qeth_l2_switchdev_event+0x520/0x738
 atomic_notifier_call_chain+0x9c/0xf8
 br_switchdev_fdb_notify+0xf4/0x110
 fdb_notify+0x122/0x180
 fdb_add_entry.constprop.0.isra.0+0x312/0x558
 br_fdb_add+0x59e/0x858
 rtnl_fdb_add+0x58a/0x928
 rtnetlink_rcv_msg+0x5f8/0x8d8
 netlink_rcv_skb+0x1f2/0x408
 netlink_unicast+0x570/0x790
 netlink_sendmsg+0x752/0xbe0
 sock_sendmsg+0xca/0x110
 ____sys_sendmsg+0x510/0x6a8
 ___sys_sendmsg+0x12a/0x180
 __sys_sendmsg+0xe6/0x168
 __do_sys_socketcall+0x3c8/0x468
 do_syscall+0x22c/0x328
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
Second to last potentially related work creation:
 kasan_save_stack+0x40/0x68
 __kasan_record_aux_stack+0xbe/0xd0
 kvfree_call_rcu+0xb2/0x760
 kernfs_unlink_open_file+0x348/0x430
 kernfs_fop_release+0xc2/0x320
 __fput+0x1ae/0x768
 task_work_run+0x1bc/0x298
 exit_to_user_mode_prepare+0x1a0/0x1a8
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
The buggy address belongs to the object at 00000000fdcea400
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
 96-byte region [00000000fdcea400, 00000000fdcea460)
The buggy address belongs to the physical page:
page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 00000000fdcea380: fb fb fb fb fb fb f
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48954

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48955
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: thunderbolt: fix memory leak in tbnet_open()

When tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in
tb_xdomain_alloc_out_hopid() is not released. Add
tb_xdomain_release_out_hopid() to the error path to release ida.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48955

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48956
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid use-after-free in ip6_fragment()

Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.

It seems to not be always true, at least for UDP stack.

syzbot reported:

BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618

CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 ip6_dst_idev include/net/ip6_fib.h:245 [inline]
 ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
 __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
 ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
 dst_output include/net/dst.h:445 [inline]
 ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
 ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
 udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
 udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
 udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xd3/0x120 net/socket.c:734
 sock_write_iter+0x295/0x3d0 net/socket.c:1108
 call_write_iter include/linux/fs.h:2191 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x9ed/0xdd0 fs/read_write.c:584
 ksys_write+0x1ec/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fde3588c0d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
 </TASK>

Allocated by task 7618:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
 dst_alloc+0x14a/0x1f0 net/core/dst.c:92
 ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
 ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
 rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
 ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
 pol_lookup_func include/net/ip6_fib.h:582 [inline]
 fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
 ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
 ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
 ip6_route_output include/net/ip6_route.h:98 [inline]
 ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
 ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
 ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
 udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
 sock_sendmsg_nosec n
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48956

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48957
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()

The cmd_buff needs to be freed when error happened in
dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48957

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48958
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ethernet: aeroflex: fix potential skb leak in greth_init_rings()

The greth_init_rings() function won't free the newly allocated skb when
dma_mapping_error() returns error, so add dev_kfree_skb() to fix it.

Compile tested only.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48958

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48959
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()

When dsa_devlink_region_create failed in sja1105_setup_devlink_regions(),
priv->regions is not released.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48959

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48960
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hisilicon: Fix potential use-after-free in hix5hd2_rx()

The skb is delivered to napi_gro_receive() which may free it, after
calling this, dereferencing skb may trigger use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48960

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48961
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: mdio: fix unbalanced fwnode reference count in mdio_device_release()

There is warning report about of_node refcount leak
while probing mdio device:

OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /spi/soc@0/mdio@710700c0/ethernet@4

In of_mdiobus_register_device(), we increase fwnode refcount
by fwnode_handle_get() before associating the of_node with
mdio device, but it has never been decreased in normal path.
Since that, in mdio_device_release(), it needs to call
fwnode_handle_put() in addition instead of calling kfree()
directly.

After above, just calling mdio_device_free() in the error handle
path of of_mdiobus_register_device() is enough to keep the
refcount balanced.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48961

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48962
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hisilicon: Fix potential use-after-free in hisi_femac_rx()

The skb is delivered to napi_gro_receive() which may free it, after
calling this, dereferencing skb may trigger use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48962

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48963
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: wwan: iosm: fix memory leak in ipc_mux_init()

When failed to alloc ipc_mux->ul_adb.pp_qlt in ipc_mux_init(), ipc_mux
is not released.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48963

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48964
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ravb: Fix potential use-after-free in ravb_rx_gbeth()

The skb is delivered to napi_gro_receive() which may free it, after calling this,
dereferencing skb may trigger use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48964

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48965
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gpio/rockchip: fix refcount leak in rockchip_gpiolib_register()

The node returned by of_get_parent() with refcount incremented,
of_node_put() needs be called when finish using it. So add it in the
end of of_pinctrl_get().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48965

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48966
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: mvneta: Prevent out of bounds read in mvneta_config_rss()

The pp->indir[0] value comes from the user.  It is passed to:

	if (cpu_online(pp->rxq_def))

inside the mvneta_percpu_elect() function.  It needs bounds checkeding
to ensure that it is not beyond the end of the cpu bitmap.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48966

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48967
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFC: nci: Bounds check struct nfc_target arrays

While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:

  memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)

This appears to be a legitimate lack of bounds checking in
nci_add_new_protocol(). Add the missing checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48967

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48968
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

octeontx2-pf: Fix potential memory leak in otx2_init_tc()

In otx2_init_tc(), if rhashtable_init() failed, it does not free
tc->tc_entries_bitmap which is allocated in otx2_tc_alloc_ent_bitmap().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48968

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48969
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xen-netfront: Fix NULL sring after live migration

A NAPI is setup for each network sring to poll data to kernel
The sring with source host is destroyed before live migration and
new sring with target host is setup after live migration.
The NAPI for the old sring is not deleted until setup new sring
with target host after migration. With busy_poll/busy_read enabled,
the NAPI can be polled before got deleted when resume VM.

BUG: unable to handle kernel NULL pointer dereference at
0000000000000008
IP: xennet_poll+0xae/0xd20
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
Call Trace:
 finish_task_switch+0x71/0x230
 timerqueue_del+0x1d/0x40
 hrtimer_try_to_cancel+0xb5/0x110
 xennet_alloc_rx_buffers+0x2a0/0x2a0
 napi_busy_loop+0xdb/0x270
 sock_poll+0x87/0x90
 do_sys_poll+0x26f/0x580
 tracing_map_insert+0x1d4/0x2f0
 event_hist_trigger+0x14a/0x260

 finish_task_switch+0x71/0x230
 __schedule+0x256/0x890
 recalc_sigpending+0x1b/0x50
 xen_sched_clock+0x15/0x20
 __rb_reserve_next+0x12d/0x140
 ring_buffer_lock_reserve+0x123/0x3d0
 event_triggers_call+0x87/0xb0
 trace_event_buffer_commit+0x1c4/0x210
 xen_clocksource_get_cycles+0x15/0x20
 ktime_get_ts64+0x51/0xf0
 SyS_ppoll+0x160/0x1a0
 SyS_ppoll+0x160/0x1a0
 do_syscall_64+0x73/0x130
 entry_SYSCALL_64_after_hwframe+0x41/0xa6
...
RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900
CR2: 0000000000000008
---[ end trace f8601785b354351c ]---

xen frontend should remove the NAPIs for the old srings before live
migration as the bond srings are destroyed

There is a tiny window between the srings are set to NULL and
the NAPIs are disabled, It is safe as the NAPI threads are still
frozen at that time
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48969

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48970
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

af_unix: Get user_ns from in_skb in unix_diag_get_exact().

Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed
the root cause: in unix_diag_get_exact(), the newly allocated skb does not
have sk. [2]

We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to
sk_diag_fill().

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000270
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:sk_user_ns include/net/sock.h:920 [inline]
RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]
RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170
Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8
54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b
9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d
RSP: 0018:ffffc90000d67968 EFLAGS: 00010246
RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d
RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270
RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000
R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800
R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940
FS:  00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 unix_diag_get_exact net/unix/diag.c:285 [inline]
 unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317
 __sock_diag_cmd net/core/sock_diag.c:235 [inline]
 sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266
 netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564
 sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277
 netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
 netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356
 netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0x38f/0x500 net/socket.c:2476
 ___sys_sendmsg net/socket.c:2530 [inline]
 __sys_sendmsg+0x197/0x230 net/socket.c:2559
 __do_sys_sendmsg net/socket.c:2568 [inline]
 __se_sys_sendmsg net/socket.c:2566 [inline]
 __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x4697f9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0
 </TASK>
Modules linked in:
CR2: 0000000000000270

[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/
[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48970

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48971
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix not cleanup led when bt_init fails

bt_init() calls bt_leds_init() to register led, but if it fails later,
bt_leds_cleanup() is not called to unregister it.

This can cause panic if the argument "bluetooth-power" in text is freed
and then another led_trigger_register() tries to access it:

BUG: unable to handle page fault for address: ffffffffc06d3bc0
RIP: 0010:strcmp+0xc/0x30
  Call Trace:
    <TASK>
    led_trigger_register+0x10d/0x4f0
    led_trigger_register_simple+0x7d/0x100
    bt_init+0x39/0xf7 [bluetooth]
    do_one_initcall+0xd0/0x4e0
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48971

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48972
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()

Kernel fault injection test reports null-ptr-deref as follows:

BUG: kernel NULL pointer dereference, address: 0000000000000008
RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
Call Trace:
 <TASK>
 raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
 call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
 unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
 unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
 register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
 ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
 ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
 mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316

ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
the list when device register/unregister, and may lead to null-ptr-deref.

Use INIT_LIST_HEAD() on it to initialize it correctly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48972

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48973
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gpio: amd8111: Fix PCI device reference count leak

for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.

If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL
input parameter, there is no problem for the 'Device not found' branch.
For the normal path, add pci_dev_put() in amd_gpio_exit().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48973

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48974
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: fix using __this_cpu_add in preemptible

Currently in nf_conntrack_hash_check_insert(), when it fails in
nf_ct_ext_valid_pre/post(), NF_CT_STAT_INC() will be called in the
preemptible context, a call trace can be triggered:

   BUG: using __this_cpu_add() in preemptible [00000000] code: conntrack/1636
   caller is nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
   Call Trace:
    <TASK>
    dump_stack_lvl+0x33/0x46
    check_preemption_disabled+0xc3/0xf0
    nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
    ctnetlink_create_conntrack+0x3cd/0x4e0 [nf_conntrack_netlink]
    ctnetlink_new_conntrack+0x1c0/0x450 [nf_conntrack_netlink]
    nfnetlink_rcv_msg+0x277/0x2f0 [nfnetlink]
    netlink_rcv_skb+0x50/0x100
    nfnetlink_rcv+0x65/0x144 [nfnetlink]
    netlink_unicast+0x1ae/0x290
    netlink_sendmsg+0x257/0x4f0
    sock_sendmsg+0x5f/0x70

This patch is to fix it by changing to use NF_CT_STAT_INC_ATOMIC() for
nf_ct_ext_valid_pre/post() check in nf_conntrack_hash_check_insert(),
as well as nf_ct_ext_valid_post() in __nf_conntrack_confirm().

Note that nf_ct_ext_valid_pre() check in __nf_conntrack_confirm() is
safe to use NF_CT_STAT_INC(), as it's under local_bh_disable().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48974

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48975
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gpiolib: fix memory leak in gpiochip_setup_dev()

Here is a backtrace report about memory leak detected in
gpiochip_setup_dev():

unreferenced object 0xffff88810b406400 (size 512):
  comm "python3", pid 1682, jiffies 4295346908 (age 24.090s)
  backtrace:
    kmalloc_trace
    device_add		device_private_init at drivers/base/core.c:3361
			(inlined by) device_add at drivers/base/core.c:3411
    cdev_device_add
    gpiolib_cdev_register
    gpiochip_setup_dev
    gpiochip_add_data_with_key

gcdev_register() & gcdev_unregister() would call device_add() &
device_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to
register/unregister device.

However, if device_add() succeeds, some resource (like
struct device_private allocated by device_private_init())
is not released by device_del().

Therefore, after device_add() succeeds by gcdev_register(), it
needs to call put_device() to release resource in the error handle
path.

Here we move forward the register of release function, and let it
release every piece of resource by put_device() instead of kfree().

While at it, fix another subtle issue, i.e. when gc->ngpio is equal
to 0, we still call kcalloc() and, in case of further error, kfree()
on the ZERO_PTR pointer, which is not NULL. It's not a bug per se,
but rather waste of the resources and potentially wrong expectation
about contents of the gdev->descs variable.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48975

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48976
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable_offload: fix using __this_cpu_add in preemptible

flow_offload_queue_work() can be called in workqueue without
bh disabled, like the call trace showed in my act_ct testing,
calling NF_FLOW_TABLE_STAT_INC() there would cause a call
trace:

  BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560
  caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
  Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x33/0x46
   check_preemption_disabled+0xc3/0xf0
   flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
   nf_flow_table_iterate+0x138/0x170 [nf_flow_table]
   nf_flow_table_free+0x140/0x1a0 [nf_flow_table]
   tcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct]
   process_one_work+0x6a3/0x1030
   worker_thread+0x8a/0xdf0

This patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC()
instead in flow_offload_queue_work().

Note that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(),
it may not be called in preemptible path, but it's good to use
NF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in
flow_offload_queue_work().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48976

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48977
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: af_can: fix NULL pointer dereference in can_rcv_filter

Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer
dereference in can_rx_register()") we need to check for a missing
initialization of ml_priv in the receive path of CAN frames.

Since commit 4e096a18867a ("net: introduce CAN specific pointer in the
struct net_device") the check for dev->type to be ARPHRD_CAN is not
sufficient anymore since bonding or tun netdevices claim to be CAN
devices but do not initialize ml_priv accordingly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48977

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48978
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: core: fix shift-out-of-bounds in hid_report_raw_event

Syzbot reported shift-out-of-bounds in hid_report_raw_event.

microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
32! (swapper/0)
======================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted
6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS
Google 10/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
 snto32 drivers/hid/hid-core.c:1323 [inline]
 hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
 hid_process_report drivers/hid/hid-core.c:1665 [inline]
 hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
 hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
 hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x277/0x75b kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
======================================================================

If the size of the integer (unsigned n) is bigger than 32 in snto32(),
shift exponent will be too large for 32-bit type 'int', resulting in a
shift-out-of-bounds bug.
Fix this by adding a check on the size of the integer (unsigned n) in
snto32(). To add support for n greater than 32 bits, set n to 32, if n
is greater than 32.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48978

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48979
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: fix array index out of bound error in DCN32 DML

[Why&How]
LinkCapacitySupport array is indexed with the number of voltage states and
not the number of max DPPs. Fix the error by changing the array
declaration to use the correct (larger) array size of total number of
voltage states.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48979

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48980
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()

The SJA1105 family has 45 L2 policing table entries
(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110
(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but
accounting for the difference in port count (5 in SJA1105 vs 10 in
SJA1110) does not fully explain the difference. Rather, the SJA1110 also
has L2 ingress policers for multicast traffic. If a packet is classified
as multicast, it will be processed by the policer index 99 + SRCPORT.

The sja1105_init_l2_policing() function initializes all L2 policers such
that they don't interfere with normal packet reception by default. To have
a common code between SJA1105 and SJA1110, the index of the multicast
policer for the port is calculated because it's an index that is out of
bounds for SJA1105 but in bounds for SJA1110, and a bounds check is
performed.

The code fails to do the proper thing when determining what to do with the
multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast"
index will be equal to 45, which is also equal to
table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes
through the check. But at the same time, SJA1105 doesn't have multicast
policers. So the code programs the SHARINDX field of an out-of-bounds
element in the L2 Policing table of the static config.

The comparison between index 45 and 45 entries should have determined the
code to not access this policer index on SJA1105, since its memory wasn't
even allocated.

With enough bad luck, the out-of-bounds write could even overwrite other
valid kernel data, but in this case, the issue was detected using KASAN.

Kernel log:

sja1105 spi5.0: Probed switch chip: SJA1105Q
==================================================================
BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
...
Workqueue: events_unbound deferred_probe_work_func
Call trace:
...
sja1105_setup+0x1cbc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...
Allocated by task 8:
...
sja1105_setup+0x1bcc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48980

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48981
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/shmem-helper: Remove errant put in error path

drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM
object getting prematurely freed leading to a later use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48981

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48982
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix crash when replugging CSR fake controllers

It seems fake CSR 5.0 clones can cause the suspend notifier to be
registered twice causing the following kernel panic:

[   71.986122] Call Trace:
[   71.986124]  <TASK>
[   71.986125]  blocking_notifier_chain_register+0x33/0x60
[   71.986130]  hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da]
[   71.986154]  btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477]
[   71.986159]  ? __pm_runtime_set_status+0x1a9/0x300
[   71.986162]  ? ktime_get_mono_fast_ns+0x3e/0x90
[   71.986167]  usb_probe_interface+0xe3/0x2b0
[   71.986171]  really_probe+0xdb/0x380
[   71.986174]  ? pm_runtime_barrier+0x54/0x90
[   71.986177]  __driver_probe_device+0x78/0x170
[   71.986180]  driver_probe_device+0x1f/0x90
[   71.986183]  __device_attach_driver+0x89/0x110
[   71.986186]  ? driver_allows_async_probing+0x70/0x70
[   71.986189]  bus_for_each_drv+0x8c/0xe0
[   71.986192]  __device_attach+0xb2/0x1e0
[   71.986195]  bus_probe_device+0x92/0xb0
[   71.986198]  device_add+0x422/0x9a0
[   71.986201]  ? sysfs_merge_group+0xd4/0x110
[   71.986205]  usb_set_configuration+0x57a/0x820
[   71.986208]  usb_generic_driver_probe+0x4f/0x70
[   71.986211]  usb_probe_device+0x3a/0x110
[   71.986213]  really_probe+0xdb/0x380
[   71.986216]  ? pm_runtime_barrier+0x54/0x90
[   71.986219]  __driver_probe_device+0x78/0x170
[   71.986221]  driver_probe_device+0x1f/0x90
[   71.986224]  __device_attach_driver+0x89/0x110
[   71.986227]  ? driver_allows_async_probing+0x70/0x70
[   71.986230]  bus_for_each_drv+0x8c/0xe0
[   71.986232]  __device_attach+0xb2/0x1e0
[   71.986235]  bus_probe_device+0x92/0xb0
[   71.986237]  device_add+0x422/0x9a0
[   71.986239]  ? _dev_info+0x7d/0x98
[   71.986242]  ? blake2s_update+0x4c/0xc0
[   71.986246]  usb_new_device.cold+0x148/0x36d
[   71.986250]  hub_event+0xa8a/0x1910
[   71.986255]  process_one_work+0x1c4/0x380
[   71.986259]  worker_thread+0x51/0x390
[   71.986262]  ? rescuer_thread+0x3b0/0x3b0
[   71.986264]  kthread+0xdb/0x110
[   71.986266]  ? kthread_complete_and_exit+0x20/0x20
[   71.986268]  ret_from_fork+0x1f/0x30
[   71.986273]  </TASK>
[   71.986274] ---[ end trace 0000000000000000 ]---
[   71.986284] btusb: probe of 2-1.6:1.0 failed with error -17
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48982

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48983
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()

Syzkaller reports a NULL deref bug as follows:

 BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3
 Read of size 4 at addr 0000000000000138 by task file1/1955

 CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0xcd/0x134
  ? io_tctx_exit_cb+0x53/0xd3
  kasan_report+0xbb/0x1f0
  ? io_tctx_exit_cb+0x53/0xd3
  kasan_check_range+0x140/0x190
  io_tctx_exit_cb+0x53/0xd3
  task_work_run+0x164/0x250
  ? task_work_cancel+0x30/0x30
  get_signal+0x1c3/0x2440
  ? lock_downgrade+0x6e0/0x6e0
  ? lock_downgrade+0x6e0/0x6e0
  ? exit_signals+0x8b0/0x8b0
  ? do_raw_read_unlock+0x3b/0x70
  ? do_raw_spin_unlock+0x50/0x230
  arch_do_signal_or_restart+0x82/0x2470
  ? kmem_cache_free+0x260/0x4b0
  ? putname+0xfe/0x140
  ? get_sigframe_size+0x10/0x10
  ? do_execveat_common.isra.0+0x226/0x710
  ? lockdep_hardirqs_on+0x79/0x100
  ? putname+0xfe/0x140
  ? do_execveat_common.isra.0+0x238/0x710
  exit_to_user_mode_prepare+0x15f/0x250
  syscall_exit_to_user_mode+0x19/0x50
  do_syscall_64+0x42/0xb0
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 RIP: 0023:0x0
 Code: Unable to access opcode bytes at 0xffffffffffffffd6.
 RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  </TASK>
 Kernel panic - not syncing: panic_on_warn set ...

This happens because the adding of task_work from io_ring_exit_work()
isn't synchronized with canceling all work items from eg exec. The
execution of the two are ordered in that they are both run by the task
itself, but if io_tctx_exit_cb() is queued while we're canceling all
work items off exec AND gets executed when the task exits to userspace
rather than in the main loop in io_uring_cancel_generic(), then we can
find current->io_uring == NULL and hit the above crash.

It's safe to add this NULL check here, because the execution of the two
paths are done by the task itself.

[axboe: add code comment and also put an explanation in the commit msg]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48983

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48984
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: slcan: fix freed work crash

The LTP test pty03 is causing a crash in slcan:
  BUG: kernel NULL pointer dereference, address: 0000000000000008
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
  Workqueue:  0x0 (events)
  RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
  Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
  RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
  RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
  RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
  RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
  R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
  R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
  FS:  0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
  Call Trace:
   <TASK>
  worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)
  kthread (/home/rich/kernel/linux/kernel/kthread.c:376)
  ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)

Apparently, the slcan's tx_work is freed while being scheduled. While
slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work),
slcan_close() (tty side) does not. So when the netdev is never set UP,
but the tty is stuffed with bytes and forced to wakeup write, the work
is scheduled, but never flushed.

So add an additional flush_work() to slcan_close() to be sure the work
is flushed under all circumstances.

The Fixes commit below moved flush_work() from slcan_close() to
slcan_netdev_close(). What was the rationale behind it? Maybe we can
drop the one in slcan_netdev_close()?

I see the same pattern in can327. So it perhaps needs the very same fix.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48984

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48985
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: mana: Fix race on per-CQ variable napi work_done

After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be
cleared, and another CPU can start napi thread and access per-CQ variable,
cq->work_done. If the other thread (for example, from busy_poll) sets
it to a value >= budget, this thread will continue to run when it should
stop, and cause memory corruption and panic.

To fix this issue, save the per-CQ work_done variable in a local variable
before napi_complete_done(), so it won't be corrupted by a possible
concurrent thread after napi_complete_done().

Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done
variable race is fixed, so the driver is able to reliably support features
like busy_poll.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48985

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48986
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/gup: fix gup_pud_range() for dax

For dax pud, pud_huge() returns true on x86. So the function works as long
as hugetlb is configured. However, dax doesn't depend on hugetlb.
Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed
devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as
well.

This fixes the below kernel panic:

general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP
	< snip >
Call Trace:
<TASK>
get_user_pages_fast+0x1f/0x40
iov_iter_get_pages+0xc6/0x3b0
? mempool_alloc+0x5d/0x170
bio_iov_iter_get_pages+0x82/0x4e0
? bvec_alloc+0x91/0xc0
? bio_alloc_bioset+0x19a/0x2a0
blkdev_direct_IO+0x282/0x480
? __io_complete_rw_common+0xc0/0xc0
? filemap_range_has_page+0x82/0xc0
generic_file_direct_write+0x9d/0x1a0
? inode_update_time+0x24/0x30
__generic_file_write_iter+0xbd/0x1e0
blkdev_write_iter+0xb4/0x150
? io_import_iovec+0x8d/0x340
io_write+0xf9/0x300
io_issue_sqe+0x3c3/0x1d30
? sysvec_reschedule_ipi+0x6c/0x80
__io_queue_sqe+0x33/0x240
? fget+0x76/0xa0
io_submit_sqes+0xe6a/0x18d0
? __fget_light+0xd1/0x100
__x64_sys_io_uring_enter+0x199/0x880
? __context_tracking_enter+0x1f/0x70
? irqentry_exit_to_user_mode+0x24/0x30
? irqentry_exit+0x1d/0x30
? __context_tracking_exit+0xe/0x70
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fc97c11a7be
	< snip >
</TASK>
---[ end trace 48b2e0e67debcaeb ]---
RIP: 0010:internal_get_user_pages_fast+0x340/0x990
	< snip >
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48986

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48987
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: v4l2-dv-timings.c: fix too strict blanking sanity checks

Sanity checks were added to verify the v4l2_bt_timings blanking fields
in order to avoid integer overflows when userspace passes weird values.

But that assumed that userspace would correctly fill in the front porch,
backporch and sync values, but sometimes all you know is the total
blanking, which is then assigned to just one of these fields.

And that can fail with these checks.

So instead set a maximum for the total horizontal and vertical
blanking and check that each field remains below that.

That is still sufficient to avoid integer overflows, but it also
allows for more flexibility in how userspace fills in these fields.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48987

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48988
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

memcg: fix possible use-after-free in memcg_write_event_control()

memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call.  As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file.  Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.

Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses.  The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through.  With the
invarients broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-free's.

Fix the bug by resurrecting the file type check in __file_cft().  Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection.  Instead, let's check the superblock
and dentry type.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48988

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48989
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fscache: Fix oops due to race with cookie_lru and use_cookie

If a cookie expires from the LRU and the LRU_DISCARD flag is set, but
the state machine has not run yet, it's possible another thread can call
fscache_use_cookie and begin to use it.

When the cookie_worker finally runs, it will see the LRU_DISCARD flag
set, transition the cookie->state to LRU_DISCARDING, which will then
withdraw the cookie.  Once the cookie is withdrawn the object is removed
the below oops will occur because the object associated with the cookie
is now NULL.

Fix the oops by clearing the LRU_DISCARD bit if another thread uses the
cookie before the cookie_worker runs.

  BUG: kernel NULL pointer dereference, address: 0000000000000008
  ...
  CPU: 31 PID: 44773 Comm: kworker/u130:1 Tainted: G     E    6.0.0-5.dneg.x86_64 #1
  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
  Workqueue: events_unbound netfs_rreq_write_to_cache_work [netfs]
  RIP: 0010:cachefiles_prepare_write+0x28/0x90 [cachefiles]
  ...
  Call Trace:
    netfs_rreq_write_to_cache_work+0x11c/0x320 [netfs]
    process_one_work+0x217/0x3e0
    worker_thread+0x4a/0x3b0
    kthread+0xd6/0x100
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48989

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48990
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix use-after-free during gpu recovery

[Why]
    [  754.862560] refcount_t: underflow; use-after-free.
    [  754.862898] Call Trace:
    [  754.862903]  <TASK>
    [  754.862913]  amdgpu_job_free_cb+0xc2/0xe1 [amdgpu]
    [  754.863543]  drm_sched_main.cold+0x34/0x39 [amd_sched]

[How]
    The fw_fence may be not init, check whether dma_fence_init
    is performed before job free
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48990

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48991
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

Any codepath that zaps page table entries must invoke MMU notifiers to
ensure that secondary MMUs (like KVM) don't keep accessing pages which
aren't mapped anymore.  Secondary MMUs don't hold their own references to
pages that are mirrored over, so failing to notify them can lead to page
use-after-free.

I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
the security impact of this only came in commit 27e1f8273113 ("khugepaged:
enable collapse pmd for pte-mapped THP"), which actually omitted flushes
for the removal of present PTEs, not just for the removal of empty page
tables.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48991

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48992
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: soc-pcm: Add NULL check in BE reparenting

Add NULL check in dpcm_be_reparent API, to handle
kernel NULL pointer dereference error.
The issue occurred in fuzzing test.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48992

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48994
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed.

seq_copy_in_user() and seq_copy_in_kernel() did not have prototypes
matching snd_seq_dump_func_t. Adjust this and remove the casts. There
are not resulting binary output differences.

This was found as a result of Clang's new -Wcast-function-type-strict
flag, which is more sensitive than the simpler -Wcast-function-type,
which only checks for type width mismatches.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48994

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48995
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send()

There is a kmemleak when test the raydium_i2c_ts with bpf mock device:

  unreferenced object 0xffff88812d3675a0 (size 8):
    comm "python3", pid 349, jiffies 4294741067 (age 95.695s)
    hex dump (first 8 bytes):
      11 0e 10 c0 01 00 04 00                          ........
    backtrace:
      [<0000000068427125>] __kmalloc+0x46/0x1b0
      [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
      [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts]
      [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
      [<00000000a310de16>] i2c_device_probe+0x651/0x680
      [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
      [<00000000096ba499>] __driver_probe_device+0xe3/0x170
      [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
      [<00000000264fe082>] __device_attach_driver+0xf7/0x150
      [<00000000f919423c>] bus_for_each_drv+0x114/0x180
      [<00000000e067feca>] __device_attach+0x1e5/0x2d0
      [<0000000054301fc2>] bus_probe_device+0x126/0x140
      [<00000000aad93b22>] device_add+0x810/0x1130
      [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
      [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
      [<00000000ffec4177>] of_i2c_notify+0x100/0x160
  unreferenced object 0xffff88812d3675c8 (size 8):
    comm "python3", pid 349, jiffies 4294741070 (age 95.692s)
    hex dump (first 8 bytes):
      22 00 36 2d 81 88 ff ff                          ".6-....
    backtrace:
      [<0000000068427125>] __kmalloc+0x46/0x1b0
      [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
      [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts]
      [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
      [<00000000a310de16>] i2c_device_probe+0x651/0x680
      [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
      [<00000000096ba499>] __driver_probe_device+0xe3/0x170
      [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
      [<00000000264fe082>] __device_attach_driver+0xf7/0x150
      [<00000000f919423c>] bus_for_each_drv+0x114/0x180
      [<00000000e067feca>] __device_attach+0x1e5/0x2d0
      [<0000000054301fc2>] bus_probe_device+0x126/0x140
      [<00000000aad93b22>] device_add+0x810/0x1130
      [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
      [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
      [<00000000ffec4177>] of_i2c_notify+0x100/0x160

After BANK_SWITCH command from i2c BUS, no matter success or error
happened, the tx_buf should be freed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48996
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs: fix wrong empty schemes assumption under online tuning in damon_sysfs_set_schemes()

Commit da87878010e5 ("mm/damon/sysfs: support online inputs update") made
'damon_sysfs_set_schemes()' to be called for running DAMON context, which
could have schemes.  In the case, DAMON sysfs interface is supposed to
update, remove, or add schemes to reflect the sysfs files.  However, the
code is assuming the DAMON context wouldn't have schemes at all, and
therefore creates and adds new schemes.  As a result, the code doesn't
work as intended for online schemes tuning and could have more than
expected memory footprint.  The schemes are all in the DAMON context, so
it doesn't leak the memory, though.

Remove the wrong asssumption (the DAMON context wouldn't have schemes) in
'damon_sysfs_set_schemes()' to fix the bug.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48996

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48997
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

char: tpm: Protect tpm_pm_suspend with locks

Currently tpm transactions are executed unconditionally in
tpm_pm_suspend() function, which may lead to races with other tpm
accessors in the system.

Specifically, the hw_random tpm driver makes use of tpm_get_random(),
and this function is called in a loop from a kthread, which means it's
not frozen alongside userspace, and so can race with the work done
during system suspend:

  tpm tpm0: tpm_transmit: tpm_recv: error -52
  tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
  CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
  Call Trace:
   tpm_tis_status.cold+0x19/0x20
   tpm_transmit+0x13b/0x390
   tpm_transmit_cmd+0x20/0x80
   tpm1_pm_suspend+0xa6/0x110
   tpm_pm_suspend+0x53/0x80
   __pnp_bus_suspend+0x35/0xe0
   __device_suspend+0x10f/0x350

Fix this by calling tpm_try_get_ops(), which itself is a wrapper around
tpm_chip_start(), but takes the appropriate mutex.

[Jason: reworked commit message, added metadata]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48998
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

powerpc/bpf/32: Fix Oops on tail call tests

test_bpf tail call tests end up as:

  test_bpf: #0 Tail call leaf jited:1 85 PASS
  test_bpf: #1 Tail call 2 jited:1 111 PASS
  test_bpf: #2 Tail call 3 jited:1 145 PASS
  test_bpf: #3 Tail call 4 jited:1 170 PASS
  test_bpf: #4 Tail call load/store leaf jited:1 190 PASS
  test_bpf: #5 Tail call load/store jited:1
  BUG: Unable to handle kernel data access on write at 0xf1b4e000
  Faulting instruction address: 0xbe86b710
  Oops: Kernel access of bad area, sig: 11 [#1]
  BE PAGE_SIZE=4K MMU=Hash PowerMac
  Modules linked in: test_bpf(+)
  CPU: 0 PID: 97 Comm: insmod Not tainted 6.1.0-rc4+ #195
  Hardware name: PowerMac3,1 750CL 0x87210 PowerMac
  NIP:  be86b710 LR: be857e88 CTR: be86b704
  REGS: f1b4df20 TRAP: 0300   Not tainted  (6.1.0-rc4+)
  MSR:  00009032 <EE,ME,IR,DR,RI>  CR: 28008242  XER: 00000000
  DAR: f1b4e000 DSISR: 42000000
  GPR00: 00000001 f1b4dfe0 c11d2280 00000000 00000000 00000000 00000002 00000000
  GPR08: f1b4e000 be86b704 f1b4e000 00000000 00000000 100d816a f2440000 fe73baa8
  GPR16: f2458000 00000000 c1941ae4 f1fe2248 00000045 c0de0000 f2458030 00000000
  GPR24: 000003e8 0000000f f2458000 f1b4dc90 3e584b46 00000000 f24466a0 c1941a00
  NIP [be86b710] 0xbe86b710
  LR [be857e88] __run_one+0xec/0x264 [test_bpf]
  Call Trace:
  [f1b4dfe0] [00000002] 0x2 (unreliable)
  Instruction dump:
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  ---[ end trace 0000000000000000 ]---

This is a tentative to write above the stack. The problem is encoutered
with tests added by commit 38608ee7b690 ("bpf, tests: Add load store
test case for tail call")

This happens because tail call is done to a BPF prog with a different
stack_depth. At the time being, the stack is kept as is when the caller
tail calls its callee. But at exit, the callee restores the stack based
on its own properties. Therefore here, at each run, r1 is erroneously
increased by 32 - 16 = 16 bytes.

This was done that way in order to pass the tail call count from caller
to callee through the stack. As powerpc32 doesn't have a red zone in
the stack, it was necessary the maintain the stack as is for the tail
call. But it was not anticipated that the BPF frame size could be
different.

Let's take a new approach. Use register r4 to carry the tail call count
during the tail call, and save it into the stack at function entry if
required. This means the input parameter must be in r3, which is more
correct as it is a 32 bits parameter, then tail call better match with
normal BPF function entry, the down side being that we move that input
parameter back and forth between r3 and r4. That can be optimised later.

Doing that also has the advantage of maximising the common parts between
tail calls and a normal function exit.

With the fix, tail call tests are now successfull:

  test_bpf: #0 Tail call leaf jited:1 53 PASS
  test_bpf: #1 Tail call 2 jited:1 115 PASS
  test_bpf: #2 Tail call 3 jited:1 154 PASS
  test_bpf: #3 Tail call 4 jited:1 165 PASS
  test_bpf: #4 Tail call load/store leaf jited:1 101 PASS
  test_bpf: #5 Tail call load/store jited:1 141 PASS
  test_bpf: #6 Tail call error path, max count reached jited:1 994 PASS
  test_bpf: #7 Tail call count preserved across function calls jited:1 140975 PASS
  test_bpf: #8 Tail call error path, NULL target jited:1 110 PASS
  test_bpf: #9 Tail call error path, index out of range jited:1 69 PASS
  test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48998

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-48999
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference

Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match:
    fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961
    fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753
    inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874

Separate nexthop objects are mutually exclusive with the legacy
multipath spec. Fix fib_nh_match to return if the config for the
to be deleted route contains a multipath spec while the fib_info
is using a nexthop object.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48999

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49000
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix PCI device refcount leak in has_external_pci()

for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.

If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() before 'return true' to avoid reference count leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49000

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49001
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

riscv: fix race when vmap stack overflow

Currently, when detecting vmap stack overflow, riscv firstly switches
to the so called shadow stack, then use this shadow stack to call the
get_overflow_stack() to get the overflow stack. However, there's
a race here if two or more harts use the same shadow stack at the same
time.

To solve this race, we introduce spin_shadow_stack atomic var, which
will be swap between its own address and 0 in atomic way, when the
var is set, it means the shadow_stack is being used; when the var
is cleared, it means the shadow_stack isn't being used.

[Palmer: Add AQ to the swap, and also some comments.]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49002
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()

for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.

If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() for the error path to avoid reference count leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49003
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvme: fix SRCU protection of nvme_ns_head list

Walking the nvme_ns_head siblings list is protected by the head's srcu
in nvme_ns_head_submit_bio() but not nvme_mpath_revalidate_paths().
Removing namespaces from the list also fails to synchronize the srcu.
Concurrent scan work can therefore cause use-after-frees.

Hold the head's srcu lock in nvme_mpath_revalidate_paths() and
synchronize with the srcu, not the global RCU, in nvme_ns_remove().

Observed the following panic when making NVMe/RDMA connections
with native multipath on the Rocky Linux 8.6 kernel
(it seems the upstream kernel has the same race condition).
Disassembly shows the faulting instruction is cmp 0x50(%rdx),%rcx;
computing capacity != get_capacity(ns->disk).
Address 0x50 is dereferenced because ns->disk is NULL.
The NULL disk appears to be the result of concurrent scan work
freeing the namespace (note the log line in the middle of the panic).

[37314.206036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[37314.206036] nvme0n3: detected capacity change from 0 to 11811160064
[37314.299753] PGD 0 P4D 0
[37314.299756] Oops: 0000 [#1] SMP PTI
[37314.299759] CPU: 29 PID: 322046 Comm: kworker/u98:3 Kdump: loaded Tainted: G        W      X --------- -  - 4.18.0-372.32.1.el8test86.x86_64 #1
[37314.299762] Hardware name: Dell Inc. PowerEdge R720/0JP31P, BIOS 2.7.0 05/23/2018
[37314.299763] Workqueue: nvme-wq nvme_scan_work [nvme_core]
[37314.299783] RIP: 0010:nvme_mpath_revalidate_paths+0x26/0xb0 [nvme_core]
[37314.299790] Code: 1f 44 00 00 66 66 66 66 90 55 53 48 8b 5f 50 48 8b 83 c8 c9 00 00 48 8b 13 48 8b 48 50 48 39 d3 74 20 48 8d 42 d0 48 8b 50 20 <48> 3b 4a 50 74 05 f0 80 60 70 ef 48 8b 50 30 48 8d 42 d0 48 39 d3
[37315.058803] RSP: 0018:ffffabe28f913d10 EFLAGS: 00010202
[37315.121316] RAX: ffff927a077da800 RBX: ffff92991dd70000 RCX: 0000000001600000
[37315.206704] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff92991b719800
[37315.292106] RBP: ffff929a6b70c000 R08: 000000010234cd4a R09: c0000000ffff7fff
[37315.377501] R10: 0000000000000001 R11: ffffabe28f913a30 R12: 0000000000000000
[37315.462889] R13: ffff92992716600c R14: ffff929964e6e030 R15: ffff92991dd70000
[37315.548286] FS:  0000000000000000(0000) GS:ffff92b87fb80000(0000) knlGS:0000000000000000
[37315.645111] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[37315.713871] CR2: 0000000000000050 CR3: 0000002208810006 CR4: 00000000000606e0
[37315.799267] Call Trace:
[37315.828515]  nvme_update_ns_info+0x1ac/0x250 [nvme_core]
[37315.892075]  nvme_validate_or_alloc_ns+0x2ff/0xa00 [nvme_core]
[37315.961871]  ? __blk_mq_free_request+0x6b/0x90
[37316.015021]  nvme_scan_work+0x151/0x240 [nvme_core]
[37316.073371]  process_one_work+0x1a7/0x360
[37316.121318]  ? create_worker+0x1a0/0x1a0
[37316.168227]  worker_thread+0x30/0x390
[37316.212024]  ? create_worker+0x1a0/0x1a0
[37316.258939]  kthread+0x10a/0x120
[37316.297557]  ? set_kthread_struct+0x50/0x50
[37316.347590]  ret_from_fork+0x35/0x40
[37316.390360] Modules linked in: nvme_rdma nvme_tcp(X) nvme_fabrics nvme_core netconsole iscsi_tcp libiscsi_tcp dm_queue_length dm_service_time nf_conntrack_netlink br_netfilter bridge stp llc overlay nft_chain_nat ipt_MASQUERADE nf_nat xt_addrtype xt_CT nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment xt_multiport nft_compat nf_tables libcrc32c nfnetlink dm_multipath tg3 rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm intel_rapl_msr iTCO_wdt iTCO_vendor_support dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel ib_uverbs rapl intel_cstate intel_uncore ib_core ipmi_si joydev mei_me pcspkr ipmi_devintf mei lpc_ich wmi ipmi_msghandler acpi_power_meter ex
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49003

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49004
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

riscv: Sync efi page table's kernel mappings before switching

The EFI page table is initially created as a copy of the kernel page table.
With VMAP_STACK enabled, kernel stacks are allocated in the vmalloc area:
if the stack is allocated in a new PGD (one that was not present at the
moment of the efi page table creation or not synced in a previous vmalloc
fault), the kernel will take a trap when switching to the efi page table
when the vmalloc kernel stack is accessed, resulting in a kernel panic.

Fix that by updating the efi kernel mappings before switching to the efi
page table.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49004

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49005
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: ops: Fix bounds check for _sx controls

For _sx controls the semantics of the max field is not the usual one, max
is the number of steps rather than the maximum value. This means that our
check in snd_soc_put_volsw_sx() needs to just check against the maximum
value.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49005

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49006
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing: Free buffers when a used dynamic event is removed

After 65536 dynamic events have been added and removed, the "type" field
of the event then uses the first type number that is available (not
currently used by other events). A type number is the identifier of the
binary blobs in the tracing ring buffer (known as events) to map them to
logic that can parse the binary blob.

The issue is that if a dynamic event (like a kprobe event) is traced and
is in the ring buffer, and then that event is removed (because it is
dynamic, which means it can be created and destroyed), if another dynamic
event is created that has the same number that new event's logic on
parsing the binary blob will be used.

To show how this can be an issue, the following can crash the kernel:

 # cd /sys/kernel/tracing
 # for i in `seq 65536`; do
     echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events
 # done

For every iteration of the above, the writing to the kprobe_events will
remove the old event and create a new one (with the same format) and
increase the type number to the next available on until the type number
reaches over 65535 which is the max number for the 16 bit type. After it
reaches that number, the logic to allocate a new number simply looks for
the next available number. When an dynamic event is removed, that number
is then available to be reused by the next dynamic event created. That is,
once the above reaches the max number, the number assigned to the event in
that loop will remain the same.

Now that means deleting one dynamic event and created another will reuse
the previous events type number. This is where bad things can happen.
After the above loop finishes, the kprobes/foo event which reads the
do_sys_openat2 function call's first parameter as an integer.

 # echo 1 > kprobes/foo/enable
 # cat /etc/passwd > /dev/null
 # cat trace
             cat-2211    [005] ....  2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
             cat-2211    [005] ....  2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
             cat-2211    [005] ....  2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
             cat-2211    [005] ....  2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
 # echo 0 > kprobes/foo/enable

Now if we delete the kprobe and create a new one that reads a string:

 # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events

And now we can the trace:

 # cat trace
        sendmail-1942    [002] .....   530.136320: foo: (do_sys_openat2+0x0/0x240) arg1=             cat-2046    [004] .....   530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
             cat-2046    [004] .....   530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
             cat-2046    [004] .....   530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
             cat-2046    [004] .....   530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="���������������������������������������
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49007
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()

Syzbot reported a null-ptr-deref bug:

 NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP
 frequency < 30 seconds
 general protection fault, probably for non-canonical address
 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
 KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
 CPU: 1 PID: 3603 Comm: segctord Not tainted
 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google
 10/11/2022
 RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0
 fs/nilfs2/alloc.c:608
 Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00
 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02
 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
 RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
 RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
 RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
 RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
 R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
 R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
 FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000)
 knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
 Call Trace:
  <TASK>
  nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
  nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
  nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
  nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
  nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]
  nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
  nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
  nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
  nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
  nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
  nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
  nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
  nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
  nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
  nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
  nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
  kthread+0x2e4/0x3a0 kernel/kthread.c:376
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
  </TASK>
 ...

If DAT metadata file is corrupted on disk, there is a case where
req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during
a b-tree operation that cascadingly updates ancestor nodes of the b-tree,
because nilfs_dat_commit_alloc() for a lower level block can initialize
the blocknr on the same DAT entry between nilfs_dat_prepare_end() and
nilfs_dat_commit_end().

If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()
without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and
causes the NULL pointer dereference above in
nilfs_palloc_commit_free_entry() function, which leads to a crash.

Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh
before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().

This also calls nilfs_error() in that case to notify that there is a fatal
flaw in the filesystem metadata and prevent further operations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49007

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49008
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: can327: can327_feed_frame_to_netdev(): fix potential skb leak when netdev is down

In can327_feed_frame_to_netdev(), it did not free the skb when netdev
is down, and all callers of can327_feed_frame_to_netdev() did not free
allocated skb too. That would trigger skb leak.

Fix it by adding kfree_skb() in can327_feed_frame_to_netdev() when netdev
is down. Not tested, just compiled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49008

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49009
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (asus-ec-sensors) Add checks for devm_kcalloc

As the devm_kcalloc may return NULL, the return value needs to be checked
to avoid NULL poineter dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49009

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49010
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (coretemp) Check for null before removing sysfs attrs

If coretemp_add_core() gets an error then pdata->core_data[indx]
is already NULL and has been kfreed. Don't pass that to
sysfs_remove_group() as that will crash in sysfs_remove_group().

[Shortened for readability]
[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
<cpu offline>
[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
[91855.165103] #PF: supervisor read access in kernel mode
[91855.194506] #PF: error_code(0x0000) - not-present page
[91855.224445] PGD 0 P4D 0
[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
...
[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
...
[91855.796571] Call Trace:
[91855.810524]  coretemp_cpu_offline+0x12b/0x1dd [coretemp]
[91855.841738]  ? coretemp_cpu_online+0x180/0x180 [coretemp]
[91855.871107]  cpuhp_invoke_callback+0x105/0x4b0
[91855.893432]  cpuhp_thread_fun+0x8e/0x150
...

Fix this by checking for NULL first.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49010

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49011
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()

As comment of pci_get_domain_bus_and_slot() says, it returns
a pci device with refcount increment, when finish using it,
the caller must decrement the reference count by calling
pci_dev_put(). So call it after using to avoid refcount leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49011

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49012
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

afs: Fix server->active leak in afs_put_server

The atomic_read was accidentally replaced with atomic_inc_return,
which prevents the server from getting cleaned up and causes rmmod
to hang with a warning:

    Can't purge s=00000001
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49012

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49013
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sctp: fix memory leak in sctp_stream_outq_migrate()

When sctp_stream_outq_migrate() is called to release stream out resources,
the memory pointed to by prio_head in stream out is not released.

The memory leak information is as follows:
 unreferenced object 0xffff88801fe79f80 (size 64):
   comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s)
   hex dump (first 32 bytes):
     80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff  ................
     90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff  ................
   backtrace:
     [<ffffffff81b215c6>] kmalloc_trace+0x26/0x60
     [<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770
     [<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0
     [<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30
     [<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0
     [<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0
     [<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120
     [<ffffffff8755446a>] __sys_sendto+0x23a/0x340
     [<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0
     [<ffffffff89978b49>] do_syscall_64+0x39/0xb0
     [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49013

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49014
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: tun: Fix use-after-free in tun_detach()

syzbot reported use-after-free in tun_detach() [1].  This causes call
trace like below:

==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673

CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
 netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
 __fput+0x27c/0xa90 fs/file_table.c:320
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xb3d/0x2a30 kernel/exit.c:820
 do_group_exit+0xd4/0x2a0 kernel/exit.c:950
 get_signal+0x21b1/0x2440 kernel/signal.c:2858
 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The cause of the issue is that sock_put() from __tun_detach() drops
last reference count for struct net, and then notifier_call_chain()
from netdev_state_change() accesses that struct net.

This patch fixes the issue by calling sock_put() from tun_detach()
after all necessary accesses for the struct net has done.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49014

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49015
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hsr: Fix potential use-after-free

The skb is delivered to netif_rx() which may free it, after calling this,
dereferencing skb may trigger use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49015

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49016
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: mdiobus: fix unbalanced node reference count

I got the following report while doing device(mscc-miim) load test
with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:

  OF: ERROR: memory leak, expected refcount 1 instead of 2,
  of_node_get()/of_node_put() unbalanced - destroy cset entry:
  attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0

If the 'fwnode' is not an acpi node, the refcount is get in
fwnode_mdiobus_phy_device_register(), but it has never been
put when the device is freed in the normal path. So call
fwnode_handle_put() in phy_device_release() to avoid leak.

If it's an acpi node, it has never been get, but it's put
in the error path, so call fwnode_handle_get() before
phy_device_register() to keep get/put operation balanced.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49016

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49017
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tipc: re-fetch skb cb after tipc_msg_validate

As the call trace shows, the original skb was freed in tipc_msg_validate(),
and dereferencing the old skb cb would cause an use-after-free crash.

  BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
  Call Trace:
   <IRQ>
   tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
   tipc_rcv+0x744/0x1150 [tipc]
  ...
  Allocated by task 47078:
   kmem_cache_alloc_node+0x158/0x4d0
   __alloc_skb+0x1c1/0x270
   tipc_buf_acquire+0x1e/0xe0 [tipc]
   tipc_msg_create+0x33/0x1c0 [tipc]
   tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
   tipc_link_timeout+0x8b8/0xef0 [tipc]
   tipc_node_timeout+0x2a1/0x960 [tipc]
   call_timer_fn+0x2d/0x1c0
  ...
  Freed by task 47078:
   tipc_msg_validate+0x7b/0x440 [tipc]
   tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
   tipc_rcv+0x744/0x1150 [tipc]

This patch fixes it by re-fetching the skb cb from the new allocated skb
after calling tipc_msg_validate().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49017

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49018
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix sleep in atomic at close time

Matt reported a splat at msk close time:

    BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877
    in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 155, name: packetdrill
    preempt_count: 201, expected: 0
    RCU nest depth: 0, expected: 0
    4 locks held by packetdrill/155:
    #0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650)
    #1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973)
    #2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363)
    #3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820)
    Preemption disabled at:
    0x0
    CPU: 1 PID: 155 Comm: packetdrill Not tainted 6.1.0-rc5 #365
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    Call Trace:
    <TASK>
    dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
    __might_resched.cold (kernel/sched/core.c:9891)
    __mptcp_destroy_sock (include/linux/kernel.h:110)
    __mptcp_close (net/mptcp/protocol.c:2959)
    mptcp_subflow_queue_clean (include/net/sock.h:1777)
    __mptcp_close_ssk (net/mptcp/protocol.c:2363)
    mptcp_destroy_common (net/mptcp/protocol.c:3170)
    mptcp_destroy (include/net/sock.h:1495)
    __mptcp_destroy_sock (net/mptcp/protocol.c:2886)
    __mptcp_close (net/mptcp/protocol.c:2959)
    mptcp_close (net/mptcp/protocol.c:2974)
    inet_release (net/ipv4/af_inet.c:432)
    __sock_release (net/socket.c:651)
    sock_close (net/socket.c:1367)
    __fput (fs/file_table.c:320)
    task_work_run (kernel/task_work.c:181 (discriminator 1))
    exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49)
    syscall_exit_to_user_mode (kernel/entry/common.c:130)
    do_syscall_64 (arch/x86/entry/common.c:87)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)

We can't call mptcp_close under the 'fast' socket lock variant, replace
it with a sock_lock_nested() as the relevant code is already under the
listening msk socket lock protection.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49018

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49019
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: nixge: fix NULL dereference

In function nixge_hw_dma_bd_release() dereference of NULL pointer
priv->rx_bd_v is possible for the case of its allocation failure in
nixge_hw_dma_bd_init().

Move for() loop with priv->rx_bd_v dereference under the check for
its validity.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49019

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49020
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/9p: Fix a potential socket leak in p9_socket_open

Both p9_fd_create_tcp() and p9_fd_create_unix() will call
p9_socket_open(). If the creation of p9_trans_fd fails,
p9_fd_create_tcp() and p9_fd_create_unix() will return an
error directly instead of releasing the cscoket, which will
result in a socket leak.

This patch adds sock_release() to fix the leak issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49020

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49021
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: phy: fix null-ptr-deref while probe() failed

I got a null-ptr-deref report as following when doing fault injection test:

BUG: kernel NULL pointer dereference, address: 0000000000000058
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G    B            N 6.1.0-rc3+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:
 <TASK>
 klist_remove+0xf1/0x1c0
 device_release_driver_internal+0x23e/0x2d0
 bus_remove_device+0x1bd/0x240
 device_del+0x357/0x770
 phy_device_remove+0x11/0x30
 mdiobus_unregister+0xa5/0x140
 release_nodes+0x6a/0xa0
 devres_release_all+0xf8/0x150
 device_unbind_cleanup+0x19/0xd0

//probe path:
phy_device_register()
  device_add()

phy_connect
  phy_attach_direct() //set device driver
    probe() //it's failed, driver is not bound
    device_bind_driver() // probe failed, it's not called

//remove path:
phy_device_remove()
  device_del()
    device_release_driver_internal()
      __device_release_driver() //dev->drv is not NULL
        klist_remove() <- knode_driver is not added yet, cause null-ptr-deref

In phy_attach_direct(), after setting the 'dev->driver', probe() fails,
device_bind_driver() is not called, so the knode_driver->n_klist is not
set, then it causes null-ptr-deref in __device_release_driver() while
deleting device. Fix this by setting dev->driver to NULL in the error
path in phy_attach_direct().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49021

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49022
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration

Fix possible out-of-bound access in ieee80211_get_rate_duration routine
as reported by the following UBSAN report:

UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47
index 15 is out of range for type 'u16 [12]'
CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic
Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017
Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
Call Trace:
 <TASK>
 show_stack+0x4e/0x61
 dump_stack_lvl+0x4a/0x6f
 dump_stack+0x10/0x18
 ubsan_epilogue+0x9/0x43
 __ubsan_handle_out_of_bounds.cold+0x42/0x47
ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
 ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
 ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
 ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
 mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
 mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
 mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
 process_one_work+0x225/0x400
 worker_thread+0x50/0x3e0
 ? process_one_work+0x400/0x400
 kthread+0xe9/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49022

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49023
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: fix buffer overflow in elem comparison

For vendor elements, the code here assumes that 5 octets
are present without checking. Since the element itself is
already checked to fit, we only need to check the length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49023

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49024
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods

In m_can_pci_remove() and error handling path of m_can_pci_probe(),
m_can_class_free_dev() should be called to free resource allocated by
m_can_class_allocate_dev(), otherwise there will be memleak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49024

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49025
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix use-after-free when reverting termination table

When having multiple dests with termination tables and second one
or afterwards fails the driver reverts usage of term tables but
doesn't reset the assignment in attr->dests[num_vport_dests].termtbl
which case a use-after-free when releasing the rule.
Fix by resetting the assignment of termtbl to null.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49025

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49026
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

e100: Fix possible use after free in e100_xmit_prepare

In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so
e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will
resend the skb. But the skb is already freed, which will cause UAF bug
when the upper layer resends the skb.

Remove the harmful free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49026

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49027
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iavf: Fix error handling in iavf_init_module()

The iavf_init_module() won't destroy workqueue when pci_register_driver()
failed. Call destroy_workqueue() when pci_register_driver() failed to
prevent the resource leak.

Similar to the handling of u132_hcd_init in commit f276e002793c
("usb: u132-hcd: fix resource leak")
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49027

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49028
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ixgbevf: Fix resource leak in ixgbevf_init_module()

ixgbevf_init_module() won't destroy the workqueue created by
create_singlethread_workqueue() when pci_register_driver() failed. Add
destroy_workqueue() in fail path to prevent the resource leak.

Similar to the handling of u132_hcd_init in commit f276e002793c
("usb: u132-hcd: fix resource leak")
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49028

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49029
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails

Smatch report warning as follows:

drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
  '&data->list' not removed from list

If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
be freed, but data->list will not be removed from driver_data.bmc_data,
then list traversal may cause UAF.

Fix by removeing it from driver_data.bmc_data before free().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49029

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49030
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

libbpf: Handle size overflow for ringbuf mmap

The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries
will overflow u32 when mapping producer page and data pages. Only
casting max_entries to size_t is not enough, because for 32-bits
application on 64-bits kernel the size of read-only mmap region
also could overflow size_t.

So fixing it by casting the size of read-only mmap region into a __u64
and checking whether or not there will be overflow during mmap.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49030

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49031
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: health: afe4403: Fix oob read in afe4403_read_raw

KASAN report out-of-bounds read as follows:

BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0
Read of size 4 at addr ffffffffc02ac638 by task cat/279

Call Trace:
 afe4403_read_raw
 iio_read_channel_info
 dev_attr_show

The buggy address belongs to the variable:
 afe4403_channel_leds+0x18/0xffffffffffffe9e0

This issue can be reproduced by singe command:

 $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw

The array size of afe4403_channel_leds is less than channels, so access
with chan->address cause OOB read in afe4403_read_raw. Fix it by moving
access before use it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49031

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49032
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw

KASAN report out-of-bounds read as follows:

BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380
Read of size 4 at addr ffffffffc00e4658 by task cat/278

Call Trace:
 afe4404_read_raw
 iio_read_channel_info
 dev_attr_show

The buggy address belongs to the variable:
 afe4404_channel_leds+0x18/0xffffffffffffe9c0

This issue can be reproduce by singe command:

 $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw

The array size of afe4404_channel_leds and afe4404_channel_offdacs
are less than channels, so access with chan->address cause OOB read
in afe4404_[read|write]_raw. Fix it by moving access before use them.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49032

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2022-49033
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()

Syzkaller reported BUG as follows:

  BUG: sleeping function called from invalid context at
       include/linux/sched/mm.h:274
  Call Trace:
   <TASK>
   dump_stack_lvl+0xcd/0x134
   __might_resched.cold+0x222/0x26b
   kmem_cache_alloc+0x2e7/0x3c0
   update_qgroup_limit_item+0xe1/0x390
   btrfs_qgroup_inherit+0x147b/0x1ee0
   create_subvol+0x4eb/0x1710
   btrfs_mksubvol+0xfe5/0x13f0
   __btrfs_ioctl_snap_create+0x2b0/0x430
   btrfs_ioctl_snap_create_v2+0x25a/0x520
   btrfs_ioctl+0x2a1c/0x5ce0
   __x64_sys_ioctl+0x193/0x200
   do_syscall_64+0x35/0x80

Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in
btrfs_run_qgroups() later outside of the spinlock context.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-49033

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0030
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0030

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0045
CVE STATUS: Patched
CVE SUMMARY: The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set  function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall.  The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176.

We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0045

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0122
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference vulnerability in the Linux kernel NVMe functionality, in nvmet_setup_auth(), allows an attacker to perform a Pre-Auth Denial of Service (DoS) attack on a remote machine. Affected versions v6.0-rc1 to v6.0-rc3, fixed in v6.0-rc4.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0122

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0160
CVE STATUS: Patched
CVE SUMMARY: A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0160

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0179
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0179

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0210
CVE STATUS: Patched
CVE SUMMARY: A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0210

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0240
CVE STATUS: Patched
CVE SUMMARY: There is a logic error in io_uring's implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation.

In the io_prep_async_work function the assumption that the last io_grab_identity call cannot return false is not true, and in this case the function will use the init_cred or the previous linked requests identity to do operations instead of using the current identity. This can lead to reference counting issues causing use-after-free. We recommend upgrading past version 5.10.161.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0240

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0266
CVE STATUS: Patched
CVE SUMMARY: A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.9
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0266

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0386
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0386

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0394
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0394

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0458
CVE STATUS: Patched
CVE SUMMARY: A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0458

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0459
CVE STATUS: Patched
CVE SUMMARY: Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0459

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0461
CVE STATUS: Patched
CVE SUMMARY: There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege.

There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.

When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.

The setsockopt TCP_ULP operation does not require any privilege.

We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0461

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0468
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel due to a race condition of poll_refs. This flaw may cause a NULL pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0468

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0469
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in io_uring/filetable.c in io_install_fixed_file in the io_uring subcomponent in the Linux Kernel during call cleanup. This flaw may lead to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0469

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0590
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") not applied yet, then kernel could be affected.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0590

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0597
CVE STATUS: Patched
CVE SUMMARY: A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0597

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-0615
CVE STATUS: Patched
CVE SUMMARY: A memory leak flaw and potential divide by zero and Integer overflow was found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if vivid test code enabled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0615

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1032
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel io_uring IORING_OP_SOCKET operation contained a double free in function __sys_socket_file() in file net/socket.c. This issue was introduced in da214a475f8bd1d3e9e7a19ddfeb4d1617551bab and fixed in 649c15c7691e9b13cbe9bf6c65c365350e056067.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1032

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1073
CVE STATUS: Unpatched
CVE SUMMARY: A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1073

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1074
CVE STATUS: Unpatched
CVE SUMMARY: A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1075
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1076
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1077
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1078
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1079
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1095
CVE STATUS: Patched
CVE SUMMARY: In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1118
CVE STATUS: Patched
CVE SUMMARY: A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1118

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1192
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, there are still local variable points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a free memory region, leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1192

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1193
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1193

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1194
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1194

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1195
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in reconn_set_ipaddr_from_hostname in fs/cifs/connect.c in the Linux kernel. The issue occurs when it forgets to set the free pointer server->hostname to NULL, leading to an invalid pointer request.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1195

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1206
CVE STATUS: Patched
CVE SUMMARY: A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1206

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1249
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") not applied yet, then kernel could be affected.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1249

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1252
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") not applied yet, the kernel could be affected.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1252

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1281
CVE STATUS: Patched
CVE SUMMARY: Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.
This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1281

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1295
CVE STATUS: Patched
CVE SUMMARY: A time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1295

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1380
CVE STATUS: Patched
CVE SUMMARY: A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1380

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1382
CVE STATUS: Patched
CVE SUMMARY: A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1382

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1390
CVE STATUS: Patched
CVE SUMMARY: A remote denial of service vulnerability was found in the Linux kernel’s TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue. Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1390

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1476
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s mm/mremap memory address space accounting source code. This issue occurs due to a race condition between rmap walk and mremap, allowing a local user to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1476

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1513
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1513

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1582
CVE STATUS: Patched
CVE SUMMARY: A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1582

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1583
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux Kernel. When fixed files are unregistered, some context information (file_alloc_{start,end} and alloc_hint) is not cleared. A subsequent request that has auto index selection enabled via IORING_FILE_INDEX_ALLOC can cause a NULL pointer dereference. An unprivileged user can use the flaw to cause a system crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1583

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1611
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1611

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1637
CVE STATUS: Patched
CVE SUMMARY: A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1637

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1652
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1652

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1670
CVE STATUS: Patched
CVE SUMMARY: A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1670

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1829
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1829

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1838
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1838

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1855
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1855

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1859
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1859

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1872
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.

The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.

We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1872

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1989
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1989

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1990
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1990

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-1998
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.

This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.



CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1998

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2002
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2006
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2007
CVE STATUS: Patched
CVE SUMMARY: The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2007

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2008
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2008

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2019
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2019

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20659
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588413.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20659

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20660
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588383; Issue ID: ALPS07588383.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20661
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07560782; Issue ID: ALPS07560782.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20661

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20662
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07560765; Issue ID: ALPS07560765.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20662

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20663
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07560741; Issue ID: ALPS07560741.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20663

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20674
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588569; Issue ID: ALPS07588552.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20674

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20675
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588569; Issue ID: ALPS07588569.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20675

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20676
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588569; Issue ID: ALPS07628518.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20676

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20677
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588436.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20677

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20679
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588453.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20679

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20682
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441605; Issue ID: ALPS07441605.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20682

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20712
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796914; Issue ID: ALPS07796914.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20712

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20715
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796900; Issue ID: ALPS07796900.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20715

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20716
CVE STATUS: Patched
CVE SUMMARY: In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796883; Issue ID: ALPS07796883.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20716

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20810
CVE STATUS: Patched
CVE SUMMARY: In IOMMU, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03692061; Issue ID: DTV03692061.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20810

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20811
CVE STATUS: Patched
CVE SUMMARY: In IOMMU, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03692061; Issue ID: DTV03692061.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20811

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20838
CVE STATUS: Patched
CVE SUMMARY: In imgsys, there is a possible out of bounds read due to a race condition. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326418.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20838

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20839
CVE STATUS: Patched
CVE SUMMARY: In imgsys, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326409.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20839

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20840
CVE STATUS: Patched
CVE SUMMARY: In imgsys, there is a possible out of bounds read and write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326430; Issue ID: ALPS07326430.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20840

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20841
CVE STATUS: Patched
CVE SUMMARY: In imgsys, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326441.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20841

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20842
CVE STATUS: Patched
CVE SUMMARY: In imgsys_cmdq, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354259; Issue ID: ALPS07340477.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20842

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20843
CVE STATUS: Patched
CVE SUMMARY: In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340119; Issue ID: ALPS07340119.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20843

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20844
CVE STATUS: Patched
CVE SUMMARY: In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354058; Issue ID: ALPS07340121.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20844

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20845
CVE STATUS: Patched
CVE SUMMARY: In imgsys, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07197795; Issue ID: ALPS07340357.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20845

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20846
CVE STATUS: Patched
CVE SUMMARY: In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354023; Issue ID: ALPS07340098.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20846

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20847
CVE STATUS: Patched
CVE SUMMARY: In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local denial of service with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354025; Issue ID: ALPS07340108.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20847

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20848
CVE STATUS: Patched
CVE SUMMARY: In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340433.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20849
CVE STATUS: Patched
CVE SUMMARY: In imgsys_cmdq, there is a possible use after free due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340350.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20849

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-20850
CVE STATUS: Patched
CVE SUMMARY: In imgsys_cmdq, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340381.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2124
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2124

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2156
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2156

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2162
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2163
CVE STATUS: Patched
CVE SUMMARY: Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe
code paths being incorrectly marked as safe, resulting in arbitrary read/write in
kernel memory, lateral privilege escalation, and container escape.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 10.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2163

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2166
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2166

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2176
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2176

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2177
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2177

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2194
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace "data->block[0]" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2194

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2235
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.

The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.

We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2235

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2236
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.

Both io_install_fixed_file and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.

We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2236

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2269
CVE STATUS: Patched
CVE SUMMARY: A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2269

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-22995
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-22995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-22996
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.17.2, drivers/soc/qcom/qcom_aoss.c does not release an of_find_device_by_node reference after use, e.g., with put_device.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-22996

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-22997
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.1.2, kernel/module/decompress.c misinterprets the module_get_next_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-22997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-22998
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-22998

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-22999
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-22999

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23000
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case, but an error pointer is used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23000

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23001
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.16.3, drivers/scsi/ufs/ufs-mediatek.c misinterprets the regulator_get return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23002
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.16.3, drivers/bluetooth/hci_qca.c misinterprets the devm_gpiod_get_index_optional return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23003
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.16, tools/perf/util/expr.c lacks a check for the hashmap__new return value.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23003

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23004
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23004

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23005
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23005

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23006
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 5.15.13, drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23039
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.2.0-rc2. drivers/tty/vcc.c has a race condition and resultant use-after-free if a physically proximate attacker removes a VCC device while calling open(), aka a race condition between vcc_open() and vcc_remove().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.7
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23454
CVE STATUS: Patched
CVE SUMMARY: cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23454

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23455
CVE STATUS: Patched
CVE SUMMARY: atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23455

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23559
CVE STATUS: Patched
CVE SUMMARY: In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23559

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-23586
CVE STATUS: Patched
CVE SUMMARY: Due to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process. timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit  788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring 

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23586

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2430
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring.c in Linux Kernel. This flaw allows a local attacker with user privilege to trigger a Denial of Service threat.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2430

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-25012
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25012

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2513
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2513

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2598
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2598

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-26242
CVE STATUS: Patched
CVE SUMMARY: afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26242

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-26544
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26544

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-26545
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26545

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-26605
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback.c, related to __list_del_entry_valid.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26605

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-26606
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26606

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-26607
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26607

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-28327
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28327

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-28328
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or potentially cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28328

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-28464
CVE STATUS: Patched
CVE SUMMARY: hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28464

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-28466
CVE STATUS: Patched
CVE SUMMARY: do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28466

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2860
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2860

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-28772
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28772

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-28866
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28866

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2898
CVE STATUS: Unpatched
CVE SUMMARY: There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2898

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-2985
CVE STATUS: Patched
CVE SUMMARY: A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2985

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3006
CVE STATUS: Patched
CVE SUMMARY: A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3022
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the IPv6 module of the Linux kernel. The arg.result was not used consistently in fib6_rule_lookup, sometimes holding rt6_info and other times fib6_info. This was not accounted for in other parts of the code where rt6_info was expected unconditionally, potentially leading to a kernel panic in fib6_rule_suppress.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3022

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-30456
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30456

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-30772
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30772

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3090
CVE STATUS: Patched
CVE SUMMARY: A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.

The out-of-bounds write is caused by missing skb->cb  initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.


We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3090

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3106
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference vulnerability was found in netlink_dump. This issue can occur when the Netlink socket receives the message(sendmsg) for the XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY type message, and the DUMP flag is set and can cause a denial of service or possibly another unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3106

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3108
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the subsequent get_user_pages_fast in the Linux kernel’s interface for symmetric key cipher algorithms in the skcipher_recvmsg of crypto/algif_skcipher.c function. This flaw allows a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3108

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-31081
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. In vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes vidtv_mux_stop_thread(dvb->mux).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31081

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-31082
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31082

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-31083
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-31084
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31084

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-31085
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31085

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3111
CVE STATUS: Patched
CVE SUMMARY: A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3111

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-31248
CVE STATUS: Patched
CVE SUMMARY: Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31248

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3141
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3141

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-31436
CVE STATUS: Patched
CVE SUMMARY: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31436

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3159
CVE STATUS: Patched
CVE SUMMARY: A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3159

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3161
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3161

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3212
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3212

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3220
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3220

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32233
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32233

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32247
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32247

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32248
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32248

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32250
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32250

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32252
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_LOGOFF commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32252

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32254
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32254

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32257
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP and SMB2_LOGOFF commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32257

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32258
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32258

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32269
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32269

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3268
CVE STATUS: Patched
CVE SUMMARY: An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3268

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3269
CVE STATUS: Patched
CVE SUMMARY: A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3269

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32810
CVE STATUS: Patched
CVE SUMMARY: In bluetooth driver, there is a possible out of bounds read due to improper input validation. This could lead to local information leak with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07867212; Issue ID: ALPS07867212.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32810

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-32820
CVE STATUS: Patched
CVE SUMMARY: In wlan firmware, there is a possible firmware assertion due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07932637; Issue ID: ALPS07932637.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32820

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3312
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in cpufreq subsystem in the Linux Kernel. This flaw, during device unbind will lead to double release problem leading to denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3312

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3317
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in mt7921_check_offload_capability in drivers/net/wireless/mediatek/mt76/mt7921/init.c in wifi mt76/mt7921 sub-component in the Linux Kernel. This flaw could allow an attacker to crash the system after 'features' memory release. This vulnerability could even lead to a kernel information leak problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3317

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-33203
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33203

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-33250
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel 6.3 has a use-after-free in iopt_unmap_iova_range in drivers/iommu/iommufd/io_pagetable.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33250

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-33288
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33288

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3338
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3338

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3355
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). This issue allows a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3355

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3357
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel AMD Sensor Fusion Hub driver. This flaw allows a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3357

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3358
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3358

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3359
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel brcm_nvram_parse in drivers/nvmem/brcm_nvram.c. Lacks for the check of the return value of kzalloc() can cause the NULL Pointer Dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3359

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3389
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.

Racing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.

We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3389

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3390
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.

Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.

We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3390

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-33951
CVE STATUS: Patched
CVE SUMMARY: A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the handling of GEM objects. The issue results from improper locking when performing operations on an object. This flaw allows a local privileged user to disclose information in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-33952
CVE STATUS: Patched
CVE SUMMARY: A double-free vulnerability was found in handling vmw_buffer_object objects in the vmwgfx driver in the Linux kernel. This issue occurs due to the lack of validating the existence of an object prior to performing further free operations on the object, which may allow a local privileged user to escalate privileges and execute code in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33952

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3397
CVE STATUS: Unpatched
CVE SUMMARY: A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3397

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-34256
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated "When modifying the block device while it is mounted by the filesystem" access.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34256

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-34319
CVE STATUS: Patched
CVE SUMMARY: The fix for XSA-423 added logic to Linux'es netback driver to deal with
a frontend splitting a packet in a way such that not all of the headers
would come in one piece.  Unfortunately the logic introduced there
didn't account for the extreme case of the entire packet being split
into as many pieces as permitted by the protocol, yet still being
smaller than the area that's specially dealt with to keep all (possible)
headers together.  Such an unusual packet would therefore trigger a
buffer overrun in the driver.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34319

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-34324
CVE STATUS: Patched
CVE SUMMARY: Closing of an event channel in the Linux kernel can result in a deadlock.
This happens when the close is being performed in parallel to an unrelated
Xen console action and the handling of a Xen console interrupt in an
unprivileged guest.

The closing of an event channel is e.g. triggered by removal of a
paravirtual device on the other side. As this action will cause console
messages to be issued on the other side quite often, the chance of
triggering the deadlock is not neglectable.

Note that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel
on Arm doesn't use queued-RW-locks, which are required to trigger the
issue (on Arm32 a waiting writer doesn't block further readers to get
the lock).

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34324

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3439
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the MCTP protocol in the Linux kernel. The function mctp_unregister() reclaims the device's relevant resource when a netcard detaches. However, a running routine may be unaware of this and cause the use-after-free of the mdev->addrs object, potentially leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3439

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-35001
CVE STATUS: Patched
CVE SUMMARY: Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-35001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3567
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3567

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-35788
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-35788

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-35823
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-35823

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-35824
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-35824

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-35826
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-35826

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-35827
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-35827

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-35828
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-35828

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-35829
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-35829

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3609
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.

If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.

We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3609

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3610
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.

We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3610

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3611
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.

The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.

We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3611

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3640
CVE STATUS: Unpatched
CVE SUMMARY: A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3640

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-37453
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37453

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-37454
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. NOTE: the suse.com reference has a different perspective about this.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37454

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3772
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3772

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3773
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3773

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3776
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.

If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.

We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3776

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3777
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances.

We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3777

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3812
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory access flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3812

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-38409
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38409

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-38426
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38426

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-38427
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38427

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-38428
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38428

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-38429
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38429

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-38430
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38430

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-38431
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/connection.c in ksmbd does not validate the relationship between the NetBIOS header's length field and the SMB header sizes, via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38431

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-38432
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38432

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-3863
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3863

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-39189
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39189

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-39191
CVE STATUS: Patched
CVE SUMMARY: An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39191

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-39192
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39192

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-39193
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39193

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-39194
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39194

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-39197
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39197

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-39198
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39198

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4004
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4004

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4010
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4010

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4015
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

On an error when building a nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead unbinding the chain and objects be deactivated but later used.

We recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4015

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-40283
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40283

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-40791
CVE STATUS: Patched
CVE SUMMARY: extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.12 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40791

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4132
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4132

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4133
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4133

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4134
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in the cyttsp4_core driver in the Linux kernel. This issue occurs in the device cleanup routine due to a possible rearming of the watchdog_timer from the workqueue. This could allow a local user to crash the system, causing a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4134

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4147
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4147

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4155
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4155

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4194
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4194

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4206
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.

When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4206

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4207
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.

When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4207

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4208
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.

When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4208

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4244
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.

We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4244

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4273
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4273

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-42752
CVE STATUS: Patched
CVE SUMMARY: An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42752

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-42753
CVE STATUS: Patched
CVE SUMMARY: An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42753

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-42754
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42754

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-42755
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. This issue may allow a local user to crash the system and cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42755

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-42756
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Netfilter subsystem of the Linux kernel. A race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP can lead to a kernel panic due to the invocation of `__ip_set_put` on a wrong `set`. This issue may allow a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42756

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4385
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4385

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4387
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4387

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4389
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4389

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4394
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4394

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-44466
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-44466

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4459
CVE STATUS: Patched
CVE SUMMARY: A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4459

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4569
CVE STATUS: Patched
CVE SUMMARY: A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause double-deactivations of catchall elements, which can result in a memory leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4569

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-45862
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45862

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-45863
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45863

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-45871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45871

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-45898
CVE STATUS: Patched
CVE SUMMARY: The Linux kernel before 6.5.4 has an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45898

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4611
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in mm/mempolicy.c in the memory management subsystem in the Linux Kernel. This issue is caused by a race between mbind() and VMA-locked page fault, and may allow a local attacker to crash the system or lead to a kernel information leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4611

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4622
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.

The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.

We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4622

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4623
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.

If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.

We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4623

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-46343
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46343

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-46813
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46813

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-46838
CVE STATUS: Patched
CVE SUMMARY: Transmit requests in Xen's virtual network protocol can consist of
multiple parts.  While not really useful, except for the initial part
any of them may be of zero length, i.e. carry no data at all.  Besides a
certain initial portion of the to be transferred data, these parts are
directly translated into what Linux calls SKB fragments.  Such converted
request parts can, when for a particular SKB they are all of length
zero, lead to a de-reference of NULL in core networking code.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46838

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-46862
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46862

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-47233
CVE STATUS: Patched
CVE SUMMARY: The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this "could be exploited in a real world scenario." This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.3
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-47233

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4732
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement referencing pmd_t x.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4732

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-4921
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.

When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().

We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4921

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-50431
CVE STATUS: Patched
CVE SUMMARY: sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50431

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-5090
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5090

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-51042
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51042

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-51043
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51043

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-5158
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5158

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-5178
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5178

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-51780
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51780

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-51781
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51781

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-51782
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51782

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-5197
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

Addition and removal of rules from chain bindings within the same transaction causes leads to use-after-free.

We recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5197

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52340
CVE STATUS: Patched
CVE SUMMARY: The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52340

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52429
CVE STATUS: Patched
CVE SUMMARY: dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52429

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52434
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential OOBs in smb2_parse_contexts()

Validate offsets and lengths before dereferencing create contexts in
smb2_parse_contexts().

This fixes following oops when accessing invalid create contexts from
server:

  BUG: unable to handle page fault for address: ffff8881178d8cc3
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 4a01067 P4D 4a01067 PUD 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
  rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
  RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]
  Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00
  00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7
  7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00
  RSP: 0018:ffffc900007939e0 EFLAGS: 00010216
  RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90
  RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000
  RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000
  R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000
  R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22
  FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)
  knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? __die+0x23/0x70
   ? page_fault_oops+0x181/0x480
   ? search_module_extables+0x19/0x60
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? exc_page_fault+0x1b6/0x1c0
   ? asm_exc_page_fault+0x26/0x30
   ? smb2_parse_contexts+0xa0/0x3a0 [cifs]
   SMB2_open+0x38d/0x5f0 [cifs]
   ? smb2_is_path_accessible+0x138/0x260 [cifs]
   smb2_is_path_accessible+0x138/0x260 [cifs]
   cifs_is_path_remote+0x8d/0x230 [cifs]
   cifs_mount+0x7e/0x350 [cifs]
   cifs_smb3_do_mount+0x128/0x780 [cifs]
   smb3_get_tree+0xd9/0x290 [cifs]
   vfs_get_tree+0x2c/0x100
   ? capable+0x37/0x70
   path_mount+0x2d7/0xb80
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? _raw_spin_unlock_irqrestore+0x44/0x60
   __x64_sys_mount+0x11a/0x150
   do_syscall_64+0x47/0xf0
   entry_SYSCALL_64_after_hwframe+0x6f/0x77
  RIP: 0033:0x7f8737657b1e
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52434

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52435
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: prevent mss overflow in skb_segment()

Once again syzbot is able to crash the kernel in skb_segment() [1]

GSO_BY_FRAGS is a forbidden value, but unfortunately the following
computation in skb_segment() can reach it quite easily :

	mss = mss * partial_segs;

65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to
a bad final result.

Make sure to limit segmentation so that the new mss value is smaller
than GSO_BY_FRAGS.

[1]

general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109
ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120
skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53
__skb_gso_segment+0x339/0x710 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626
__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
packet_xmit+0x257/0x380 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3087 [inline]
packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
__do_sys_sendto net/socket.c:2202 [inline]
__se_sys_sendto net/socket.c:2198 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f8692032aa9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9
RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480
R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
RBP: ffffc90004347578 R0
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52435

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52436
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: explicitly null-terminate the xattr list

When setting an xattr, explicitly null-terminate the xattr list.  This
eliminates the fragile assumption that the unused xattr space is always
zeroed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52436

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52438
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

binder: fix use-after-free in shinker's callback

The mmap read lock is used during the shrinker's callback, which means
that using alloc->vma pointer isn't safe as it can race with munmap().
As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in
munmap") the mmap lock is downgraded after the vma has been isolated.

I was able to reproduce this issue by manually adding some delays and
triggering page reclaiming through the shrinker's debug sysfs. The
following KASAN report confirms the UAF:

  ==================================================================
  BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8
  Read of size 8 at addr ffff356ed50e50f0 by task bash/478

  CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   zap_page_range_single+0x470/0x4b8
   binder_alloc_free_page+0x608/0xadc
   __list_lru_walk_one+0x130/0x3b0
   list_lru_walk_node+0xc4/0x22c
   binder_shrink_scan+0x108/0x1dc
   shrinker_debugfs_scan_write+0x2b4/0x500
   full_proxy_write+0xd4/0x140
   vfs_write+0x1ac/0x758
   ksys_write+0xf0/0x1dc
   __arm64_sys_write+0x6c/0x9c

  Allocated by task 492:
   kmem_cache_alloc+0x130/0x368
   vm_area_alloc+0x2c/0x190
   mmap_region+0x258/0x18bc
   do_mmap+0x694/0xa60
   vm_mmap_pgoff+0x170/0x29c
   ksys_mmap_pgoff+0x290/0x3a0
   __arm64_sys_mmap+0xcc/0x144

  Freed by task 491:
   kmem_cache_free+0x17c/0x3c8
   vm_area_free_rcu_cb+0x74/0x98
   rcu_core+0xa38/0x26d4
   rcu_core_si+0x10/0x1c
   __do_softirq+0x2fc/0xd24

  Last potentially related work creation:
   __call_rcu_common.constprop.0+0x6c/0xba0
   call_rcu+0x10/0x1c
   vm_area_free+0x18/0x24
   remove_vma+0xe4/0x118
   do_vmi_align_munmap.isra.0+0x718/0xb5c
   do_vmi_munmap+0xdc/0x1fc
   __vm_munmap+0x10c/0x278
   __arm64_sys_munmap+0x58/0x7c

Fix this issue by performing instead a vma_lookup() which will fail to
find the vma that was isolated before the mmap lock downgrade. Note that
this option has better performance than upgrading to a mmap write lock
which would increase contention. Plus, mmap_write_trylock() has been
recently removed anyway.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52438

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52439
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

uio: Fix use-after-free in uio_open

core-1				core-2
-------------------------------------------------------
uio_unregister_device		uio_open
				idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
				get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
				uio_release
				put_device(&idev->dev)
				kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev->dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double
   freed.

To address this issue, we can get idev atomic & inc idev reference with
minor_lock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52439

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52440
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()

If authblob->SessionKey.Length is bigger than session key
size(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes.
cifs_arc4_crypt copy to session key array from SessionKey from client.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52440

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52441
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix out of bounds in init_smb2_rsp_hdr()

If client send smb2 negotiate request and then send smb1 negotiate
request, init_smb2_rsp_hdr is called for smb1 negotiate request since
need_neg is set to false. This patch ignore smb1 packets after ->need_neg
is set to false.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52441

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52443
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid crash when parsed profile name is empty

When processing a packed profile in unpack_profile() described like

 "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"

a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then
passed to aa_splitn_fqname().

aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace.
Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later
aa_alloc_profile() crashes as the new profile name is NULL now.

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
 <TASK>
 ? strlen+0x1e/0xa0
 aa_policy_init+0x1bb/0x230
 aa_alloc_profile+0xb1/0x480
 unpack_profile+0x3bc/0x4960
 aa_unpack+0x309/0x15e0
 aa_replace_profiles+0x213/0x33c0
 policy_update+0x261/0x370
 profile_replace+0x20e/0x2a0
 vfs_write+0x2af/0xe00
 ksys_write+0x126/0x250
 do_syscall_64+0x46/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
 </TASK>
---[ end trace 0000000000000000 ]---
RIP: 0010:strlen+0x1e/0xa0

It seems such behaviour of aa_splitn_fqname() is expected and checked in
other places where it is called (e.g. aa_remove_profiles). Well, there
is an explicit comment "a ns name without a following profile is allowed"
inside.

AFAICS, nothing can prevent unpacked "name" to be in form like
":samba-dcerpcd" - it is passed from userspace.

Deny the whole profile set replacement in such case and inform user with
EPROTO and an explaining message.

Found by Linux Verification Center (linuxtesting.org).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52443

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52444
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid dirent corruption

As Al reported in link[1]:

f2fs_rename()
...
	if (old_dir != new_dir && !whiteout)
		f2fs_set_link(old_inode, old_dir_entry,
					old_dir_page, new_dir);
	else
		f2fs_put_page(old_dir_page, 0);

You want correct inumber in the ".." link.  And cross-directory
rename does move the source to new parent, even if you'd been asked
to leave a whiteout in the old place.

[1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/

With below testcase, it may cause dirent corruption, due to it missed
to call f2fs_set_link() to update ".." link to new directory.
- mkdir -p dir/foo
- renameat2 -w dir/foo bar

[ASSERT] (__chk_dots_dentries:1421)  --> Bad inode number[0x4] for '..', parent parent ino is [0x3]
[FSCK] other corrupted bugs                           [Fail]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52444

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52445
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: pvrusb2: fix use after free on context disconnection

Upon module load, a kthread is created targeting the
pvr2_context_thread_func function, which may call pvr2_context_destroy
and thus call kfree() on the context object. However, that might happen
before the usb hub_event handler is able to notify the driver. This
patch adds a sanity check before the invalid read reported by syzbot,
within the context disconnection call stack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52445

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52446
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a race condition between btf_put() and map_free()

When running `./test_progs -j` in my local vm with latest kernel,
I once hit a kasan error like below:

  [ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8/0x2b0
  [ 1887.185599] Read of size 4 at addr ffff888106806910 by task kworker/u12:2/2830
  [ 1887.186498]
  [ 1887.186712] CPU: 3 PID: 2830 Comm: kworker/u12:2 Tainted: G           OEL     6.7.0-rc3-00699-g90679706d486-dirty #494
  [ 1887.188034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
  [ 1887.189618] Workqueue: events_unbound bpf_map_free_deferred
  [ 1887.190341] Call Trace:
  [ 1887.190666]  <TASK>
  [ 1887.190949]  dump_stack_lvl+0xac/0xe0
  [ 1887.191423]  ? nf_tcp_handle_invalid+0x1b0/0x1b0
  [ 1887.192019]  ? panic+0x3c0/0x3c0
  [ 1887.192449]  print_report+0x14f/0x720
  [ 1887.192930]  ? preempt_count_sub+0x1c/0xd0
  [ 1887.193459]  ? __virt_addr_valid+0xac/0x120
  [ 1887.194004]  ? bpf_rb_root_free+0x1f8/0x2b0
  [ 1887.194572]  kasan_report+0xc3/0x100
  [ 1887.195085]  ? bpf_rb_root_free+0x1f8/0x2b0
  [ 1887.195668]  bpf_rb_root_free+0x1f8/0x2b0
  [ 1887.196183]  ? __bpf_obj_drop_impl+0xb0/0xb0
  [ 1887.196736]  ? preempt_count_sub+0x1c/0xd0
  [ 1887.197270]  ? preempt_count_sub+0x1c/0xd0
  [ 1887.197802]  ? _raw_spin_unlock+0x1f/0x40
  [ 1887.198319]  bpf_obj_free_fields+0x1d4/0x260
  [ 1887.198883]  array_map_free+0x1a3/0x260
  [ 1887.199380]  bpf_map_free_deferred+0x7b/0xe0
  [ 1887.199943]  process_scheduled_works+0x3a2/0x6c0
  [ 1887.200549]  worker_thread+0x633/0x890
  [ 1887.201047]  ? __kthread_parkme+0xd7/0xf0
  [ 1887.201574]  ? kthread+0x102/0x1d0
  [ 1887.202020]  kthread+0x1ab/0x1d0
  [ 1887.202447]  ? pr_cont_work+0x270/0x270
  [ 1887.202954]  ? kthread_blkcg+0x50/0x50
  [ 1887.203444]  ret_from_fork+0x34/0x50
  [ 1887.203914]  ? kthread_blkcg+0x50/0x50
  [ 1887.204397]  ret_from_fork_asm+0x11/0x20
  [ 1887.204913]  </TASK>
  [ 1887.204913]  </TASK>
  [ 1887.205209]
  [ 1887.205416] Allocated by task 2197:
  [ 1887.205881]  kasan_set_track+0x3f/0x60
  [ 1887.206366]  __kasan_kmalloc+0x6e/0x80
  [ 1887.206856]  __kmalloc+0xac/0x1a0
  [ 1887.207293]  btf_parse_fields+0xa15/0x1480
  [ 1887.207836]  btf_parse_struct_metas+0x566/0x670
  [ 1887.208387]  btf_new_fd+0x294/0x4d0
  [ 1887.208851]  __sys_bpf+0x4ba/0x600
  [ 1887.209292]  __x64_sys_bpf+0x41/0x50
  [ 1887.209762]  do_syscall_64+0x4c/0xf0
  [ 1887.210222]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
  [ 1887.210868]
  [ 1887.211074] Freed by task 36:
  [ 1887.211460]  kasan_set_track+0x3f/0x60
  [ 1887.211951]  kasan_save_free_info+0x28/0x40
  [ 1887.212485]  ____kasan_slab_free+0x101/0x180
  [ 1887.213027]  __kmem_cache_free+0xe4/0x210
  [ 1887.213514]  btf_free+0x5b/0x130
  [ 1887.213918]  rcu_core+0x638/0xcc0
  [ 1887.214347]  __do_softirq+0x114/0x37e

The error happens at bpf_rb_root_free+0x1f8/0x2b0:

  00000000000034c0 <bpf_rb_root_free>:
  ; {
    34c0: f3 0f 1e fa                   endbr64
    34c4: e8 00 00 00 00                callq   0x34c9 <bpf_rb_root_free+0x9>
    34c9: 55                            pushq   %rbp
    34ca: 48 89 e5                      movq    %rsp, %rbp
  ...
  ;       if (rec && rec->refcount_off >= 0 &&
    36aa: 4d 85 ed                      testq   %r13, %r13
    36ad: 74 a9                         je      0x3658 <bpf_rb_root_free+0x198>
    36af: 49 8d 7d 10                   leaq    0x10(%r13), %rdi
    36b3: e8 00 00 00 00                callq   0x36b8 <bpf_rb_root_free+0x1f8>
                                        <==== kasan function
    36b8: 45 8b 7d 10                   movl    0x10(%r13), %r15d
                                        <==== use-after-free load
    36bc: 45 85 ff                      testl   %r15d, %r15d
    36bf: 78 8c                         js      0x364d <bpf_rb_root_free+0x18d>

So the problem 
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52446

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52447
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Defer the free of inner map when necessary

When updating or deleting an inner map in map array or map htab, the map
may still be accessed by non-sleepable program or sleepable program.
However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map
directly through bpf_map_put(), if the ref-counter is the last one
(which is true for most cases), the inner map will be freed by
ops->map_free() in a kworker. But for now, most .map_free() callbacks
don't use synchronize_rcu() or its variants to wait for the elapse of a
RCU grace period, so after the invocation of ops->map_free completes,
the bpf program which is accessing the inner map may incur
use-after-free problem.

Fix the free of inner map by invoking bpf_map_free_deferred() after both
one RCU grace period and one tasks trace RCU grace period if the inner
map has been removed from the outer map before. The deferment is
accomplished by using call_rcu() or call_rcu_tasks_trace() when
releasing the last ref-counter of bpf map. The newly-added rcu_head
field in bpf_map shares the same storage space with work field to
reduce the size of bpf_map.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52447

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52448
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

Syzkaller has reported a NULL pointer dereference when accessing
rgd->rd_rgl in gfs2_rgrp_dump().  This can happen when creating
rgd->rd_gl fails in read_rindex_entry().  Add a NULL pointer check in
gfs2_rgrp_dump() to prevent that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52448

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52449
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
triggers NULL pointer dereference when trying to access
‘gluebi->desc’ in gluebi_read().

ubi_gluebi_init
  ubi_register_volume_notifier
    ubi_enumerate_volumes
      ubi_notify_all
        gluebi_notify    nb->notifier_call()
          gluebi_create
            mtd_device_register
              mtd_device_parse_register
                add_mtd_device
                  blktrans_notify_add   not->add()
                    ftl_add_mtd         tr->add_mtd()
                      scan_header
                        mtd_read
                          mtd_read_oob
                            mtd_read_oob_std
                              gluebi_read   mtd->read()
                                gluebi->desc - NULL

Detailed reproduction information available at the Link [1],

In the normal case, obtain gluebi->desc in the gluebi_get_device(),
and access gluebi->desc in the gluebi_read(). However,
gluebi_get_device() is not executed in advance in the
ftl_add_mtd() process, which leads to NULL pointer dereference.

The solution for the gluebi module is to run jffs2 on the UBI
volume without considering working with ftl or mtdblock [2].
Therefore, this problem can be avoided by preventing gluebi from
creating the mtdblock device after creating mtd partition of the
type MTD_UBIVOLUME.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52449

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52450
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology()

Get logical socket id instead of physical id in discover_upi_topology()
to avoid out-of-bound access on 'upi = &type->topology[nid][idx];' line
that leads to NULL pointer dereference in upi_fill_topology()
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52450

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52451
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/memhp: Fix access beyond end of drmem array

dlpar_memory_remove_by_index() may access beyond the bounds of the
drmem lmb array when the LMB lookup fails to match an entry with the
given DRC index. When the search fails, the cursor is left pointing to
&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the
last valid entry in the array. The debug message at the end of the
function then dereferences this pointer:

        pr_debug("Failed to hot-remove memory at %llx\n",
                 lmb->base_addr);

This was found by inspection and confirmed with KASAN:

  pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658
  Read of size 8 at addr c000000364e97fd0 by task bash/949

  dump_stack_lvl+0xa4/0xfc (unreliable)
  print_report+0x214/0x63c
  kasan_report+0x140/0x2e0
  __asan_load8+0xa8/0xe0
  dlpar_memory+0x298/0x1658
  handle_dlpar_errorlog+0x130/0x1d0
  dlpar_store+0x18c/0x3e0
  kobj_attr_store+0x68/0xa0
  sysfs_kf_write+0xc4/0x110
  kernfs_fop_write_iter+0x26c/0x390
  vfs_write+0x2d4/0x4e0
  ksys_write+0xac/0x1a0
  system_call_exception+0x268/0x530
  system_call_vectored_common+0x15c/0x2ec

  Allocated by task 1:
   kasan_save_stack+0x48/0x80
   kasan_set_track+0x34/0x50
   kasan_save_alloc_info+0x34/0x50
   __kasan_kmalloc+0xd0/0x120
   __kmalloc+0x8c/0x320
   kmalloc_array.constprop.0+0x48/0x5c
   drmem_init+0x2a0/0x41c
   do_one_initcall+0xe0/0x5c0
   kernel_init_freeable+0x4ec/0x5a0
   kernel_init+0x30/0x1e0
   ret_from_kernel_user_thread+0x14/0x1c

  The buggy address belongs to the object at c000000364e80000
   which belongs to the cache kmalloc-128k of size 131072
  The buggy address is located 0 bytes to the right of
   allocated 98256-byte region [c000000364e80000, c000000364e97fd0)

  ==================================================================
  pseries-hotplug-mem: Failed to hot-remove memory at 0

Log failed lookups with a separate message and dereference the
cursor only when it points to a valid entry.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52451

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52452
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix accesses to uninit stack slots

Privileged programs are supposed to be able to read uninitialized stack
memory (ever since 6715df8d5) but, before this patch, these accesses
were permitted inconsistently. In particular, accesses were permitted
above state->allocated_stack, but not below it. In other words, if the
stack was already "large enough", the access was permitted, but
otherwise the access was rejected instead of being allowed to "grow the
stack". This undesired rejection was happening in two places:
- in check_stack_slot_within_bounds()
- in check_stack_range_initialized()
This patch arranges for these accesses to be permitted. A bunch of tests
that were relying on the old rejection had to change; all of them were
changed to add also run unprivileged, in which case the old behavior
persists. One tests couldn't be updated - global_func16 - because it
can't run unprivileged for other reasons.

This patch also fixes the tracking of the stack size for variable-offset
reads. This second fix is bundled in the same commit as the first one
because they're inter-related. Before this patch, writes to the stack
using registers containing a variable offset (as opposed to registers
with fixed, known values) were not properly contributing to the
function's needed stack size. As a result, it was possible for a program
to verify, but then to attempt to read out-of-bounds data at runtime
because a too small stack had been allocated for it.

Each function tracks the size of the stack it needs in
bpf_subprog_info.stack_depth, which is maintained by
update_stack_depth(). For regular memory accesses, check_mem_access()
was calling update_state_depth() but it was passing in only the fixed
part of the offset register, ignoring the variable offset. This was
incorrect; the minimum possible value of that register should be used
instead.

This tracking is now fixed by centralizing the tracking of stack size in
grow_stack_state(), and by lifting the calls to grow_stack_state() to
check_stack_access_within_bounds() as suggested by Andrii. The code is
now simpler and more convincingly tracks the correct maximum stack size.
check_stack_range_initialized() can now rely on enough stack having been
allocated for the access; this helps with the fix for the first issue.

A few tests were changed to also check the stack depth computation. The
one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52452

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52454
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

If the host sends an H2CData command with an invalid DATAL,
the kernel may crash in nvmet_tcp_build_pdu_iovec().

Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]
Call trace:
  process_one_work+0x174/0x3c8
  worker_thread+0x2d0/0x3e8
  kthread+0x104/0x110

Fix the bug by raising a fatal error if DATAL isn't coherent
with the packet size.
Also, the PDU length should never exceed the MAXH2CDATA parameter which
has been communicated to the host in nvmet_tcp_handle_icreq().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52454

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52455
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu: Don't reserve 0-length IOVA region

When the bootloader/firmware doesn't setup the framebuffers, their
address and size are 0 in "iommu-addresses" property. If IOVA region is
reserved with 0 length, then it ends up corrupting the IOVA rbtree with
an entry which has pfn_hi < pfn_lo.
If we intend to use display driver in kernel without framebuffer then
it's causing the display IOMMU mappings to fail as entire valid IOVA
space is reserved when address and length are passed as 0.
An ideal solution would be firmware removing the "iommu-addresses"
property and corresponding "memory-region" if display is not present.
But the kernel should be able to handle this by checking for size of
IOVA region and skipping the IOVA reservation if size is 0. Also, add
a warning if firmware is requesting 0-length IOVA region reservation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52455

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52456
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: imx: fix tx statemachine deadlock

When using the serial port as RS485 port, the tx statemachine is used to
control the RTS pin to drive the RS485 transceiver TX_EN pin. When the
TTY port is closed in the middle of a transmission (for instance during
userland application crash), imx_uart_shutdown disables the interface
and disables the Transmission Complete interrupt. afer that,
imx_uart_stop_tx bails on an incomplete transmission, to be retriggered
by the TC interrupt. This interrupt is disabled and therefore the tx
statemachine never transitions out of SEND. The statemachine is in
deadlock now, and the TX_EN remains low, making the interface useless.

imx_uart_stop_tx now checks for incomplete transmission AND whether TC
interrupts are enabled before bailing to be retriggered. This makes sure
the state machine handling is reached, and is properly set to
WAIT_AFTER_SEND.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52456

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52457
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed

Returning an error code from .remove() makes the driver core emit the
little helpful error message:

	remove callback returned a non-zero value. This will be ignored.

and then remove the device anyhow. So all resources that were not freed
are leaked in this case. Skipping serial8250_unregister_port() has the
potential to keep enough of the UART around to trigger a use-after-free.

So replace the error return (and with it the little helpful error
message) by a more useful error message and continue to cleanup.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52457

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52458
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block: add check that partition length needs to be aligned with block size

Before calling add partition or resize partition, there is no check
on whether the length is aligned with the logical block size.
If the logical block size of the disk is larger than 512 bytes,
then the partition size maybe not the multiple of the logical block size,
and when the last sector is read, bio_truncate() will adjust the bio size,
resulting in an IO error if the size of the read command is smaller than
the logical block size.If integrity data is supported, this will also
result in a null pointer dereference when calling bio_integrity_free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52458

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52459
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: v4l: async: Fix duplicated list deletion

The list deletion call dropped here is already called from the
helper function in the line before. Having a second list_del()
call results in either a warning (with CONFIG_DEBUG_LIST=y):

list_del corruption, c46c8198->next is LIST_POISON1 (00000100)

If CONFIG_DEBUG_LIST is disabled the operation results in a
kernel error due to NULL pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52459

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52460
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix NULL pointer dereference at hibernate

During hibernate sequence the source context might not have a clk_mgr.
So don't use it to look for DML2 support.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52460

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52462
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: fix check for attempt to corrupt spilled pointer

When register is spilled onto a stack as a 1/2/4-byte register, we set
slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,
depending on actual spill size). So to check if some stack slot has
spilled register we need to consult slot_type[7], not slot_type[0].

To avoid the need to remember and double-check this in the future, just
use is_spilled_reg() helper.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52462

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52463
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

efivarfs: force RO when remounting if SetVariable is not supported

If SetVariable at runtime is not supported by the firmware we never assign
a callback for that function. At the same time mount the efivarfs as
RO so no one can call that.  However, we never check the permission flags
when someone remounts the filesystem as RW. As a result this leads to a
crash looking like this:

$ mount -o remount,rw /sys/firmware/efi/efivars
$ efi-updatevar -f PK.auth PK

[  303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  303.280482] Mem abort info:
[  303.280854]   ESR = 0x0000000086000004
[  303.281338]   EC = 0x21: IABT (current EL), IL = 32 bits
[  303.282016]   SET = 0, FnV = 0
[  303.282414]   EA = 0, S1PTW = 0
[  303.282821]   FSC = 0x04: level 0 translation fault
[  303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000
[  303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[  303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
[  303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6
[  303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1
[  303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023
[  303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  303.292123] pc : 0x0
[  303.292443] lr : efivar_set_variable_locked+0x74/0xec
[  303.293156] sp : ffff800008673c10
[  303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000
[  303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027
[  303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000
[  303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000
[  303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54
[  303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4
[  303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002
[  303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201
[  303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc
[  303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000
[  303.303341] Call trace:
[  303.303679]  0x0
[  303.303938]  efivar_entry_set_get_size+0x98/0x16c
[  303.304585]  efivarfs_file_write+0xd0/0x1a4
[  303.305148]  vfs_write+0xc4/0x2e4
[  303.305601]  ksys_write+0x70/0x104
[  303.306073]  __arm64_sys_write+0x1c/0x28
[  303.306622]  invoke_syscall+0x48/0x114
[  303.307156]  el0_svc_common.constprop.0+0x44/0xec
[  303.307803]  do_el0_svc+0x38/0x98
[  303.308268]  el0_svc+0x2c/0x84
[  303.308702]  el0t_64_sync_handler+0xf4/0x120
[  303.309293]  el0t_64_sync+0x190/0x194
[  303.309794] Code: ???????? ???????? ???????? ???????? (????????)
[  303.310612] ---[ end trace 0000000000000000 ]---

Fix this by adding a .reconfigure() function to the fs operations which
we can use to check the requested flags and deny anything that's not RO
if the firmware doesn't implement SetVariable at runtime.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52463

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52464
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

EDAC/thunderx: Fix possible out-of-bounds string access

Enabling -Wstringop-overflow globally exposes a warning for a common bug
in the usage of strncat():

  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
  drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);
        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   ...
   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
   ...
   1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);

   ...

Apparently the author of this driver expected strncat() to behave the
way that strlcat() does, which uses the size of the destination buffer
as its third argument rather than the length of the source buffer. The
result is that there is no check on the size of the allocated buffer.

Change it to strlcat().

  [ bp: Trim compiler output, fixup commit message. ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52464

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52465
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

power: supply: Fix null pointer dereference in smb2_probe

devm_kasprintf and devm_kzalloc return a pointer to dynamically
allocated memory which can be NULL upon failure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52465

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52467
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mfd: syscon: Fix null pointer dereference in of_syscon_register()

kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52467

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52468
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

class: fix use-after-free in class_register()

The lock_class_key is still registered and can be found in
lock_keys_hash hlist after subsys_private is freed in error
handler path.A task who iterate over the lock_keys_hash
later may cause use-after-free.So fix that up and unregister
the lock_class_key before kfree(cp).

On our platform, a driver fails to kset_register because of
creating duplicate filename '/class/xxx'.With Kasan enabled,
it prints a invalid-access bug report.

KASAN bug report:

BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc
Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252
Pointer tag: [15], memory tag: [fe]

CPU: 7 PID: 252 Comm: modprobe Tainted: G        W
 6.6.0-mainline-maybe-dirty #1

Call trace:
dump_backtrace+0x1b0/0x1e4
show_stack+0x2c/0x40
dump_stack_lvl+0xac/0xe0
print_report+0x18c/0x4d8
kasan_report+0xe8/0x148
__hwasan_store8_noabort+0x88/0x98
lockdep_register_key+0x19c/0x1bc
class_register+0x94/0x1ec
init_module+0xbc/0xf48 [rfkill]
do_one_initcall+0x17c/0x72c
do_init_module+0x19c/0x3f8
...
Memory state around the buggy address:
ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a
ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe
>ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                     ^
ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03

As CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access
not use-after-free here.In this case, modprobe is manipulating
the corrupted lock_keys_hash hlish where lock_class_key is already
freed before.

It's worth noting that this only can happen if lockdep is enabled,
which is not true for normal system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52468

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52469
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drivers/amd/pm: fix a use-after-free in kv_parse_power_table

When ps allocated by kzalloc equals to NULL, kv_parse_power_table
frees adev->pm.dpm.ps that allocated before. However, after the control
flow goes through the following call chains:

kv_parse_power_table
  |-> kv_dpm_init
        |-> kv_dpm_sw_init
	      |-> kv_dpm_fini

The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its
first free in kv_parse_power_table and causes a use-after-free bug.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52469

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52470
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()

check the alloc_workqueue return value in radeon_crtc_init()
to avoid null-ptr-deref.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52470

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52471
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: Fix some null pointer dereference issues in ice_ptp.c

devm_kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52471

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52472
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: rsa - add a check for allocation failure

Static checkers insist that the mpi_alloc() allocation can fail so add
a check to prevent a NULL dereference.  Small allocations like this
can't actually fail in current kernels, but adding a check is very
simple and makes the static checkers happy.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52472

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52473
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Fix NULL pointer dereference in zone registration error path

If device_register() in thermal_zone_device_register_with_trips()
returns an error, the tz variable is set to NULL and subsequently
dereferenced in kfree(tz->tzp).

Commit adc8749b150c ("thermal/drivers/core: Use put_device() if
device_register() fails") added the tz = NULL assignment in question to
avoid a possible double-free after dropping the reference to the zone
device.  However, after commit 4649620d9404 ("thermal: core: Make
thermal_zone_device_unregister() return after freeing the zone"), that
assignment has become redundant, because dropping the reference to the
zone device does not cause the zone object to be freed any more.

Drop it to address the NULL pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52473

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52474
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests

hfi1 user SDMA request processing has two bugs that can cause data
corruption for user SDMA requests that have multiple payload iovecs
where an iovec other than the tail iovec does not run up to the page
boundary for the buffer pointed to by that iovec.a

Here are the specific bugs:
1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len.
   Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec
   to the packet, even if some of those bytes are past
   iovec->iov.iov_len and are thus not intended to be in the packet.
2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the
   next iovec in user_sdma_request->iovs when the current iovec
   is not PAGE_SIZE and does not contain enough data to complete the
   packet. The transmitted packet will contain the wrong data from the
   iovec pages.

This has not been an issue with SDMA packets from hfi1 Verbs or PSM2
because they only produce iovecs that end short of PAGE_SIZE as the tail
iovec of an SDMA request.

Fixing these bugs exposes other bugs with the SDMA pin cache
(struct mmu_rb_handler) that get in way of supporting user SDMA requests
with multiple payload iovecs whose buffers do not end at PAGE_SIZE. So
this commit fixes those issues as well.

Here are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec
payload user SDMA requests can hit:
1. Overlapping memory ranges in mmu_rb_handler will result in duplicate
   pinnings.
2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node),
   the mmu_rb code (1) removes the existing entry under a lock, (2)
   releases that lock, pins the new pages, (3) then reacquires the lock
   to insert the extended mmu_rb_node.

   If someone else comes in and inserts an overlapping entry between (2)
   and (3), insert in (3) will fail.

   The failure path code in this case unpins _all_ pages in either the
   original mmu_rb_node or the new mmu_rb_node that was inserted between
   (2) and (3).
3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is
   incremented outside of mmu_rb_handler->lock. As a result, mmu_rb_node
   could be evicted by another thread that gets mmu_rb_handler->lock and
   checks mmu_rb_node->refcount before mmu_rb_node->refcount is
   incremented.
4. Related to #2 above, SDMA request submission failure path does not
   check mmu_rb_node->refcount before freeing mmu_rb_node object.

   If there are other SDMA requests in progress whose iovecs have
   pointers to the now-freed mmu_rb_node(s), those pointers to the
   now-freed mmu_rb nodes will be dereferenced when those SDMA requests
   complete.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52474

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52645
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pmdomain: mediatek: fix race conditions with genpd

If the power domains are registered first with genpd and *after that*
the driver attempts to power them on in the probe sequence, then it is
possible that a race condition occurs if genpd tries to power them on
in the same time.
The same is valid for powering them off before unregistering them
from genpd.
Attempt to fix race conditions by first removing the domains from genpd
and *after that* powering down domains.
Also first power up the domains and *after that* register them
to genpd.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52645

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52752
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

Skip SMB sessions that are being teared down
(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()
to avoid use-after-free in @ses.

This fixes the following GPF when reading from /proc/fs/cifs/DebugData
while mounting and umounting

  [ 816.251274] general protection fault, probably for non-canonical
  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
  ...
  [  816.260138] Call Trace:
  [  816.260329]  <TASK>
  [  816.260499]  ? die_addr+0x36/0x90
  [  816.260762]  ? exc_general_protection+0x1b3/0x410
  [  816.261126]  ? asm_exc_general_protection+0x26/0x30
  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]
  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]
  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
  [  816.262689]  ? seq_read_iter+0x379/0x470
  [  816.262995]  seq_read_iter+0x118/0x470
  [  816.263291]  proc_reg_read_iter+0x53/0x90
  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f
  [  816.263945]  vfs_read+0x201/0x350
  [  816.264211]  ksys_read+0x75/0x100
  [  816.264472]  do_syscall_64+0x3f/0x90
  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
  [  816.265135] RIP: 0033:0x7fd5e669d381
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52752

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52753
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid NULL dereference of timing generator

[Why & How]
Check whether assigned timing generator is NULL or not before
accessing its funcs to prevent NULL dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52753

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52760
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix slab-use-after-free in gfs2_qd_dealloc

In gfs2_put_super(), whether withdrawn or not, the quota should
be cleaned up by gfs2_quota_cleanup().

Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu
callback) has run for all gfs2_quota_data objects, resulting in
use-after-free.

Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called
by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling
gfs2_make_fs_ro(), there is no need to call them again.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52760

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52769
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix htt mlo-offset event locking

The ath12k active pdevs are protected by RCU but the htt mlo-offset
event handling code calling ath12k_mac_get_ar_by_pdev_id() was not
marked as a read-side critical section.

Mark the code in question as an RCU read-side critical section to avoid
any potential use-after-free issues.

Compile tested only.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52769

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52772
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

af_unix: fix use-after-free in unix_stream_read_actor()

syzbot reported the following crash [1]

After releasing unix socket lock, u->oob_skb can be changed
by another thread. We must temporarily increase skb refcount
to make sure this other thread will not free the skb under us.

[1]

BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297

CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]
unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666
unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1066
____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803
___sys_recvmsg+0x115/0x1a0 net/socket.c:2845
__sys_recvmsg+0x114/0x1e0 net/socket.c:2875
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fc67492c559
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559
RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340
R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388
</TASK>

Allocated by task 5295:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523
__alloc_skb+0x287/0x330 net/core/skbuff.c:641
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
sock_alloc_send_skb include/net/sock.h:1884 [inline]
queue_oob net/unix/af_unix.c:2147 [inline]
unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Freed by task 5295:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
kmem_cache_free+0xf8/0x340 mm/slub.c:3831
kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015
__kfree_skb net/core/skbuff.c:1073 [inline]
consume_skb net/core/skbuff.c:1288 [inline]
consume_skb+0xdf/0x170 net/core/skbuff.c:1282
queue_oob net/unix/af_unix.c:2178 [inline]
u
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52772

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52773
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer()

When ddc_service_construct() is called, it explicitly checks both the
link type and whether there is something on the link which will
dictate whether the pin is marked as hw_supported.

If the pin isn't set or the link is not set (such as from
unloading/reloading amdgpu in an IGT test) then fail the
amdgpu_dm_i2c_xfer() call.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52773

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52783
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: wangxun: fix kernel panic due to null pointer

When the device uses a custom subsystem vendor ID, the function
wx_sw_init() returns before the memory of 'wx->mac_table' is allocated.
The null pointer will causes the kernel panic.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52783

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52806
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: hda: Fix possible null-ptr-deref when assigning a stream

While AudioDSP drivers assign streams exclusively of HOST or LINK type,
nothing blocks a user to attempt to assign a COUPLED stream. As
supplied substream instance may be a stub, what is the case when
code-loading, such scenario ends with null-ptr-deref.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52806

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52809
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()

fc_lport_ptp_setup() did not check the return value of fc_rport_create()
which can return NULL and would cause a NULL pointer dereference. Address
this issue by checking return value of fc_rport_create() and log error
message on fc_rport_create() failed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52809

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52814
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix potential null pointer derefernce

The amdgpu_ras_get_context may return NULL if device
not support ras feature, so add check before using.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52814

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52815
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/vkms: fix a possible null pointer dereference

In amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode()
is assigned to mode, which will lead to a NULL pointer dereference
on failure of drm_cvt_mode(). Add a check to avoid null pointer
dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52815

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52817
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL

In certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:

1. Navigate to the directory: /sys/kernel/debug/dri/0
2. Execute command: cat amdgpu_regs_smc
3. Exception Log::
[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000
[4005007.702562] #PF: supervisor instruction fetch in kernel mode
[4005007.702567] #PF: error_code(0x0010) - not-present page
[4005007.702570] PGD 0 P4D 0
[4005007.702576] Oops: 0010 [#1] SMP NOPTI
[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G           OE     5.15.0-43-generic #46-Ubunt       u
[4005007.702590] RIP: 0010:0x0
[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206
[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68
[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000
[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980
[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000
[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000
[4005007.702622] FS:  00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000
[4005007.702626] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0
[4005007.702633] Call Trace:
[4005007.702636]  <TASK>
[4005007.702640]  amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]
[4005007.703002]  full_proxy_read+0x5c/0x80
[4005007.703011]  vfs_read+0x9f/0x1a0
[4005007.703019]  ksys_read+0x67/0xe0
[4005007.703023]  __x64_sys_read+0x19/0x20
[4005007.703028]  do_syscall_64+0x5c/0xc0
[4005007.703034]  ? do_user_addr_fault+0x1e3/0x670
[4005007.703040]  ? exit_to_user_mode_prepare+0x37/0xb0
[4005007.703047]  ? irqentry_exit_to_user_mode+0x9/0x20
[4005007.703052]  ? irqentry_exit+0x19/0x30
[4005007.703057]  ? exc_page_fault+0x89/0x160
[4005007.703062]  ? asm_exc_page_fault+0x8/0x30
[4005007.703068]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[4005007.703075] RIP: 0033:0x7f5e07672992
[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f        1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e       c 28 48 89 54 24
[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992
[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003
[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010
[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000
[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[4005007.703105]  </TASK>
[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_       iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t       tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm       i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo       mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v       2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core        drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca
[4005007.703184] CR2: 0000000000000000
[4005007.703188] ---[ en
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52817

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52821
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/panel: fix a possible null pointer dereference

In versatile_panel_get_modes(), the return value of drm_mode_duplicate()
is assigned to mode, which will lead to a NULL pointer dereference
on failure of drm_mode_duplicate(). Add a check to avoid npd.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52821

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52827
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats()

len is extracted from HTT message and could be an unexpected value in
case errors happen, so add validation before using to avoid possible
out-of-bound read in the following message iteration and parsing.

The same issue also applies to ppdu_info->ppdu_stats.common.num_users,
so validate it before using too.

These are found during code review.

Compile test only.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52827

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52885
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix UAF in svc_tcp_listen_data_ready()

After the listener svc_sock is freed, and before invoking svc_tcp_accept()
for the established child sock, there is a window that the newsock
retaining a freed listener svc_sock in sk_user_data which cloning from
parent. In the race window, if data is received on the newsock, we will
observe use-after-free report in svc_tcp_listen_data_ready().

Reproduce by two tasks:

1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done

KASAN report:

  ==================================================================
  BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
  Read of size 8 at addr ffff888139d96228 by task nc/102553
  CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
  Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
  Call Trace:
   <IRQ>
   dump_stack_lvl+0x33/0x50
   print_address_description.constprop.0+0x27/0x310
   print_report+0x3e/0x70
   kasan_report+0xae/0xe0
   svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
   tcp_data_queue+0x9f4/0x20e0
   tcp_rcv_established+0x666/0x1f60
   tcp_v4_do_rcv+0x51c/0x850
   tcp_v4_rcv+0x23fc/0x2e80
   ip_protocol_deliver_rcu+0x62/0x300
   ip_local_deliver_finish+0x267/0x350
   ip_local_deliver+0x18b/0x2d0
   ip_rcv+0x2fb/0x370
   __netif_receive_skb_one_core+0x166/0x1b0
   process_backlog+0x24c/0x5e0
   __napi_poll+0xa2/0x500
   net_rx_action+0x854/0xc90
   __do_softirq+0x1bb/0x5de
   do_softirq+0xcb/0x100
   </IRQ>
   <TASK>
   ...
   </TASK>

  Allocated by task 102371:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_kmalloc+0x7b/0x90
   svc_setup_socket+0x52/0x4f0 [sunrpc]
   svc_addsock+0x20d/0x400 [sunrpc]
   __write_ports_addfd+0x209/0x390 [nfsd]
   write_ports+0x239/0x2c0 [nfsd]
   nfsctl_transaction_write+0xac/0x110 [nfsd]
   vfs_write+0x1c3/0xae0
   ksys_write+0xed/0x1c0
   do_syscall_64+0x38/0x90
   entry_SYSCALL_64_after_hwframe+0x72/0xdc

  Freed by task 102551:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x2a/0x50
   __kasan_slab_free+0x106/0x190
   __kmem_cache_free+0x133/0x270
   svc_xprt_free+0x1e2/0x350 [sunrpc]
   svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
   nfsd_put+0x125/0x240 [nfsd]
   nfsd_svc+0x2cb/0x3c0 [nfsd]
   write_threads+0x1ac/0x2a0 [nfsd]
   nfsctl_transaction_write+0xac/0x110 [nfsd]
   vfs_write+0x1c3/0xae0
   ksys_write+0xed/0x1c0
   do_syscall_64+0x38/0x90
   entry_SYSCALL_64_after_hwframe+0x72/0xdc

Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready()
if state != TCP_LISTEN, that will avoid dereferencing svsk for all
child socket.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52885

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52886
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():

BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011

CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:572
 read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
...
Allocated by task 758:
...
 __do_kmalloc_node mm/slab_common.c:966 [inline]
 __kmalloc+0x5e/0x190 mm/slab_common.c:979
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:680 [inline]
 usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887
 usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
 usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545

As analyzed by Khazhy Kumykov, the cause of this bug is a race between
read_descriptors() and hub_port_init(): The first routine uses a field
in udev->descriptor, not expecting it to change, while the second
overwrites it.

Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while
reading the "descriptors" sysfs file") this race couldn't occur,
because the routines were mutually exclusive thanks to the device
locking.  Removing that locking from read_descriptors() exposed it to
the race.

The best way to fix the bug is to keep hub_port_init() from changing
udev->descriptor once udev has been initialized and registered.
Drivers expect the descriptors stored in the kernel to be immutable;
we should not undermine this expectation.  In fact, this change should
have been made long ago.

So now hub_port_init() will take an additional argument, specifying a
buffer in which to store the device descriptor it reads.  (If udev has
not yet been initialized, the buffer pointer will be NULL and then
hub_port_init() will store the device descriptor in udev as before.)
This eliminates the data race responsible for the out-of-bounds read.

The changes to hub_port_init() appear more extensive than they really
are, because of indentation changes resulting from an attempt to avoid
writing to other parts of the usb_device structure after it has been
initialized.  Similar changes should be made to the code that reads
the BOS descriptor, but that can be handled in a separate patch later
on.  This patch is sufficient to fix the bug found by syzbot.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52886

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52889
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix null pointer deref when receiving skb during sock creation

The panic below is observed when receiving ICMP packets with secmark set
while an ICMP raw socket is being created. SK_CTX(sk)->label is updated
in apparmor_socket_post_create(), but the packet is delivered to the
socket before that, causing the null pointer dereference.
Drop the packet if label context is not set.

    BUG: kernel NULL pointer dereference, address: 000000000000004c
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df
    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020
    RIP: 0010:aa_label_next_confined+0xb/0x40
    Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2
    RSP: 0018:ffffa92940003b08 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e
    RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000
    RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002
    R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400
    R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
    FS:  00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0
    PKRU: 55555554
    Call Trace:
     <IRQ>
     ? __die+0x23/0x70
     ? page_fault_oops+0x171/0x4e0
     ? exc_page_fault+0x7f/0x180
     ? asm_exc_page_fault+0x26/0x30
     ? aa_label_next_confined+0xb/0x40
     apparmor_secmark_check+0xec/0x330
     security_sock_rcv_skb+0x35/0x50
     sk_filter_trim_cap+0x47/0x250
     sock_queue_rcv_skb_reason+0x20/0x60
     raw_rcv+0x13c/0x210
     raw_local_deliver+0x1f3/0x250
     ip_protocol_deliver_rcu+0x4f/0x2f0
     ip_local_deliver_finish+0x76/0xa0
     __netif_receive_skb_one_core+0x89/0xa0
     netif_receive_skb+0x119/0x170
     ? __netdev_alloc_skb+0x3d/0x140
     vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
     vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
     __napi_poll+0x28/0x1b0
     net_rx_action+0x2a4/0x380
     __do_softirq+0xd1/0x2c8
     __irq_exit_rcu+0xbb/0xf0
     common_interrupt+0x86/0xa0
     </IRQ>
     <TASK>
     asm_common_interrupt+0x26/0x40
    RIP: 0010:apparmor_socket_post_create+0xb/0x200
    Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48
    RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286
    RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001
    RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740
    RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
    R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003
    R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748
     ? __pfx_apparmor_socket_post_create+0x10/0x10
     security_socket_post_create+0x4b/0x80
     __sock_create+0x176/0x1f0
     __sys_socket+0x89/0x100
     __x64_sys_socket+0x17/0x20
     do_syscall_64+0x5d/0x90
     ? do_syscall_64+0x6c/0x90
     ? do_syscall_64+0x6c/0x90
     ? do_syscall_64+0x6c/0x90
     entry_SYSCALL_64_after_hwframe+0x72/0xdc
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52889

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52893
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gsmi: fix null-deref in gsmi_get_variable

We can get EFI variables without fetching the attribute, so we must
allow for that in gsmi.

commit 859748255b43 ("efi: pstore: Omit efivars caching EFI varstore
access layer") added a new get_variable call with attr=NULL, which
triggers panic in gsmi.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52893

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52894
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()

In Google internal bug 265639009 we've received an (as yet) unreproducible
crash report from an aarch64 GKI 5.10.149-android13 running device.

AFAICT the source code is at:
  https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10

The call stack is:
  ncm_close() -> ncm_notify() -> ncm_do_notify()
with the crash at:
  ncm_do_notify+0x98/0x270
Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)

Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):

  // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)
  0B 0D 00 79    strh w11, [x8, #6]

  // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)
  6C 0A 00 B9    str  w12, [x19, #8]

  // x10 (NULL) was read here from offset 0 of valid pointer x9
  // IMHO we're reading 'cdev->gadget' and getting NULL
  // gadget is indeed at offset 0 of struct usb_composite_dev
  2A 01 40 F9    ldr  x10, [x9]

  // loading req->buf pointer, which is at offset 0 of struct usb_request
  69 02 40 F9    ldr  x9, [x19]

  // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed
  4B 5D 40 B9    ldr  w11, [x10, #0x5c]

which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:

  event->wLength = cpu_to_le16(8);
  req->length = NCM_STATUS_BYTECOUNT;

  /* SPEED_CHANGE data is up/down speeds in bits/sec */
  data = req->buf + sizeof *event;
  data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));

My analysis of registers and NULL ptr deref crash offset
  (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)
heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:
  data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
which calls:
  ncm_bitrate(NULL)
which then calls:
  gadget_is_superspeed(NULL)
which reads
  ((struct usb_gadget *)NULL)->max_speed
and hits a panic.

AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.
(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)

It's not at all clear to me how this is all supposed to work...
but returning 0 seems much better than panic-ing...
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52894

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52895
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: don't reissue in case of poll race on multishot request

A previous commit fixed a poll race that can occur, but it's only
applicable for multishot requests. For a multishot request, we can safely
ignore a spurious wakeup, as we never leave the waitqueue to begin with.

A blunt reissue of a multishot armed request can cause us to leak a
buffer, if they are ring provided. While this seems like a bug in itself,
it's not really defined behavior to reissue a multishot request directly.
It's less efficient to do so as well, and not required to rearm anything
like it is for singleshot poll requests.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52896
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between quota rescan and disable leading to NULL pointer deref

If we have one task trying to start the quota rescan worker while another
one is trying to disable quotas, we can end up hitting a race that results
in the quota rescan worker doing a NULL pointer dereference. The steps for
this are the following:

1) Quotas are enabled;

2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().
   It calls qgroup_rescan_init() which returns 0 (success) and then joins a
   transaction and commits it;

3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().
   It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls
   btrfs_qgroup_wait_for_completion(), which returns immediately since the
   rescan worker is not yet running.
   Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;

4) Task A queues the rescan worker, by calling btrfs_queue_work();

5) The rescan worker starts, and calls rescan_should_stop() at the start
   of its while loop, which results in 0 iterations of the loop, since
   the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by
   task B at step 3);

6) Task B sets fs_info->quota_root to NULL;

7) The rescan worker tries to start a transaction and uses
   fs_info->quota_root as the root argument for btrfs_start_transaction().
   This results in a NULL pointer dereference down the call chain of
   btrfs_start_transaction(). The stack trace is something like the one
   reported in Link tag below:

   general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN
   KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
   CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0
   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
   Workqueue: btrfs-qgroup-rescan btrfs_work_helper
   RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564
   Code: 48 89 fb 48 (...)
   RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206
   RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80
   RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
   RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d
   R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000
   R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003
   FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0
   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
   Call Trace:
    <TASK>
    btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402
    btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280
    process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
    worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
    kthread+0x266/0x300 kernel/kthread.c:376
    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
    </TASK>
   Modules linked in:

So fix this by having the rescan worker function not attempt to start a
transaction if it didn't do any rescan work.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52896

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52897
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: do not warn on record without old_roots populated

[BUG]
There are some reports from the mailing list that since v6.1 kernel, the
WARN_ON() inside btrfs_qgroup_account_extent() gets triggered during
rescan:

  WARNING: CPU: 3 PID: 6424 at fs/btrfs/qgroup.c:2756 btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
  CPU: 3 PID: 6424 Comm: snapperd Tainted: P           OE      6.1.2-1-default #1 openSUSE Tumbleweed 05c7a1b1b61d5627475528f71f50444637b5aad7
  RIP: 0010:btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
  Call Trace:
   <TASK>
  btrfs_commit_transaction+0x30c/0xb40 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
   ? start_transaction+0xc3/0x5b0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
  btrfs_qgroup_rescan+0x42/0xc0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
   btrfs_ioctl+0x1ab9/0x25c0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
   ? __rseq_handle_notify_resume+0xa9/0x4a0
   ? mntput_no_expire+0x4a/0x240
   ? __seccomp_filter+0x319/0x4d0
   __x64_sys_ioctl+0x90/0xd0
   do_syscall_64+0x5b/0x80
   ? syscall_exit_to_user_mode+0x17/0x40
   ? do_syscall_64+0x67/0x80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  RIP: 0033:0x7fd9b790d9bf
   </TASK>

[CAUSE]
Since commit e15e9f43c7ca ("btrfs: introduce
BTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING to skip qgroup accounting"), if
our qgroup is already in inconsistent state, we will no longer do the
time-consuming backref walk.

This can leave some qgroup records without a valid old_roots ulist.
Normally this is fine, as btrfs_qgroup_account_extents() would also skip
those records if we have NO_ACCOUNTING flag set.

But there is a small window, if we have NO_ACCOUNTING flag set, and
inserted some qgroup_record without a old_roots ulist, but then the user
triggered a qgroup rescan.

During btrfs_qgroup_rescan(), we firstly clear NO_ACCOUNTING flag, then
commit current transaction.

And since we have a qgroup_record with old_roots = NULL, we trigger the
WARN_ON() during btrfs_qgroup_account_extents().

[FIX]
Unfortunately due to the introduction of NO_ACCOUNTING flag, the
assumption that every qgroup_record would have its old_roots populated
is no longer correct.

Fix the false alerts and drop the WARN_ON().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52897

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52898
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix null pointer dereference when host dies

Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race
and cause null pointer dereference when host suddenly dies.

Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id]
virt device at the same time that xhci_kill_endpoint_urbs() tries to
loop through all the device's endpoints, checking if there are any
cancelled urbs left to give back.

hold the xhci spinlock while freeing the virt device
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52898

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52899
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Add exception protection processing for vd in axi_chan_handle_err function

Since there is no protection for vd, a kernel panic will be
triggered here in exceptional cases.

You can refer to the processing of axi_chan_block_xfer_complete function

The triggered kernel panic is as follows:

[   67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
[   67.848447] Mem abort info:
[   67.848449]   ESR = 0x96000004
[   67.848451]   EC = 0x25: DABT (current EL), IL = 32 bits
[   67.848454]   SET = 0, FnV = 0
[   67.848456]   EA = 0, S1PTW = 0
[   67.848458] Data abort info:
[   67.848460]   ISV = 0, ISS = 0x00000004
[   67.848462]   CM = 0, WnR = 0
[   67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000
[   67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000
[   67.848472] Internal error: Oops: 96000004 [#1] SMP
[   67.848475] Modules linked in: dmatest
[   67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11
[   67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)
[   67.848487] pc : axi_chan_handle_err+0xc4/0x230
[   67.848491] lr : axi_chan_handle_err+0x30/0x230
[   67.848493] sp : ffff0803fe55ae50
[   67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200
[   67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080
[   67.848504] x25: ffff800010d33880 x24: ffff80001139d850
[   67.848508] x23: ffff0800c097c168 x22: 0000000000000000
[   67.848512] x21: 0000000000000080 x20: 0000000000002000
[   67.848517] x19: ffff0800c097c080 x18: 0000000000000000
[   67.848521] x17: 0000000000000000 x16: 0000000000000000
[   67.848525] x15: 0000000000000000 x14: 0000000000000000
[   67.848529] x13: 0000000000000000 x12: 0000000000000040
[   67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a
[   67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270
[   67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0
[   67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480
[   67.848550] x3 : dead000000000100 x2 : dead000000000122
[   67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168
[   67.848559] Call trace:
[   67.848562]  axi_chan_handle_err+0xc4/0x230
[   67.848566]  dw_axi_dma_interrupt+0xf4/0x590
[   67.848569]  __handle_irq_event_percpu+0x60/0x220
[   67.848573]  handle_irq_event+0x64/0x120
[   67.848576]  handle_fasteoi_irq+0xc4/0x220
[   67.848580]  __handle_domain_irq+0x80/0xe0
[   67.848583]  gic_handle_irq+0xc0/0x138
[   67.848585]  el1_irq+0xc8/0x180
[   67.848588]  arch_cpu_idle+0x14/0x2c
[   67.848591]  default_idle_call+0x40/0x16c
[   67.848594]  do_idle+0x1f0/0x250
[   67.848597]  cpu_startup_entry+0x2c/0x60
[   67.848600]  rest_init+0xc0/0xcc
[   67.848603]  arch_call_rest_init+0x14/0x1c
[   67.848606]  start_kernel+0x4cc/0x500
[   67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)
[   67.848613] ---[ end trace 585a97036f88203a ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52899

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52900
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix general protection fault in nilfs_btree_insert()

If nilfs2 reads a corrupted disk image and tries to reads a b-tree node
block by calling __nilfs_btree_get_block() against an invalid virtual
block address, it returns -ENOENT because conversion of the virtual block
address to a disk block address fails.  However, this return value is the
same as the internal code that b-tree lookup routines return to indicate
that the block being searched does not exist, so functions that operate on
that b-tree may misbehave.

When nilfs_btree_insert() receives this spurious 'not found' code from
nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was
successful and continues the insert operation using incomplete lookup path
data, causing the following crash:

 general protection fault, probably for non-canonical address
 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
 KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
 ...
 RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]
 RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]
 RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238
 Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89
 ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c
 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02
 ...
 Call Trace:
 <TASK>
  nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]
  nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147
  nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101
  __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
  __block_write_begin fs/buffer.c:2041 [inline]
  block_write_begin+0x93/0x1e0 fs/buffer.c:2102
  nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261
  generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
  __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900
  generic_file_write_iter+0xab/0x310 mm/filemap.c:3932
  call_write_iter include/linux/fs.h:2186 [inline]
  new_sync_write fs/read_write.c:491 [inline]
  vfs_write+0x7dc/0xc50 fs/read_write.c:584
  ksys_write+0x177/0x2a0 fs/read_write.c:637
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 ...
 </TASK>

This patch fixes the root cause of this problem by replacing the error
code that __nilfs_btree_get_block() returns on block address conversion
failure from -ENOENT to another internal code -EINVAL which means that the
b-tree metadata is corrupted.

By returning -EINVAL, it propagates without glitches, and for all relevant
b-tree operations, functions in the upper bmap layer output an error
message indicating corrupted b-tree metadata via
nilfs_bmap_convert_error(), and code -EIO will be eventually returned as
it should be.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52900

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52901
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Check endpoint is valid before dereferencing it

When the host controller is not responding, all URBs queued to all
endpoints need to be killed. This can cause a kernel panic if we
dereference an invalid endpoint.

Fix this by using xhci_get_virt_ep() helper to find the endpoint and
checking if the endpoint is valid before dereferencing it.

[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead
[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8

[233311.853964] pc : xhci_hc_died+0x10c/0x270
[233311.853971] lr : xhci_hc_died+0x1ac/0x270

[233311.854077] Call trace:
[233311.854085]  xhci_hc_died+0x10c/0x270
[233311.854093]  xhci_stop_endpoint_command_watchdog+0x100/0x1a4
[233311.854105]  call_timer_fn+0x50/0x2d4
[233311.854112]  expire_timers+0xac/0x2e4
[233311.854118]  run_timer_softirq+0x300/0xabc
[233311.854127]  __do_softirq+0x148/0x528
[233311.854135]  irq_exit+0x194/0x1a8
[233311.854143]  __handle_domain_irq+0x164/0x1d0
[233311.854149]  gic_handle_irq.22273+0x10c/0x188
[233311.854156]  el1_irq+0xfc/0x1a8
[233311.854175]  lpm_cpuidle_enter+0x25c/0x418 [msm_pm]
[233311.854185]  cpuidle_enter_state+0x1f0/0x764
[233311.854194]  do_idle+0x594/0x6ac
[233311.854201]  cpu_startup_entry+0x7c/0x80
[233311.854209]  secondary_start_kernel+0x170/0x198
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52901

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52902
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nommu: fix memory leak in do_mmap() error path

The preallocation of the maple tree nodes may leak if the error path to
"error_just_free" is taken.  Fix this by moving the freeing of the maple
tree nodes to a shared location for all error paths.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52902

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52903
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring: lock overflowing for IOPOLL

syzbot reports an issue with overflow filling for IOPOLL:

WARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
CPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0
Workqueue: events_unbound io_ring_exit_work
Call trace:
 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
 io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773
 io_fill_cqe_req io_uring/io_uring.h:168 [inline]
 io_do_iopoll+0x474/0x62c io_uring/rw.c:1065
 io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513
 io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056
 io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863

There is no real problem for normal IOPOLL as flush is also called with
uring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,
for which __io_cqring_overflow_flush() happens from the CQ waiting path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52903

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52904
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()

The subs function argument may be NULL, so do not use it before the NULL check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52905
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

octeontx2-pf: Fix resource leakage in VF driver unbind

resources allocated like mcam entries to support the Ntuple feature
and hash tables for the tc feature are not getting freed in driver
unbind. This patch fixes the issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52905

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52906
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mpls: Fix warning during failed attribute validation

The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a
validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid
combination according to the comment above 'struct nla_policy':

"
Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:
   NLA_BINARY           Validation function called for the attribute.
   All other            Unused - but note that it's a union
"

This can trigger the warning [1] in nla_get_range_unsigned() when
validation of the attribute fails. Despite being of 'NLA_U32' type, the
associated 'min'/'max' fields in the policy are negative as they are
aliased by the 'validate' field.

Fix by changing the attribute type to 'NLA_BINARY' which is consistent
with the above comment and all other users of NLA_POLICY_VALIDATE_FN().
As a result, move the length validation to the validation function.

No regressions in MPLS tests:

 # ./tdc.py -f tc-tests/actions/mpls.json
 [...]
 # echo $?
 0

[1]
WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118
nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
Modules linked in:
CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
[...]
Call Trace:
 <TASK>
 __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310
 netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411
 netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]
 netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506
 netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546
 rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0x38f/0x500 net/socket.c:2482
 ___sys_sendmsg net/socket.c:2536 [inline]
 __sys_sendmsg+0x197/0x230 net/socket.c:2565
 __do_sys_sendmsg net/socket.c:2574 [inline]
 __se_sys_sendmsg net/socket.c:2572 [inline]
 __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52906

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52907
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()

Fix a use-after-free that occurs in hcd when in_urb sent from
pn533_usb_send_frame() is completed earlier than out_urb. Its callback
frees the skb data in pn533_send_async_complete() that is used as a
transfer buffer of out_urb. Wait before sending in_urb until the
callback of out_urb is called. To modify the callback of out_urb alone,
separate the complete function of out_urb and ack_urb.

Found by a modified version of syzkaller.

BUG: KASAN: use-after-free in dummy_timer
Call Trace:
 memcpy (mm/kasan/shadow.c:65)
 dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)
 transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)
 dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)
 arch_static_branch (arch/x86/include/asm/jump_label.h:27)
 static_key_false (include/linux/jump_label.h:207)
 timer_expire_exit (include/trace/events/timer.h:127)
 call_timer_fn (kernel/time/timer.c:1475)
 expire_timers (kernel/time/timer.c:1519)
 __run_timers (kernel/time/timer.c:1790)
 run_timer_softirq (kernel/time/timer.c:1803)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52907

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52908
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix potential NULL dereference

Fix potential NULL dereference, in the case when "man", the resource manager
might be NULL, when/if we print debug information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52908

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52909
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix handling of cached open files in nfsd4_open codepath

Commit fb70bf124b05 ("NFSD: Instantiate a struct file when creating a
regular NFSv4 file") added the ability to cache an open fd over a
compound. There are a couple of problems with the way this currently
works:

It's racy, as a newly-created nfsd_file can end up with its PENDING bit
cleared while the nf is hashed, and the nf_file pointer is still zeroed
out. Other tasks can find it in this state and they expect to see a
valid nf_file, and can oops if nf_file is NULL.

Also, there is no guarantee that we'll end up creating a new nfsd_file
if one is already in the hash. If an extant entry is in the hash with a
valid nf_file, nfs4_get_vfs_file will clobber its nf_file pointer with
the value of op_file and the old nf_file will leak.

Fix both issues by making a new nfsd_file_acquirei_opened variant that
takes an optional file pointer. If one is present when this is called,
we'll take a new reference to it instead of trying to open the file. If
the nfsd_file already has a valid nf_file, we'll just ignore the
optional file and pass the nfsd_file back as-is.

Also rework the tracepoints a bit to allow for an "opened" variant and
don't try to avoid counting acquisitions in the case where we already
have a cached open file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52910
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/iova: Fix alloc iova overflows issue

In __alloc_and_insert_iova_range, there is an issue that retry_pfn
overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when
iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will
overflow. As a result, if the retry logic is executed, low_pfn is
updated to 0, and then new_pfn < low_pfn returns false to make the
allocation successful.

This issue occurs in the following two situations:
1. The first iova size exceeds the domain size. When initializing
iova domain, iovad->cached_node is assigned as iovad->anchor. For
example, the iova domain size is 10M, start_pfn is 0x1_F000_0000,
and the iova size allocated for the first time is 11M. The
following is the log information, new->pfn_lo is smaller than
iovad->cached_node.

Example log as follows:
[  223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00
[  223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff

2. The node with the largest iova->pfn_lo value in the iova domain
is deleted, iovad->cached_node will be updated to iovad->anchor,
and then the alloc iova size exceeds the maximum iova size that can
be allocated in the domain.

After judging that retry_pfn is less than limit_pfn, call retry_pfn+1
to fix the overflow issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52911
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm: another fix for the headless Adreno GPU

Fix another oops reproducible when rebooting the board with the Adreno
GPU working in the headless mode (e.g. iMX platforms).

Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] ARM
CPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11
Hardware name: Freescale i.MX53 (Device Tree Support)
PC is at msm_atomic_commit_tail+0x50/0x970
LR is at commit_tail+0x9c/0x188
pc : [<c06aa430>]    lr : [<c067a214>]    psr: 600e0013
sp : e0851d30  ip : ee4eb7eb  fp : 00090acc
r10: 00000058  r9 : c2193014  r8 : c4310000
r7 : c4759380  r6 : 07bef61d  r5 : 00000000  r4 : 00000000
r3 : c44cc440  r2 : 00000000  r1 : 00000000  r0 : 00000000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 74910019  DAC: 00000051
Register r0 information: NULL pointer
Register r1 information: NULL pointer
Register r2 information: NULL pointer
Register r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024
Register r4 information: NULL pointer
Register r5 information: NULL pointer
Register r6 information: non-paged memory
Register r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128
Register r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-paged memory
Register r11 information: non-paged memory
Register r12 information: non-paged memory
Process reboot (pid: 51, stack limit = 0xc80046d9)
Stack: (0xe0851d30 to 0xe0852000)
1d20:                                     c4759380 fbd77200 000005ff 002b9c70
1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058
1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c
1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468
1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810
1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00
1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8
1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854
1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000
1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60
1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4
1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000
1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058
1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028
1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc
1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000
 msm_atomic_commit_tail from commit_tail+0x9c/0x188
 commit_tail from drm_atomic_helper_commit+0x160/0x188
 drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0
 drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0
 drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140
 drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240
 device_shutdown from kernel_restart+0x38/0x90
 kernel_restart from __do_sys_reboot+0x
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52912
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fixed bug on error when unloading amdgpu

Fixed bug on error when unloading amdgpu.

The error message is as follows:
[  377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!
[  377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[  377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G          IOE      6.0.0-thomas #1
[  377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021
[  377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]
[  377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53
[  377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287
[  377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000
[  377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70
[  377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001
[  377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70
[  377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70
[  377.706325] FS:  00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000
[  377.706334] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0
[  377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  377.706361] Call Trace:
[  377.706365]  <TASK>
[  377.706369]  drm_buddy_free_list+0x2a/0x60 [drm_buddy]
[  377.706376]  amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]
[  377.706572]  amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]
[  377.706650]  amdgpu_bo_fini+0x22/0x90 [amdgpu]
[  377.706727]  gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]
[  377.706821]  amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]
[  377.706897]  amdgpu_driver_release_kms+0x12/0x30 [amdgpu]
[  377.706975]  drm_dev_release+0x20/0x40 [drm]
[  377.707006]  release_nodes+0x35/0xb0
[  377.707014]  devres_release_all+0x8b/0xc0
[  377.707020]  device_unbind_cleanup+0xe/0x70
[  377.707027]  device_release_driver_internal+0xee/0x160
[  377.707033]  driver_detach+0x44/0x90
[  377.707039]  bus_remove_driver+0x55/0xe0
[  377.707045]  pci_unregister_driver+0x3b/0x90
[  377.707052]  amdgpu_exit+0x11/0x6c [amdgpu]
[  377.707194]  __x64_sys_delete_module+0x142/0x2b0
[  377.707201]  ? fpregs_assert_state_consistent+0x22/0x50
[  377.707208]  ? exit_to_user_mode_prepare+0x3e/0x190
[  377.707215]  do_syscall_64+0x38/0x90
[  377.707221]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52913
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Fix potential context UAFs

gem_context_register() makes the context visible to userspace, and which
point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.
So we need to ensure that nothing uses the ctx ptr after this.  And we
need to ensure that adding the ctx to the xarray is the *last* thing
that gem_context_register() does with the ctx pointer.

[tursulin: Stable and fixes tags add/tidy.]
(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52914
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: add hash if ready poll request can't complete inline

If we don't, then we may lose access to it completely, leading to a
request leak. This will eventually stall the ring exit process as
well.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52915
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer

In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.

Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52915

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52917
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()

The debugfs_create_dir() function returns error pointers.
It never returns NULL. So use IS_ERR() to check it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52917

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52918
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: pci: cx23885: check cx23885_vdev_init() return

cx23885_vdev_init() can return a NULL pointer, but that pointer
is used in the next line without a check.

Add a NULL pointer check and go to the error unwind if it is NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52918

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52919
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: fix possible NULL pointer dereference in send_acknowledge()

Handle memory allocation failure from nci_skb_alloc() (calling
alloc_skb()) to avoid possible NULL pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52919

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52920
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: support non-r10 register spill/fill to/from stack in precision tracking

Use instruction (jump) history to record instructions that performed
register spill/fill to/from stack, regardless if this was done through
read-only r10 register, or any other register after copying r10 into it
*and* potentially adjusting offset.

To make this work reliably, we push extra per-instruction flags into
instruction history, encoding stack slot index (spi) and stack frame
number in extra 10 bit flags we take away from prev_idx in instruction
history. We don't touch idx field for maximum performance, as it's
checked most frequently during backtracking.

This change removes basically the last remaining practical limitation of
precision backtracking logic in BPF verifier. It fixes known
deficiencies, but also opens up new opportunities to reduce number of
verified states, explored in the subsequent patches.

There are only three differences in selftests' BPF object files
according to veristat, all in the positive direction (less states).

File                                    Program        Insns (A)  Insns (B)  Insns  (DIFF)  States (A)  States (B)  States (DIFF)
--------------------------------------  -------------  ---------  ---------  -------------  ----------  ----------  -------------
test_cls_redirect_dynptr.bpf.linked3.o  cls_redirect        2987       2864  -123 (-4.12%)         240         231    -9 (-3.75%)
xdp_synproxy_kern.bpf.linked3.o         syncookie_tc       82848      82661  -187 (-0.23%)        5107        5073   -34 (-0.67%)
xdp_synproxy_kern.bpf.linked3.o         syncookie_xdp      85116      84964  -152 (-0.18%)        5162        5130   -32 (-0.62%)

Note, I avoided renaming jmp_history to more generic insn_hist to
minimize number of lines changed and potential merge conflicts between
bpf and bpf-next trees.

Notice also cur_hist_entry pointer reset to NULL at the beginning of
instruction verification loop. This pointer avoids the problem of
relying on last jump history entry's insn_idx to determine whether we
already have entry for current instruction or not. It can happen that we
added jump history entry because current instruction is_jmp_point(), but
also we need to add instruction flags for stack access. In this case, we
don't want to entries, so we need to reuse last added entry, if it is
present.

Relying on insn_idx comparison has the same ambiguity problem as the one
that was fixed recently in [0], so we avoid that.

  [0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52920

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-52921
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()

Since the gang_size check is outside of chunk parsing
loop, we need to reset i before we free the chunk data.

Suggested by Ye Zhang (@VAR10CK) of Baidu Security.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52921

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-5345
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation.

In case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free.

We recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5345

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-5633
CVE STATUS: Patched
CVE SUMMARY: The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5633

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-5717
CVE STATUS: Patched
CVE SUMMARY: A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.

If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.

We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5717

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-5972
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. This issue could allow a local user to crash the system or escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5972

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6039
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6040
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family); While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6040

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6111
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element many times.

We recommend upgrading past commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6111

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6176
CVE STATUS: Unpatched
CVE SUMMARY: A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6176

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6200
CVE STATUS: Unpatched
CVE SUMMARY: A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6200

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6238
CVE STATUS: Unpatched
CVE SUMMARY: A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. Only privileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6238

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6240
CVE STATUS: Unpatched
CVE SUMMARY: A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6240

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6270
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6270

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6356
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6356

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6531
CVE STATUS: Unpatched
CVE SUMMARY: A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6531

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6535
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6535

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6536
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6536

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6546
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6546

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6560
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory access flaw was found in the io_uring SQ/CQ rings functionality in the Linux kernel. This issue could allow a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6560

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6606
CVE STATUS: Unpatched
CVE SUMMARY: An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6606

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6610
CVE STATUS: Unpatched
CVE SUMMARY: An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6610

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6622
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel. This issue may allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6622

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6679
CVE STATUS: Unpatched
CVE SUMMARY: A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the  Linux kernel. This issue could be exploited to trigger a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6679

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6817
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.

We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6817

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6915
CVE STATUS: Unpatched
CVE SUMMARY: A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6915

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6931
CVE STATUS: Unpatched
CVE SUMMARY: A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.

A perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().

We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6931

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-6932
CVE STATUS: Unpatched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.

A race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.

We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-7042
CVE STATUS: Unpatched
CVE SUMMARY: A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7042

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2023-7192
CVE STATUS: Patched
CVE SUMMARY: A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7192

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0193
CVE STATUS: Unpatched
CVE SUMMARY: A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0193

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0340
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0340

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0443
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0443

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0562
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux Kernel. When a disk is removed, bdi_unregister is called to stop further write-back and waits for associated delayed work to complete. However, wb_inode_writeback_end() may schedule bandwidth estimation work after this has completed, which can result in the timer attempting to access the recently freed bdi_writeback.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0562

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0564
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is "max page sharing=256", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's "max page share". Through these operations, the attacker can leak the victim's page.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0564

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0565
CVE STATUS: Unpatched
CVE SUMMARY: An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0565

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0582
CVE STATUS: Patched
CVE SUMMARY: A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0582

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0607
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0607

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0639
CVE STATUS: Patched
CVE SUMMARY: A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel’s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0639

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0641
CVE STATUS: Patched
CVE SUMMARY: A denial of service vulnerability was found in tipc_crypto_key_revoke in net/tipc/crypto.c in the Linux kernel’s TIPC subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0641

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0646
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory write flaw was found in the Linux kernel’s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0646

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0775
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0775

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-0841
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0841

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-1085
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The nft_setelem_catchall_deactivate() function checks whether the catch-all set element is active in the current generation instead of the next generation before freeing it, but only flags it inactive in the next generation, making it possible to free the element multiple times, leading to a double free vulnerability.

We recommend upgrading past commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-1085

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-1086
CVE STATUS: Patched
CVE SUMMARY: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.

We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-1086

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-1151
CVE STATUS: Unpatched
CVE SUMMARY: A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-1151

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-1312
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the Linux kernel's Memory Management subsystem when a user wins two races at the same time with a fail in the mas_prev_slot function. This issue could allow a local user to crash the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-1312

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-21803
CVE STATUS: Unpatched
CVE SUMMARY: Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.

This issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-21803

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-22099
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.

This issue affects Linux kernel: v2.6.12-rc2.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22099

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-22386
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.



CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22386

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-22705
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in ksmbd in the Linux kernel before 6.6.10. smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22705

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-23196
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the Linux kernel's sound/hda  device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-23196

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-23307
CVE STATUS: Unpatched
CVE SUMMARY: Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-23307

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-23848
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-23848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-23849
CVE STATUS: Unpatched
CVE SUMMARY: In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-23849

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-23850
CVE STATUS: Unpatched
CVE SUMMARY: In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-23850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-23851
CVE STATUS: Unpatched
CVE SUMMARY: copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-23851

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-24855
CVE STATUS: Patched
CVE SUMMARY: A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.





CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24855

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-24857
CVE STATUS: Unpatched
CVE SUMMARY: A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.





CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24857

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-24858
CVE STATUS: Unpatched
CVE SUMMARY: A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.





CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-24859
CVE STATUS: Unpatched
CVE SUMMARY: A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.








CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24859

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-24860
CVE STATUS: Unpatched
CVE SUMMARY: A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.





CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24860

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-24861
CVE STATUS: Unpatched
CVE SUMMARY: A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.





CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24861

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-24864
CVE STATUS: Unpatched
CVE SUMMARY: A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.





CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24864

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-25739
CVE STATUS: Unpatched
CVE SUMMARY: create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25739

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-25740
CVE STATUS: Unpatched
CVE SUMMARY: A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25740

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-25741
CVE STATUS: Unpatched
CVE SUMMARY: printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-25744
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25744

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26581
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_rbtree: skip end interval element from gc

rbtree lazy gc on insert might collect an end interval element that has
been just added in this transactions, skip end interval elements that
are not yet active.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26581

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26582
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: tls: fix use-after-free with partial reads and async decrypt

tls_decrypt_sg doesn't take a reference on the pages from clear_skb,
so the put_page() in tls_decrypt_done releases them, and we trigger
a use-after-free in process_rx_list when we try to read from the
partially-read skb.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26582

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26583
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tls: fix race between async notify and socket close

The submitting thread (one which called recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete()
so any code past that point risks touching already freed data.

Try to avoid the locking and extra flags altogether.
Have the main thread hold an extra reference, this way
we can depend solely on the atomic ref counter for
synchronization.

Don't futz with reiniting the completion, either, we are now
tightly controlling when completion fires.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26583

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26584
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: tls: handle backlogging of crypto requests

Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our
requests to the crypto API, crypto_aead_{encrypt,decrypt} can return
 -EBUSY instead of -EINPROGRESS in valid situations. For example, when
the cryptd queue for AESNI is full (easy to trigger with an
artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued
to the backlog but still processed. In that case, the async callback
will also be called twice: first with err == -EINPROGRESS, which it
seems we can just ignore, then with err == 0.

Compared to Sabrina's original patch this version uses the new
tls_*crypt_async_wait() helpers and converts the EBUSY to
EINPROGRESS to avoid having to modify all the error handling
paths. The handling is identical.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26584

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26585
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tls: fix race between tx work scheduling and socket close

Similarly to previous commit, the submitting thread (recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete().
Reorder scheduling the work before calling complete().
This seems more logical in the first place, as it's
the inverse order of what the submitting thread will do.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26585

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26586
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix stack corruption

When tc filters are first added to a net device, the corresponding local
port gets bound to an ACL group in the device. The group contains a list
of ACLs. In turn, each ACL points to a different TCAM region where the
filters are stored. During forwarding, the ACLs are sequentially
evaluated until a match is found.

One reason to place filters in different regions is when they are added
with decreasing priorities and in an alternating order so that two
consecutive filters can never fit in the same region because of their
key usage.

In Spectrum-2 and newer ASICs the firmware started to report that the
maximum number of ACLs in a group is more than 16, but the layout of the
register that configures ACL groups (PAGT) was not updated to account
for that. It is therefore possible to hit stack corruption [1] in the
rare case where more than 16 ACLs in a group are required.

Fix by limiting the maximum ACL group size to the minimum between what
the firmware reports and the maximum ACLs that fit in the PAGT register.

Add a test case to make sure the machine does not crash when this
condition is hit.

[1]
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120
[...]
 dump_stack_lvl+0x36/0x50
 panic+0x305/0x330
 __stack_chk_fail+0x15/0x20
 mlxsw_sp_acl_tcam_group_update+0x116/0x120
 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110
 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20
 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0
 mlxsw_sp_acl_rule_add+0x47/0x240
 mlxsw_sp_flower_replace+0x1a9/0x1d0
 tc_setup_cb_add+0xdc/0x1c0
 fl_hw_replace_filter+0x146/0x1f0
 fl_change+0xc17/0x1360
 tc_new_tfilter+0x472/0xb90
 rtnetlink_rcv_msg+0x313/0x3b0
 netlink_rcv_skb+0x58/0x100
 netlink_unicast+0x244/0x390
 netlink_sendmsg+0x1e4/0x440
 ____sys_sendmsg+0x164/0x260
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0x7a/0xc0
 do_syscall_64+0x40/0xe0
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26586

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26587
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: netdevsim: don't try to destroy PHC on VFs

PHC gets initialized in nsim_init_netdevsim(), which
is only called if (nsim_dev_port_is_pf()).

Create a counterpart of nsim_init_netdevsim() and
move the mock_phc_destroy() there.

This fixes a crash trying to destroy netdevsim with
VFs instantiated, as caught by running the devlink.sh test:

    BUG: kernel NULL pointer dereference, address: 00000000000000b8
    RIP: 0010:mock_phc_destroy+0xd/0x30
    Call Trace:
     <TASK>
     nsim_destroy+0x4a/0x70 [netdevsim]
     __nsim_dev_port_del+0x47/0x70 [netdevsim]
     nsim_dev_reload_destroy+0x105/0x120 [netdevsim]
     nsim_drv_remove+0x2f/0xb0 [netdevsim]
     device_release_driver_internal+0x1a1/0x210
     bus_remove_device+0xd5/0x120
     device_del+0x159/0x490
     device_unregister+0x12/0x30
     del_device_store+0x11a/0x1a0 [netdevsim]
     kernfs_fop_write_iter+0x130/0x1d0
     vfs_write+0x30b/0x4b0
     ksys_write+0x69/0xf0
     do_syscall_64+0xcc/0x1e0
     entry_SYSCALL_64_after_hwframe+0x6f/0x77
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26587

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26588
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Prevent out-of-bounds memory access

The test_tag test triggers an unhandled page fault:

  # ./test_tag
  [  130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70
  [  130.640501] Oops[#3]:
  [  130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G      D    O       6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a
  [  130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
  [  130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40
  [  130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000
  [  130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000
  [  130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70
  [  130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0
  [  130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0
  [  130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000
  [  130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000
  [  130.641900]    ra: 9000000003139e70 build_body+0x1fcc/0x4988
  [  130.642007]   ERA: 9000000003137f7c build_body+0xd8/0x4988
  [  130.642112]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
  [  130.642261]  PRMD: 00000004 (PPLV0 +PIE -PWE)
  [  130.642353]  EUEN: 00000003 (+FPE +SXE -ASXE -BTE)
  [  130.642458]  ECFG: 00071c1c (LIE=2-4,10-12 VS=7)
  [  130.642554] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
  [  130.642658]  BADV: ffff80001b898004
  [  130.642719]  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
  [  130.642815] Modules linked in: [last unloaded: bpf_testmod(O)]
  [  130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd)
  [  130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8
  [  130.643213]         0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0
  [  130.643378]         0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000
  [  130.643538]         0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000
  [  130.643685]         00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000
  [  130.643831]         ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000
  [  130.643983]         0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558
  [  130.644131]         0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000
  [  130.644276]         9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc
  [  130.644423]         ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0
  [  130.644572]         ...
  [  130.644629] Call Trace:
  [  130.644641] [<9000000003137f7c>] build_body+0xd8/0x4988
  [  130.644785] [<900000000313ca94>] bpf_int_jit_compile+0x228/0x4ec
  [  130.644891] [<90000000032acfb0>] bpf_prog_select_runtime+0x158/0x1b0
  [  130.645003] [<90000000032b3504>] bpf_prog_load+0x760/0xb44
  [  130.645089] [<90000000032b6744>] __sys_bpf+0xbb8/0x2588
  [  130.645175] [<90000000032b8388>] sys_bpf+0x20/0x2c
  [  130.645259] [<9000000003f6ab38>] do_syscall+0x7c/0x94
  [  130.645369] [<9000000003121c5c>] handle_syscall+0xbc/0x158
  [  130.645507]
  [  130.645539] Code: 380839f6  380831f9  28412bae <24000ca6> 004081ad  0014cb50  004083e8  02bff34c  58008e91
  [  130.645729]
  [  130.646418] ---[ end trace 0000000000000000 ]---

On my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at
loading a BPF prog with 2039 instructions:

  prog = (struct bpf_prog *)ffff80001b894000
  insn = (struct bpf_insn *)(prog->insnsi)fff
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26588

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26589
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
for validation. However, variable offset ptr alu is not prohibited
for this ptr kind. So the variable offset is not checked.

The following prog is accepted:

  func#0 @0
  0: R1=ctx() R10=fp0
  0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()
  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()
  2: (b7) r8 = 1024                     ; R8_w=1024
  3: (37) r8 /= 1                       ; R8_w=scalar()
  4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,
  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
  5: (0f) r7 += r8
  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off
  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
  var_off=(0x0; 0x400))
  6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()
  7: (95) exit

This prog loads flow_keys to r7, and adds the variable offset r8
to r7, and finally causes out-of-bounds access:

  BUG: unable to handle page fault for address: ffffc90014c80038
  [...]
  Call Trace:
   <TASK>
   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
   __bpf_prog_run include/linux/filter.h:651 [inline]
   bpf_prog_run include/linux/filter.h:658 [inline]
   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
   __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fix this by rejecting ptr alu with variable offset on flow_keys.
Applying the patch rejects the program with "R7 pointer arithmetic
on flow_keys prohibited".
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26589

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26590
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

erofs: fix inconsistent per-file compression format

EROFS can select compression algorithms on a per-file basis, and each
per-file compression algorithm needs to be marked in the on-disk
superblock for initialization.

However, syzkaller can generate inconsistent crafted images that use
an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA
algorithmtype even it's not set in `sbi->available_compr_algs`.  This
can lead to an unexpected "BUG: kernel NULL pointer dereference" if
the corresponding decompressor isn't built-in.

Fix this by checking against `sbi->available_compr_algs` for each
m_algorithmformat request.  Incorrect !erofs_sb_has_compr_cfgs preset
bitmap is now fixed together since it was harmless previously.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26590

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26591
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix re-attachment branch in bpf_tracing_prog_attach

The following case can cause a crash due to missing attach_btf:

1) load rawtp program
2) load fentry program with rawtp as target_fd
3) create tracing link for fentry program with target_fd = 0
4) repeat 3

In the end we have:

- prog->aux->dst_trampoline == NULL
- tgt_prog == NULL (because we did not provide target_fd to link_create)
- prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)
- the program was loaded for tgt_prog but we have no way to find out which one

    BUG: kernel NULL pointer dereference, address: 0000000000000058
    Call Trace:
     <TASK>
     ? __die+0x20/0x70
     ? page_fault_oops+0x15b/0x430
     ? fixup_exception+0x22/0x330
     ? exc_page_fault+0x6f/0x170
     ? asm_exc_page_fault+0x22/0x30
     ? bpf_tracing_prog_attach+0x279/0x560
     ? btf_obj_id+0x5/0x10
     bpf_tracing_prog_attach+0x439/0x560
     __sys_bpf+0x1cf4/0x2de0
     __x64_sys_bpf+0x1c/0x30
     do_syscall_64+0x41/0xf0
     entry_SYSCALL_64_after_hwframe+0x6e/0x76

Return -EINVAL in this situation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26591

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26592
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix UAF issue in ksmbd_tcp_new_connection()

The race is between the handling of a new TCP connection and
its disconnection. It leads to UAF on `struct tcp_transport` in
ksmbd_tcp_new_connection() function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26592

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26593
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i2c: i801: Fix block process call transactions

According to the Intel datasheets, software must reset the block
buffer index twice for block process call transactions: once before
writing the outgoing data to the buffer, and once again before
reading the incoming data from the buffer.

The driver is currently missing the second reset, causing the wrong
portion of the block buffer to be read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26593

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26594
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate mech token in session setup

If client send invalid mech token in session setup request, ksmbd
validate and make the error if it is invalid.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26594

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26595
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path

When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after
failing to attach the region to an ACL group, we hit a NULL pointer
dereference upon 'region->group->tcam' [1].

Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().

[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0
[...]
Call Trace:
 mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20
 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0
 mlxsw_sp_acl_rule_add+0x47/0x240
 mlxsw_sp_flower_replace+0x1a9/0x1d0
 tc_setup_cb_add+0xdc/0x1c0
 fl_hw_replace_filter+0x146/0x1f0
 fl_change+0xc17/0x1360
 tc_new_tfilter+0x472/0xb90
 rtnetlink_rcv_msg+0x313/0x3b0
 netlink_rcv_skb+0x58/0x100
 netlink_unicast+0x244/0x390
 netlink_sendmsg+0x1e4/0x440
 ____sys_sendmsg+0x164/0x260
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0x7a/0xc0
 do_syscall_64+0x40/0xe0
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26595

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26596
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events

After the blamed commit, we started doing this dereference for every
NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.

static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
{
	struct dsa_user_priv *p = netdev_priv(dev);

	return p->dp;
}

Which is obviously bogus, because not all net_devices have a netdev_priv()
of type struct dsa_user_priv. But struct dsa_user_priv is fairly small,
and p->dp means dereferencing 8 bytes starting with offset 16. Most
drivers allocate that much private memory anyway, making our access not
fault, and we discard the bogus data quickly afterwards, so this wasn't
caught.

But the dummy interface is somewhat special in that it calls
alloc_netdev() with a priv size of 0. So every netdev_priv() dereference
is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event
with a VLAN as its new upper:

$ ip link add dummy1 type dummy
$ ip link add link dummy1 name dummy1.100 type vlan id 100
[   43.309174] ==================================================================
[   43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8
[   43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374
[   43.330058]
[   43.342436] Call trace:
[   43.366542]  dsa_user_prechangeupper+0x30/0xe8
[   43.371024]  dsa_user_netdevice_event+0xb38/0xee8
[   43.375768]  notifier_call_chain+0xa4/0x210
[   43.379985]  raw_notifier_call_chain+0x24/0x38
[   43.384464]  __netdev_upper_dev_link+0x3ec/0x5d8
[   43.389120]  netdev_upper_dev_link+0x70/0xa8
[   43.393424]  register_vlan_dev+0x1bc/0x310
[   43.397554]  vlan_newlink+0x210/0x248
[   43.401247]  rtnl_newlink+0x9fc/0xe30
[   43.404942]  rtnetlink_rcv_msg+0x378/0x580

Avoid the kernel oops by dereferencing after the type check, as customary.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26596

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26597
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: qualcomm: rmnet: fix global oob in rmnet_policy

The variable rmnet_link_ops assign a *bigger* maxtype which leads to a
global out-of-bounds read when parsing the netlink attributes. See bug
trace below:

==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207

CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G                 N 6.1.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x172/0x475 mm/kasan/report.c:395
 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495
 validate_nla lib/nlattr.c:386 [inline]
 __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
 __nla_parse+0x3e/0x50 lib/nlattr.c:697
 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]
 __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594
 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091
 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0x154/0x190 net/socket.c:734
 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fdcf2072359
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359
RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000
 </TASK>

The buggy address belongs to the variable:
 rmnet_policy+0x30/0xe0

The buggy address belongs to the physical page:
page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243
flags: 0x200000000001000(reserved|node=0|zone=2)
raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07
 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9
>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
                                                 ^
 ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9

According to the comment of `nla_parse_nested_deprecated`, the maxtype
should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26597

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26598
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache

There is a potential UAF scenario in the case of an LPI translation
cache hit racing with an operation that invalidates the cache, such
as a DISCARD ITS command. The root of the problem is that
vgic_its_check_cache() does not elevate the refcount on the vgic_irq
before dropping the lock that serializes refcount changes.

Have vgic_its_check_cache() raise the refcount on the returned vgic_irq
and add the corresponding decrement after queueing the interrupt.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26598

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26599
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pwm: Fix out-of-bounds access in of_pwm_single_xlate()

With args->args_count == 2 args->args[2] is not defined. Actually the
flags are contained in args->args[1].
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26599

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26600
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP

If the external phy working together with phy-omap-usb2 does not implement
send_srp(), we may still attempt to call it. This can happen on an idle
Ethernet gadget triggering a wakeup for example:

configfs-gadget.g1 gadget.0: ECM Suspend
configfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup
...
Unable to handle kernel NULL pointer dereference at virtual address
00000000 when execute
...
PC is at 0x0
LR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]
...
musb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]
usb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]
eth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c
dev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4
sch_direct_xmit from __dev_queue_xmit+0x334/0xd88
__dev_queue_xmit from arp_solicit+0xf0/0x268
arp_solicit from neigh_probe+0x54/0x7c
neigh_probe from __neigh_event_send+0x22c/0x47c
__neigh_event_send from neigh_resolve_output+0x14c/0x1c0
neigh_resolve_output from ip_finish_output2+0x1c8/0x628
ip_finish_output2 from ip_send_skb+0x40/0xd8
ip_send_skb from udp_send_skb+0x124/0x340
udp_send_skb from udp_sendmsg+0x780/0x984
udp_sendmsg from __sys_sendto+0xd8/0x158
__sys_sendto from ret_fast_syscall+0x0/0x58

Let's fix the issue by checking for send_srp() and set_vbus() before
calling them. For USB peripheral only cases these both could be NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26600

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26601
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: regenerate buddy after block freeing failed if under fc replay

This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant
mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on
code in mb_free_blocks(), fast commit replay can end up marking as free
blocks that are already marked as such. This causes corruption of the
buddy bitmap so we need to regenerate it in that case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26601

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26602
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sched/membarrier: reduce the ability to hammer on sys_membarrier

On some systems, sys_membarrier can be very expensive, causing overall
slowdowns for everything.  So put a lock on the path in order to
serialize the accesses to prevent the ability for this to be called at
too high of a frequency and saturate the machine.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26602

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26603
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Stop relying on userspace for info to fault in xsave buffer

Before this change, the expected size of the user space buffer was
taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed
from user-space, so it is possible construct a sigreturn frame where:

 * fx_sw->xstate_size is smaller than the size required by valid bits in
   fx_sw->xfeatures.
 * user-space unmaps parts of the sigrame fpu buffer so that not all of
   the buffer required by xrstor is accessible.

In this case, xrstor tries to restore and accesses the unmapped area
which results in a fault. But fault_in_readable succeeds because buf +
fx_sw->xstate_size is within the still mapped area, so it goes back and
tries xrstor again. It will spin in this loop forever.

Instead, fault in the maximum size which can be touched by XRSTOR (taken
from fpstate->user_size).

[ dhansen: tweak subject / changelog ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26603

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26604
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Revert "kobject: Remove redundant checks for whether ktype is NULL"

This reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31.

It is reported to cause problems, so revert it for now until the root
cause can be found.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26604

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26605
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI/ASPM: Fix deadlock when enabling ASPM

A last minute revert in 6.7-final introduced a potential deadlock when
enabling ASPM during probe of Qualcomm PCIe controllers as reported by
lockdep:

  ============================================
  WARNING: possible recursive locking detected
  6.7.0 #40 Not tainted
  --------------------------------------------
  kworker/u16:5/90 is trying to acquire lock:
  ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc

              but task is already holding lock:
  ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc

              other info that might help us debug this:
   Possible unsafe locking scenario:

         CPU0
         ----
    lock(pci_bus_sem);
    lock(pci_bus_sem);

               *** DEADLOCK ***

  Call trace:
   print_deadlock_bug+0x25c/0x348
   __lock_acquire+0x10a4/0x2064
   lock_acquire+0x1e8/0x318
   down_read+0x60/0x184
   pcie_aspm_pm_state_change+0x58/0xdc
   pci_set_full_power_state+0xa8/0x114
   pci_set_power_state+0xc4/0x120
   qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]
   pci_walk_bus+0x64/0xbc
   qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]

The deadlock can easily be reproduced on machines like the Lenovo ThinkPad
X13s by adding a delay to increase the race window during asynchronous
probe where another thread can take a write lock.

Add a new pci_set_power_state_locked() and associated helper functions that
can be called with the PCI bus semaphore held to avoid taking the read lock
twice.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26605

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26606
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

binder: signal epoll threads of self-work

In (e)poll mode, threads often depend on I/O events to determine when
data is ready for consumption. Within binder, a thread may initiate a
command via BINDER_WRITE_READ without a read buffer and then make use
of epoll_wait() or similar to consume any responses afterwards.

It is then crucial that epoll threads are signaled via wakeup when they
queue their own work. Otherwise, they risk waiting indefinitely for an
event leaving their work unhandled. What is worse, subsequent commands
won't trigger a wakeup either as the thread has pending work.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26606

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26881
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix kernel crash when 1588 is received on HIP08 devices

The HIP08 devices does not register the ptp devices, so the
hdev->ptp is NULL, but the hardware can receive 1588 messages,
and set the HNS3_RXD_TS_VLD_B bit, so, if match this case, the
access of hdev->ptp->flags will cause a kernel crash:

[ 5888.946472] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
[ 5888.946475] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
...
[ 5889.266118] pc : hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]
[ 5889.272612] lr : hclge_ptp_get_rx_hwts+0x34/0x170 [hclge]
[ 5889.279101] sp : ffff800012c3bc50
[ 5889.283516] x29: ffff800012c3bc50 x28: ffff2040002be040
[ 5889.289927] x27: ffff800009116484 x26: 0000000080007500
[ 5889.296333] x25: 0000000000000000 x24: ffff204001c6f000
[ 5889.302738] x23: ffff204144f53c00 x22: 0000000000000000
[ 5889.309134] x21: 0000000000000000 x20: ffff204004220080
[ 5889.315520] x19: ffff204144f53c00 x18: 0000000000000000
[ 5889.321897] x17: 0000000000000000 x16: 0000000000000000
[ 5889.328263] x15: 0000004000140ec8 x14: 0000000000000000
[ 5889.334617] x13: 0000000000000000 x12: 00000000010011df
[ 5889.340965] x11: bbfeff4d22000000 x10: 0000000000000000
[ 5889.347303] x9 : ffff800009402124 x8 : 0200f78811dfbb4d
[ 5889.353637] x7 : 2200000000191b01 x6 : ffff208002a7d480
[ 5889.359959] x5 : 0000000000000000 x4 : 0000000000000000
[ 5889.366271] x3 : 0000000000000000 x2 : 0000000000000000
[ 5889.372567] x1 : 0000000000000000 x0 : ffff20400095c080
[ 5889.378857] Call trace:
[ 5889.382285] hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]
[ 5889.388304] hns3_handle_bdinfo+0x324/0x410 [hns3]
[ 5889.394055] hns3_handle_rx_bd+0x60/0x150 [hns3]
[ 5889.399624] hns3_clean_rx_ring+0x84/0x170 [hns3]
[ 5889.405270] hns3_nic_common_poll+0xa8/0x220 [hns3]
[ 5889.411084] napi_poll+0xcc/0x264
[ 5889.415329] net_rx_action+0xd4/0x21c
[ 5889.419911] __do_softirq+0x130/0x358
[ 5889.424484] irq_exit+0x134/0x154
[ 5889.428700] __handle_domain_irq+0x88/0xf0
[ 5889.433684] gic_handle_irq+0x78/0x2c0
[ 5889.438319] el1_irq+0xb8/0x140
[ 5889.442354] arch_cpu_idle+0x18/0x40
[ 5889.446816] default_idle_call+0x5c/0x1c0
[ 5889.451714] cpuidle_idle_call+0x174/0x1b0
[ 5889.456692] do_idle+0xc8/0x160
[ 5889.460717] cpu_startup_entry+0x30/0xfc
[ 5889.465523] secondary_start_kernel+0x158/0x1ec
[ 5889.470936] Code: 97ffab78 f9411c14 91408294 f9457284 (f9400c80)
[ 5889.477950] SMP: stopping secondary CPUs
[ 5890.514626] SMP: failed to stop secondary CPUs 0-69,71-95
[ 5890.522951] Starting crashdump kernel...
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26881

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26882
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()

Apply the same fix than ones found in :

8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()")

We have to save skb->network_header in a temporary variable
in order to be able to recompute the network_header pointer
after a pskb_inet_may_pull() call.

pskb_inet_may_pull() makes sure the needed headers are in skb->head.

syzbot reported:
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
 BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
 BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
 BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
  ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
  __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389
  ipgre_rcv net/ipv4/ip_gre.c:411 [inline]
  gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447
  gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163
  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
  dst_input include/net/dst.h:461 [inline]
  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
  netif_receive_skb_internal net/core/dev.c:5734 [inline]
  netif_receive_skb+0x58/0x660 net/core/dev.c:5793
  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556
  tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009
  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
  call_write_iter include/linux/fs.h:2087 [inline]
  new_sync_write fs/read_write.c:497 [inline]
  vfs_write+0xb6b/0x1520 fs/read_write.c:590
  ksys_write+0x20f/0x4c0 fs/read_write.c:643
  __do_sys_write fs/read_write.c:655 [inline]
  __se_sys_write fs/read_write.c:652 [inline]
  __x64_sys_write+0x93/0xd0 fs/read_write.c:652
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
  __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590
  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
  alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204
  skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909
  tun_build_skb drivers/net/tun.c:1686 [inline]
  tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826
  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
  call_write_iter include/linux/fs.h:2087 [inline]
  new_sync_write fs/read_write.c:497 [inline]
  vfs_write+0xb6b/0x1520 fs/read_write.c:590
  ksys_write+0x20f/0x4c0 fs/read_write.c:643
  __do_sys_write fs/read_write.c:655 [inline]
  __se_sys_write fs/read_write.c:652 [inline]
  __x64_sys_write+0x93/0xd0 fs/read_write.c:652
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26882

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26883
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stackmap overflow check on 32-bit arches

The stackmap code relies on roundup_pow_of_two() to compute the number
of hash buckets, and contains an overflow check by checking if the
resulting value is 0. However, on 32-bit arches, the roundup code itself
can overflow by doing a 32-bit left-shift of an unsigned long value,
which is undefined behaviour, so it is not guaranteed to truncate
neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
contains the same check, copied from the hashtab code.

The commit in the fixes tag actually attempted to fix this, but the fix
did not account for the UB, so the fix only works on CPUs where an
overflow does result in a neat truncation to zero, which is not
guaranteed. Checking the value before rounding does not have this
problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26883

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26884
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix hashtab overflow check on 32-bit arches

The hashtab code relies on roundup_pow_of_two() to compute the number of
hash buckets, and contains an overflow check by checking if the
resulting value is 0. However, on 32-bit arches, the roundup code itself
can overflow by doing a 32-bit left-shift of an unsigned long value,
which is undefined behaviour, so it is not guaranteed to truncate
neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
contains the same check, copied from the hashtab code. So apply the same
fix to hashtab, by moving the overflow check to before the roundup.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26885
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix DEVMAP_HASH overflow check on 32-bit arches

The devmap code allocates a number hash buckets equal to the next power
of two of the max_entries value provided when creating the map. When
rounding up to the next power of two, the 32-bit variable storing the
number of buckets can overflow, and the code checks for overflow by
checking if the truncated 32-bit value is equal to 0. However, on 32-bit
arches the rounding up itself can overflow mid-way through, because it
ends up doing a left-shift of 32 bits on an unsigned long value. If the
size of an unsigned long is four bytes, this is undefined behaviour, so
there is no guarantee that we'll end up with a nice and tidy 0-value at
the end.

Syzbot managed to turn this into a crash on arm32 by creating a
DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.
Fix this by moving the overflow check to before the rounding up
operation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26885

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26898
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

This patch is against CVE-2023-6270. The description of cve is:

  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
  `struct net_device`, and a use-after-free can be triggered by racing
  between the free on the struct and the access through the `skbtxq`
  global queue. This could lead to a denial of service condition or
  potential code execution.

In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.

This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26898

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26899
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block: fix deadlock between bd_link_disk_holder and partition scan

'open_mutex' of gendisk is used to protect open/close block devices. But
in bd_link_disk_holder(), it is used to protect the creation of symlink
between holding disk and slave bdev, which introduces some issues.

When bd_link_disk_holder() is called, the driver is usually in the process
of initialization/modification and may suspend submitting io. At this
time, any io hold 'open_mutex', such as scanning partitions, can cause
deadlocks. For example, in raid:

T1                              T2
bdev_open_by_dev
 lock open_mutex [1]
 ...
  efi_partition
  ...
   md_submit_bio
				md_ioctl mddev_syspend
				  -> suspend all io
				 md_add_new_disk
				  bind_rdev_to_array
				   bd_link_disk_holder
				    try lock open_mutex [2]
    md_handle_request
     -> wait mddev_resume

T1 scan partition, T2 add a new device to raid. T1 waits for T2 to resume
mddev, but T2 waits for open_mutex held by T1. Deadlock occurs.

Fix it by introducing a local mutex 'blk_holder_mutex' to replace
'open_mutex'.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26899

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26900
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

md: fix kmemleak of rdev->serial

If kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be
alloc not be freed, and kmemleak occurs.

unreferenced object 0xffff88815a350000 (size 49152):
  comm "mdadm", pid 789, jiffies 4294716910
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc f773277a):
    [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0
    [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270
    [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f
    [<00000000f206d60a>] kvmalloc_node+0x74/0x150
    [<0000000034bf3363>] rdev_init_serial+0x67/0x170
    [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220
    [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630
    [<0000000073c28560>] md_add_new_disk+0x400/0x9f0
    [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10
    [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0
    [<0000000085086a11>] vfs_ioctl+0x22/0x60
    [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0
    [<00000000e54e675e>] do_syscall_64+0x71/0x150
    [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26900

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26901
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak

syzbot identified a kernel information leak vulnerability in
do_sys_name_to_handle() and issued the following report [1].

[1]
"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 copy_to_user include/linux/uaccess.h:191 [inline]
 do_sys_name_to_handle fs/fhandle.c:73 [inline]
 __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
 __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94
 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
 ...

Uninit was created at:
 slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0x121/0x3c0 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 do_sys_name_to_handle fs/fhandle.c:39 [inline]
 __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
 __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94
 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
 ...

Bytes 18-19 of 20 are uninitialized
Memory access of size 20 starts at ffff888128a46380
Data copied to user address 0000000020000240"

Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to
solve the problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26901

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26902
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

perf: RISCV: Fix panic on pmu overflow handler

(1 << idx) of int is not desired when setting bits in unsigned long
overflowed_ctrs, use BIT() instead. This panic happens when running
'perf record -e branches' on sophgo sg2042.

[  273.311852] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
[  273.320851] Oops [#1]
[  273.323179] Modules linked in:
[  273.326303] CPU: 0 PID: 1475 Comm: perf Not tainted 6.6.0-rc3+ #9
[  273.332521] Hardware name: Sophgo Mango (DT)
[  273.336878] epc : riscv_pmu_ctr_get_width_mask+0x8/0x62
[  273.342291]  ra : pmu_sbi_ovf_handler+0x2e0/0x34e
[  273.347091] epc : ffffffff80aecd98 ra : ffffffff80aee056 sp : fffffff6e36928b0
[  273.354454]  gp : ffffffff821f82d0 tp : ffffffd90c353200 t0 : 0000002ade4f9978
[  273.361815]  t1 : 0000000000504d55 t2 : ffffffff8016cd8c s0 : fffffff6e3692a70
[  273.369180]  s1 : 0000000000000020 a0 : 0000000000000000 a1 : 00001a8e81800000
[  273.376540]  a2 : 0000003c00070198 a3 : 0000003c00db75a4 a4 : 0000000000000015
[  273.383901]  a5 : ffffffd7ff8804b0 a6 : 0000000000000015 a7 : 000000000000002a
[  273.391327]  s2 : 000000000000ffff s3 : 0000000000000000 s4 : ffffffd7ff8803b0
[  273.398773]  s5 : 0000000000504d55 s6 : ffffffd905069800 s7 : ffffffff821fe210
[  273.406139]  s8 : 000000007fffffff s9 : ffffffd7ff8803b0 s10: ffffffd903f29098
[  273.413660]  s11: 0000000080000000 t3 : 0000000000000003 t4 : ffffffff8017a0ca
[  273.421022]  t5 : ffffffff8023cfc2 t6 : ffffffd9040780e8
[  273.426437] status: 0000000200000100 badaddr: 0000000000000098 cause: 000000000000000d
[  273.434512] [<ffffffff80aecd98>] riscv_pmu_ctr_get_width_mask+0x8/0x62
[  273.441169] [<ffffffff80076bd8>] handle_percpu_devid_irq+0x98/0x1ee
[  273.447562] [<ffffffff80071158>] generic_handle_domain_irq+0x28/0x36
[  273.454151] [<ffffffff8047a99a>] riscv_intc_irq+0x36/0x4e
[  273.459659] [<ffffffff80c944de>] handle_riscv_irq+0x4a/0x74
[  273.465442] [<ffffffff80c94c48>] do_irq+0x62/0x92
[  273.470360] Code: 0420 60a2 6402 5529 0141 8082 0013 0000 0013 0000 (6d5c) b783
[  273.477921] ---[ end trace 0000000000000000 ]---
[  273.482630] Kernel panic - not syncing: Fatal exception in interrupt
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26902

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26903
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

During our fuzz testing of the connection and disconnection process at the
RFCOMM layer, we discovered this bug. By comparing the packets from a
normal connection and disconnection process with the testcase that
triggered a KASAN report. We analyzed the cause of this bug as follows:

1. In the packets captured during a normal connection, the host sends a
`Read Encryption Key Size` type of `HCI_CMD` packet
(Command Opcode: 0x1408) to the controller to inquire the length of
encryption key.After receiving this packet, the controller immediately
replies with a Command Completepacket (Event Code: 0x0e) to return the
Encryption Key Size.

2. In our fuzz test case, the timing of the controller's response to this
packet was delayed to an unexpected point: after the RFCOMM and L2CAP
layers had disconnected but before the HCI layer had disconnected.

3. After receiving the Encryption Key Size Response at the time described
in point 2, the host still called the rfcomm_check_security function.
However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`
had already been released, and when the function executed
`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,
specifically when accessing `conn->hcon`, a null-ptr-deref error occurred.

To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling
rfcomm_recv_frame in rfcomm_process_rx.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26903

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26907
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix fortify source warning while accessing Eth segment

 ------------[ cut here ]------------
 memcpy: detected field-spanning write (size 56) of single field "eseg->inline_hdr.start" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)
 WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
 Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy
  [last unloaded: mlx_compat(OE)]
 CPU: 0 PID: 293779 Comm: ssh Tainted: G           OE      6.2.0-32-generic #32~22.04.1-Ubuntu
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
 Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7
 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046
 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8
 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80
 FS:  00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  ? show_regs+0x72/0x90
  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
  ? __warn+0x8d/0x160
  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
  ? report_bug+0x1bb/0x1d0
  ? handle_bug+0x46/0x90
  ? exc_invalid_op+0x19/0x80
  ? asm_exc_invalid_op+0x1b/0x20
  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
  mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]
  ipoib_send+0x2ec/0x770 [ib_ipoib]
  ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]
  dev_hard_start_xmit+0x8e/0x1e0
  ? validate_xmit_skb_list+0x4d/0x80
  sch_direct_xmit+0x116/0x3a0
  __dev_xmit_skb+0x1fd/0x580
  __dev_queue_xmit+0x284/0x6b0
  ? _raw_spin_unlock_irq+0xe/0x50
  ? __flush_work.isra.0+0x20d/0x370
  ? push_pseudo_header+0x17/0x40 [ib_ipoib]
  neigh_connected_output+0xcd/0x110
  ip_finish_output2+0x179/0x480
  ? __smp_call_single_queue+0x61/0xa0
  __ip_finish_output+0xc3/0x190
  ip_finish_output+0x2e/0xf0
  ip_output+0x78/0x110
  ? __pfx_ip_finish_output+0x10/0x10
  ip_local_out+0x64/0x70
  __ip_queue_xmit+0x18a/0x460
  ip_queue_xmit+0x15/0x30
  __tcp_transmit_skb+0x914/0x9c0
  tcp_write_xmit+0x334/0x8d0
  tcp_push_one+0x3c/0x60
  tcp_sendmsg_locked+0x2e1/0xac0
  tcp_sendmsg+0x2d/0x50
  inet_sendmsg+0x43/0x90
  sock_sendmsg+0x68/0x80
  sock_write_iter+0x93/0x100
  vfs_write+0x326/0x3c0
  ksys_write+0xbd/0xf0
  ? do_syscall_64+0x69/0x90
  __x64_sys_write+0x19/0x30
  do_syscall_
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26907

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26909
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free

A recent DRM series purporting to simplify support for "transparent
bridges" and handling of probe deferrals ironically exposed a
use-after-free issue on pmic_glink_altmode probe deferral.

This has manifested itself as the display subsystem occasionally failing
to initialise and NULL-pointer dereferences during boot of machines like
the Lenovo ThinkPad X13s.

Specifically, the dp-hpd bridge is currently registered before all
resources have been acquired which means that it can also be
deregistered on probe deferrals.

In the meantime there is a race window where the new aux bridge driver
(or PHY driver previously) may have looked up the dp-hpd bridge and
stored a (non-reference-counted) pointer to the bridge which is about to
be deallocated.

When the display controller is later initialised, this triggers a
use-after-free when attaching the bridges:

	dp -> aux -> dp-hpd (freed)

which may, for example, result in the freed bridge failing to attach:

	[drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16

or a NULL-pointer dereference:

	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
	...
	Call trace:
	  drm_bridge_attach+0x70/0x1a8 [drm]
	  drm_aux_bridge_attach+0x24/0x38 [aux_bridge]
	  drm_bridge_attach+0x80/0x1a8 [drm]
	  dp_bridge_init+0xa8/0x15c [msm]
	  msm_dp_modeset_init+0x28/0xc4 [msm]

The DRM bridge implementation is clearly fragile and implicitly built on
the assumption that bridges may never go away. In this case, the fix is
to move the bridge registration in the pmic_glink_altmode driver to
after all resources have been looked up.

Incidentally, with the new dp-hpd bridge implementation, which registers
child devices, this is also a requirement due to a long-standing issue
in driver core that can otherwise lead to a probe deferral loop (see
commit fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")).

[DB: slightly fixed commit message by adding the word 'commit']
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26910
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: fix performance regression in swap operation

The patch "netfilter: ipset: fix race condition between swap/destroy
and kernel side add/del/test", commit 28628fa9 fixes a race condition.
But the synchronize_rcu() added to the swap function unnecessarily slows
it down: it can safely be moved to destroy and use call_rcu() instead.

Eric Dumazet pointed out that simply calling the destroy functions as
rcu callback does not work: sets with timeout use garbage collectors
which need cancelling at destroy which can wait. Therefore the destroy
functions are split into two: cancelling garbage collectors safely at
executing the command received by netlink and moving the remaining
part only into the rcu callback.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26911
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/buddy: Fix alloc_range() error handling code

Few users have observed display corruption when they boot
the machine to KDE Plasma or playing games. We have root
caused the problem that whenever alloc_range() couldn't
find the required memory blocks the function was returning
SUCCESS in some of the corner cases.

The right approach would be if the total allocated size
is less than the required size, the function should
return -ENOSPC.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26912
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix several DMA buffer leaks

Nouveau manages GSP-RM DMA buffers with nvkm_gsp_mem objects.  Several of
these buffers are never dealloced.  Some of them can be deallocated
right after GSP-RM is initialized, but the rest need to stay until the
driver unloads.

Also futher bullet-proof these objects by poisoning the buffer and
clearing the nvkm_gsp_mem object when it is deallocated.  Poisoning
the buffer should trigger an error (or crash) from GSP-RM if it tries
to access the buffer after we've deallocated it, because we were wrong
about when it is safe to deallocate.

Finally, change the mem->size field to a size_t because that's the same
type that dma_alloc_coherent expects.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26913
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue

[why]
odm calculation is missing for pipe split policy determination
and cause Underflow/Corruption issue.

[how]
Add the odm calculation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26929
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix double free of fcport

The server was crashing after LOGO because fcport was getting freed twice.

 -----------[ cut here ]-----------
 kernel BUG at mm/slub.c:371!
 invalid opcode: 0000 1 SMP PTI
 CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1
 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
 RIP: 0010:set_freepointer.part.57+0x0/0x10
 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246
 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400
 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500
 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009
 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500
 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58
 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
 kfree+0x238/0x250
 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]
 ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]
 qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
 ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
 ? kernfs_fop_write+0x11e/0x1a0

Remove one of the free calls and add check for valid fcport. Also use
function qla2x00_free_fcport() instead of kfree().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26929

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26930
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix double free of the ha->vp_map pointer

Coverity scan reported potential risk of double free of the pointer
ha->vp_map.  ha->vp_map was freed in qla2x00_mem_alloc(), and again freed
in function qla2x00_mem_free(ha).

Assign NULL to vp_map and kfree take care of NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26930

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26932
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()

When unregister pd capabilitie in tcpm, KASAN will capture below double
-free issue. The root cause is the same capabilitiy will be kfreed twice,
the first time is kfreed by pd_capabilities_release() and the second time
is explicitly kfreed by tcpm_port_unregister_pd().

[    3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc
[    3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10
[    4.001206]
[    4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53
[    4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)
[    4.017569] Workqueue: events_unbound deferred_probe_work_func
[    4.023456] Call trace:
[    4.025920]  dump_backtrace+0x94/0xec
[    4.029629]  show_stack+0x18/0x24
[    4.032974]  dump_stack_lvl+0x78/0x90
[    4.036675]  print_report+0xfc/0x5c0
[    4.040289]  kasan_report_invalid_free+0xa0/0xc0
[    4.044937]  __kasan_slab_free+0x124/0x154
[    4.049072]  kfree+0xb4/0x1e8
[    4.052069]  tcpm_port_unregister_pd+0x1a4/0x3dc
[    4.056725]  tcpm_register_port+0x1dd0/0x2558
[    4.061121]  tcpci_register_port+0x420/0x71c
[    4.065430]  tcpci_probe+0x118/0x2e0

To fix the issue, this will remove kree() from tcpm_port_unregister_pd().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26933
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix deadlock in port "disable" sysfs attribute

The show and store callback routines for the "disable" sysfs attribute
file in port.c acquire the device lock for the port's parent hub
device.  This can cause problems if another process has locked the hub
to remove it or change its configuration:

	Removing the hub or changing its configuration requires the
	hub interface to be removed, which requires the port device
	to be removed, and device_del() waits until all outstanding
	sysfs attribute callbacks for the ports have returned.  The
	lock can't be released until then.

	But the disable_show() or disable_store() routine can't return
	until after it has acquired the lock.

The resulting deadlock can be avoided by calling
sysfs_break_active_protection().  This will cause the sysfs core not
to wait for the attribute's callback routine to return, allowing the
removal to proceed.  The disadvantage is that after making this call,
there is no guarantee that the hub structure won't be deallocated at
any moment.  To prevent this, we have to acquire a reference to it
first by calling hub_get().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26933

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26934
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix deadlock in usb_deauthorize_interface()

Among the attribute file callback routines in
drivers/usb/core/sysfs.c, the interface_authorized_store() function is
the only one which acquires a device lock on an ancestor device: It
calls usb_deauthorize_interface(), which locks the interface's parent
USB device.

The will lead to deadlock if another process already owns that lock
and tries to remove the interface, whether through a configuration
change or because the device has been disconnected.  As part of the
removal procedure, device_del() waits for all ongoing sysfs attribute
callbacks to complete.  But usb_deauthorize_interface() can't complete
until the device lock has been released, and the lock won't be
released until the removal has finished.

The mechanism provided by sysfs to prevent this kind of deadlock is
to use the sysfs_break_active_protection() function, which tells sysfs
not to wait for the attribute callback.

Reported-and-tested by: Yue Sun <samsun1006219@gmail.com>
Reported by: xingwei lee <xrivendell7@gmail.com>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26942
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: phy: qcom: at803x: fix kernel panic with at8031_probe

On reworking and splitting the at803x driver, in splitting function of
at803x PHYs it was added a NULL dereference bug where priv is referenced
before it's actually allocated and then is tried to write to for the
is_1000basex and is_fiber variables in the case of at8031, writing on
the wrong address.

Fix this by correctly setting priv local variable only after
at803x_probe is called and actually allocates priv in the phydev struct.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26942

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26949
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/pm: Fix NULL pointer dereference when get power limit

Because powerplay_table initialization is skipped under
sriov case, We check and set default lower and upper OD
value if powerplay_table is NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26949

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26952
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix potencial out-of-bounds when buffer offset is invalid

I found potencial out-of-bounds when buffer offset fields of a few requests
is invalid. This patch set the minimum value of buffer offset field to
->Buffer offset to validate buffer length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26952

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26978
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: max310x: fix NULL pointer dereference in I2C instantiation

When trying to instantiate a max14830 device from userspace:

    echo max14830 0x60 > /sys/bus/i2c/devices/i2c-2/new_device

we get the following error:

    Unable to handle kernel NULL pointer dereference at virtual address...
    ...
    Call trace:
        max310x_i2c_probe+0x48/0x170 [max310x]
        i2c_device_probe+0x150/0x2a0
    ...

Add check for validity of devtype to prevent the error, and abort probe
with a meaningful error message.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26978

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26986
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix memory leak in create_process failure

Fix memory leak due to a leaked mmget reference on an error handling
code path that is triggered when attempting to create KFD processes
while a GPU reset is in progress.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26986

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-26987
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled

When I did hard offline test with hugetlb pages, below deadlock occurs:

======================================================
WARNING: possible circular locking dependency detected
6.8.0-11409-gf6cef5f8c37f #1 Not tainted
------------------------------------------------------
bash/46904 is trying to acquire lock:
ffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60

but task is already holding lock:
ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (pcp_batch_high_lock){+.+.}-{3:3}:
       __mutex_lock+0x6c/0x770
       page_alloc_cpu_online+0x3c/0x70
       cpuhp_invoke_callback+0x397/0x5f0
       __cpuhp_invoke_callback_range+0x71/0xe0
       _cpu_up+0xeb/0x210
       cpu_up+0x91/0xe0
       cpuhp_bringup_mask+0x49/0xb0
       bringup_nonboot_cpus+0xb7/0xe0
       smp_init+0x25/0xa0
       kernel_init_freeable+0x15f/0x3e0
       kernel_init+0x15/0x1b0
       ret_from_fork+0x2f/0x50
       ret_from_fork_asm+0x1a/0x30

-> #0 (cpu_hotplug_lock){++++}-{0:0}:
       __lock_acquire+0x1298/0x1cd0
       lock_acquire+0xc0/0x2b0
       cpus_read_lock+0x2a/0xc0
       static_key_slow_dec+0x16/0x60
       __hugetlb_vmemmap_restore_folio+0x1b9/0x200
       dissolve_free_huge_page+0x211/0x260
       __page_handle_poison+0x45/0xc0
       memory_failure+0x65e/0xc70
       hard_offline_page_store+0x55/0xa0
       kernfs_fop_write_iter+0x12c/0x1d0
       vfs_write+0x387/0x550
       ksys_write+0x64/0xe0
       do_syscall_64+0xca/0x1e0
       entry_SYSCALL_64_after_hwframe+0x6d/0x75

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(pcp_batch_high_lock);
                               lock(cpu_hotplug_lock);
                               lock(pcp_batch_high_lock);
  rlock(cpu_hotplug_lock);

 *** DEADLOCK ***

5 locks held by bash/46904:
 #0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0
 #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0
 #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0
 #3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70
 #4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40

stack backtrace:
CPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x68/0xa0
 check_noncircular+0x129/0x140
 __lock_acquire+0x1298/0x1cd0
 lock_acquire+0xc0/0x2b0
 cpus_read_lock+0x2a/0xc0
 static_key_slow_dec+0x16/0x60
 __hugetlb_vmemmap_restore_folio+0x1b9/0x200
 dissolve_free_huge_page+0x211/0x260
 __page_handle_poison+0x45/0xc0
 memory_failure+0x65e/0xc70
 hard_offline_page_store+0x55/0xa0
 kernfs_fop_write_iter+0x12c/0x1d0
 vfs_write+0x387/0x550
 ksys_write+0x64/0xe0
 do_syscall_64+0xca/0x1e0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fc862314887
Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887
RDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001
RBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c
R13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00

In short, below scene breaks the 
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26987

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27012
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: restore set elements when delete set fails

From abort path, nft_mapelem_activate() needs to restore refcounters to
the original state. Currently, it uses the set->ops->walk() to iterate
over these set elements. The existing set iterator skips inactive
elements in the next generation, this does not work from the abort path
to restore the original state since it has to skip active elements
instead (not inactive ones).

This patch moves the check for inactive elements to the set iterator
callback, then it reverses the logic for the .activate case which
needs to skip active elements.

Toggle next generation bit for elements when delete set command is
invoked and call nft_clear() from .activate (abort) path to restore the
next generation bit.

The splat below shows an object in mappings memleak:

[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS:  00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118]  <TASK>
[43929.458121]  ? __warn+0x9f/0x1a0
[43929.458127]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458188]  ? report_bug+0x1b1/0x1e0
[43929.458196]  ? handle_bug+0x3c/0x70
[43929.458200]  ? exc_invalid_op+0x17/0x40
[43929.458211]  ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]
[43929.458271]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458332]  nft_mapelem_deactivate+0x24/0x30 [nf_tables]
[43929.458392]  nft_rhash_walk+0xdd/0x180 [nf_tables]
[43929.458453]  ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]
[43929.458512]  ? rb_insert_color+0x2e/0x280
[43929.458520]  nft_map_deactivate+0xdc/0x1e0 [nf_tables]
[43929.458582]  ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]
[43929.458642]  ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]
[43929.458701]  ? __rcu_read_unlock+0x46/0x70
[43929.458709]  nft_delset+0xff/0x110 [nf_tables]
[43929.458769]  nft_flush_table+0x16f/0x460 [nf_tables]
[43929.458830]  nf_tables_deltable+0x501/0x580 [nf_tables]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27012

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27013
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tun: limit printing rate when illegal packet received by tun dev

vhost_worker will call tun call backs to receive packets. If too many
illegal packets arrives, tun_do_read will keep dumping packet contents.
When console is enabled, it will costs much more cpu time to dump
packet and soft lockup will be detected.

net_ratelimit mechanism can be used to limit the dumping rate.

PID: 33036    TASK: ffff949da6f20000  CPU: 23   COMMAND: "vhost-32980"
 #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253
 #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3
 #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e
 #3 [fffffe00003fced0] do_nmi at ffffffff8922660d
 #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663
    [exception RIP: io_serial_in+20]
    RIP: ffffffff89792594  RSP: ffffa655314979e8  RFLAGS: 00000002
    RAX: ffffffff89792500  RBX: ffffffff8af428a0  RCX: 0000000000000000
    RDX: 00000000000003fd  RSI: 0000000000000005  RDI: ffffffff8af428a0
    RBP: 0000000000002710   R8: 0000000000000004   R9: 000000000000000f
    R10: 0000000000000000  R11: ffffffff8acbf64f  R12: 0000000000000020
    R13: ffffffff8acbf698  R14: 0000000000000058  R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #5 [ffffa655314979e8] io_serial_in at ffffffff89792594
 #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470
 #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6
 #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605
 #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558
 #10 [ffffa65531497ac8] console_unlock at ffffffff89316124
 #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07
 #12 [ffffa65531497b68] printk at ffffffff89318306
 #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765
 #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]
 #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]
 #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]
 #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]
 #18 [ffffa65531497f10] kthread at ffffffff892d2e72
 #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27013

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27014
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Prevent deadlock while disabling aRFS

When disabling aRFS under the `priv->state_lock`, any scheduled
aRFS works are canceled using the `cancel_work_sync` function,
which waits for the work to end if it has already started.
However, while waiting for the work handler, the handler will
try to acquire the `state_lock` which is already acquired.

The worker acquires the lock to delete the rules if the state
is down, which is not the worker's responsibility since
disabling aRFS deletes the rules.

Add an aRFS state variable, which indicates whether the aRFS is
enabled and prevent adding rules when the aRFS is disabled.

Kernel log:

======================================================
WARNING: possible circular locking dependency detected
6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G          I
------------------------------------------------------
ethtool/386089 is trying to acquire lock:
ffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0

but task is already holding lock:
ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&priv->state_lock){+.+.}-{3:3}:
       __mutex_lock+0x80/0xc90
       arfs_handle_work+0x4b/0x3b0 [mlx5_core]
       process_one_work+0x1dc/0x4a0
       worker_thread+0x1bf/0x3c0
       kthread+0xd7/0x100
       ret_from_fork+0x2d/0x50
       ret_from_fork_asm+0x11/0x20

-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:
       __lock_acquire+0x17b4/0x2c80
       lock_acquire+0xd0/0x2b0
       __flush_work+0x7a/0x4e0
       __cancel_work_timer+0x131/0x1c0
       arfs_del_rules+0x143/0x1e0 [mlx5_core]
       mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]
       mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]
       ethnl_set_channels+0x28f/0x3b0
       ethnl_default_set_doit+0xec/0x240
       genl_family_rcv_msg_doit+0xd0/0x120
       genl_rcv_msg+0x188/0x2c0
       netlink_rcv_skb+0x54/0x100
       genl_rcv+0x24/0x40
       netlink_unicast+0x1a1/0x270
       netlink_sendmsg+0x214/0x460
       __sock_sendmsg+0x38/0x60
       __sys_sendto+0x113/0x170
       __x64_sys_sendto+0x20/0x30
       do_syscall_64+0x40/0xe0
       entry_SYSCALL_64_after_hwframe+0x46/0x4e

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&priv->state_lock);
                               lock((work_completion)(&rule->arfs_work));
                               lock(&priv->state_lock);
  lock((work_completion)(&rule->arfs_work));

 *** DEADLOCK ***

3 locks held by ethtool/386089:
 #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40
 #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240
 #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]

stack backtrace:
CPU: 15 PID: 386089 Comm: ethtool Tainted: G          I        6.7.0-rc4_net_next_mlx5_5483eb2 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x60/0xa0
 check_noncircular+0x144/0x160
 __lock_acquire+0x17b4/0x2c80
 lock_acquire+0xd0/0x2b0
 ? __flush_work+0x74/0x4e0
 ? save_trace+0x3e/0x360
 ? __flush_work+0x74/0x4e0
 __flush_work+0x7a/0x4e0
 ? __flush_work+0x74/0x4e0
 ? __lock_acquire+0xa78/0x2c80
 ? lock_acquire+0xd0/0x2b0
 ? mark_held_locks+0x49/0x70
 __cancel_work_timer+0x131/0x1c0
 ? mark_held_locks+0x49/0x70
 arfs_del_rules+0x143/0x1e0 [mlx5_core]
 mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]
 mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]
 ethnl_set_channels+0x28f/0x3b0
 ethnl_default_set_doit+0xec/0x240
 genl_family_rcv_msg_doit+0xd0/0x120
 genl_rcv_msg+0x188/0x2c0
 ? ethn
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27014

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27015
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable: incorrect pppoe tuple

pppoe traffic reaching ingress path does not match the flowtable entry
because the pppoe header is expected to be at the network header offset.
This bug causes a mismatch in the flow table lookup, so pppoe packets
enter the classical forwarding path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27015

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27016
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable: validate pppoe header

Ensure there is sufficient room to access the protocol field of the
PPPoe header. Validate it once before the flowtable lookup, then use a
helper function to access protocol field.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27016

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27017
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: walk over current view on netlink dump

The generation mask can be updated while netlink dump is in progress.
The pipapo set backend walk iterator cannot rely on it to infer what
view of the datastructure is to be used. Add notation to specify if user
wants to read/update the set.

Based on patch from Florian Westphal.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27017

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27018
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: skip conntrack input hook for promisc packets

For historical reasons, when bridge device is in promisc mode, packets
that are directed to the taps follow bridge input hook path. This patch
adds a workaround to reset conntrack for these packets.

Jianbo Liu reports warning splats in their test infrastructure where
cloned packets reach the br_netfilter input hook to confirm the
conntrack object.

Scratch one bit from BR_INPUT_SKB_CB to annotate that this packet has
reached the input hook because it is passed up to the bridge device to
reach the taps.

[   57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]
[   57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core
[   57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19
[   57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[   57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]
[   57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1
[   57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202
[   57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000
[   57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000
[   57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003
[   57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000
[   57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800
[   57.582313] FS:  0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000
[   57.583040] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0
[   57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[   57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[   57.585440] Call Trace:
[   57.585721]  <IRQ>
[   57.585976]  ? __warn+0x7d/0x130
[   57.586323]  ? br_nf_local_in+0x157/0x180 [br_netfilter]
[   57.586811]  ? report_bug+0xf1/0x1c0
[   57.587177]  ? handle_bug+0x3f/0x70
[   57.587539]  ? exc_invalid_op+0x13/0x60
[   57.587929]  ? asm_exc_invalid_op+0x16/0x20
[   57.588336]  ? br_nf_local_in+0x157/0x180 [br_netfilter]
[   57.588825]  nf_hook_slow+0x3d/0xd0
[   57.589188]  ? br_handle_vlan+0x4b/0x110
[   57.589579]  br_pass_frame_up+0xfc/0x150
[   57.589970]  ? br_port_flags_change+0x40/0x40
[   57.590396]  br_handle_frame_finish+0x346/0x5e0
[   57.590837]  ? ipt_do_table+0x32e/0x430
[   57.591221]  ? br_handle_local_finish+0x20/0x20
[   57.591656]  br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]
[   57.592286]  ? br_handle_local_finish+0x20/0x20
[   57.592802]  br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]
[   57.593348]  ? br_handle_local_finish+0x20/0x20
[   57.593782]  ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]
[   57.594279]  br_nf_pre_routing+0x24c/0x550 [br_netfilter]
[   57.594780]  ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]
[   57.595280]  br_handle_frame+0x1f3/0x3d0
[   57.595676]  ? br_handle_local_finish+0x20/0x20
[   57.596118]  ? br_handle_frame_finish+0x5e0/0x5e0
[   57.596566]  __netif_receive_skb_core+0x25b/0xfc0
[   57.597017]  ? __napi_build_skb+0x37/0x40
[   57.597418]  __netif_receive_skb_list_core+0xfb/0x220
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27018

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27019
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()

nft_unregister_obj() can concurrent with __nft_obj_type_get(),
and there is not any protection when iterate over nf_tables_objects
list in __nft_obj_type_get(). Therefore, there is potential data-race
of nf_tables_objects list entry.

Use list_for_each_entry_rcu() to iterate over nf_tables_objects
list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
nft_obj_type_get() to protect the entire type query process.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27019

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27020
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()

nft_unregister_expr() can concurrent with __nft_expr_type_get(),
and there is not any protection when iterate over nf_tables_expressions
list in __nft_expr_type_get(). Therefore, there is potential data-race
of nf_tables_expressions list entry.

Use list_for_each_entry_rcu() to iterate over nf_tables_expressions
list in __nft_expr_type_get(), and use rcu_read_lock() in the caller
nft_expr_type_get() to protect the entire type query process.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27020

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27021
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

r8169: fix LED-related deadlock on module removal

Binding devm_led_classdev_register() to the netdev is problematic
because on module removal we get a RTNL-related deadlock. Fix this
by avoiding the device-managed LED functions.

Note: We can safely call led_classdev_unregister() for a LED even
if registering it failed, because led_classdev_unregister() detects
this and is a no-op in this case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27021

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-27022
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fork: defer linking file vma until vma is fully initialized

Thorvald reported a WARNING [1]. And the root cause is below race:

 CPU 1					CPU 2
 fork					hugetlbfs_fallocate
  dup_mmap				 hugetlbfs_punch_hole
   i_mmap_lock_write(mapping);
   vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.
   i_mmap_unlock_write(mapping);
   hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!
					 i_mmap_lock_write(mapping);
   					 hugetlb_vmdelete_list
					  vma_interval_tree_foreach
					   hugetlb_vma_trylock_write -- Vma_lock is cleared.
   tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem!
					   hugetlb_vma_unlock_write -- Vma_lock is assigned!!!
					 i_mmap_unlock_write(mapping);

hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside
i_mmap_rwsem lock while vma lock can be used in the same time.  Fix this
by deferring linking file vma until vma is fully initialized.  Those vmas
should be initialized first before they can be used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-27022

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-35972
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init()

If ulp = kzalloc() fails, the allocated edev will leak because it is
not properly assigned and the cleanup path will not be able to free it.
Fix it by assigning it properly immediately after allocation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35972

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-35978
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix memory leak in hci_req_sync_complete()

In 'hci_req_sync_complete()', always free the previous sync
request state before assigning reference to a new one.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35978

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-35982
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

batman-adv: Avoid infinite loop trying to resize local TT

If the MTU of one of an attached interface becomes too small to transmit
the local translation table then it must be resized to fit inside all
fragments (when enabled) or a single packet.

But if the MTU becomes too low to transmit even the header + the VLAN
specific part then the resizing of the local TT will never succeed. This
can for example happen when the usable space is 110 bytes and 11 VLANs are
on top of batman-adv. In this case, at least 116 byte would be needed.
There will just be an endless spam of

   batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)

in the log but the function will never finish. Problem here is that the
timeout will be halved all the time and will then stagnate at 0 and
therefore never be able to reduce the table even more.

There are other scenarios possible with a similar result. The number of
BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too
high to fit inside a packet. Such a scenario can therefore happen also with
only a single VLAN + 7 non-purgable addresses - requiring at least 120
bytes.

While this should be handled proactively when:

* interface with too low MTU is added
* VLAN is added
* non-purgeable local mac is added
* MTU of an attached interface is reduced
* fragmentation setting gets disabled (which most likely requires dropping
  attached interfaces)

not all of these scenarios can be prevented because batman-adv is only
consuming events without the the possibility to prevent these actions
(non-purgable MAC address added, MTU of an attached interface is reduced).
It is therefore necessary to also make sure that the code is able to handle
also the situations when there were already incompatible system
configuration are present.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35982

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-35984
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i2c: smbus: fix NULL function pointer dereference

Baruch reported an OOPS when using the designware controller as target
only. Target-only modes break the assumption of one transfer function
always being available. Fix this by always checking the pointer in
__i2c_transfer.

[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35984

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-35990
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dma: xilinx_dpdma: Fix locking

There are several places where either chan->lock or chan->vchan.lock was
not held. Add appropriate locking. This fixes lockdep warnings like

[   31.077578] ------------[ cut here ]------------
[   31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0
[   31.077953] Modules linked in:
[   31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98
[   31.078102] Hardware name: xlnx,zynqmp (DT)
[   31.078169] Workqueue: events_unbound deferred_probe_work_func
[   31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0
[   31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0
[   31.078550] sp : ffffffc083bb2e10
[   31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168
[   31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480
[   31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000
[   31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000
[   31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[   31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001
[   31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def
[   31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516
[   31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff
[   31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000
[   31.080307] Call trace:
[   31.080340]  xilinx_dpdma_chan_queue_transfer+0x274/0x5e0
[   31.080518]  xilinx_dpdma_issue_pending+0x11c/0x120
[   31.080595]  zynqmp_disp_layer_update+0x180/0x3ac
[   31.080712]  zynqmp_dpsub_plane_atomic_update+0x11c/0x21c
[   31.080825]  drm_atomic_helper_commit_planes+0x20c/0x684
[   31.080951]  drm_atomic_helper_commit_tail+0x5c/0xb0
[   31.081139]  commit_tail+0x234/0x294
[   31.081246]  drm_atomic_helper_commit+0x1f8/0x210
[   31.081363]  drm_atomic_commit+0x100/0x140
[   31.081477]  drm_client_modeset_commit_atomic+0x318/0x384
[   31.081634]  drm_client_modeset_commit_locked+0x8c/0x24c
[   31.081725]  drm_client_modeset_commit+0x34/0x5c
[   31.081812]  __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168
[   31.081899]  drm_fb_helper_set_par+0x50/0x70
[   31.081971]  fbcon_init+0x538/0xc48
[   31.082047]  visual_init+0x16c/0x23c
[   31.082207]  do_bind_con_driver.isra.0+0x2d0/0x634
[   31.082320]  do_take_over_console+0x24c/0x33c
[   31.082429]  do_fbcon_takeover+0xbc/0x1b0
[   31.082503]  fbcon_fb_registered+0x2d0/0x34c
[   31.082663]  register_framebuffer+0x27c/0x38c
[   31.082767]  __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c
[   31.082939]  drm_fb_helper_initial_config+0x50/0x74
[   31.083012]  drm_fbdev_dma_client_hotplug+0xb8/0x108
[   31.083115]  drm_client_register+0xa0/0xf4
[   31.083195]  drm_fbdev_dma_setup+0xb0/0x1cc
[   31.083293]  zynqmp_dpsub_drm_init+0x45c/0x4e0
[   31.083431]  zynqmp_dpsub_probe+0x444/0x5e0
[   31.083616]  platform_probe+0x8c/0x13c
[   31.083713]  really_probe+0x258/0x59c
[   31.083793]  __driver_probe_device+0xc4/0x224
[   31.083878]  driver_probe_device+0x70/0x1c0
[   31.083961]  __device_attach_driver+0x108/0x1e0
[   31.084052]  bus_for_each_drv+0x9c/0x100
[   31.084125]  __device_attach+0x100/0x298
[   31.084207]  device_initial_probe+0x14/0x20
[   31.084292]  bus_probe_device+0xd8/0xdc
[   31.084368]  deferred_probe_work_func+0x11c/0x180
[   31.084451]  process_one_work+0x3ac/0x988
[   31.084643]  worker_thread+0x398/0x694
[   31.084752]  kthread+0x1bc/0x1c0
[   31.084848]  ret_from_fork+0x10/0x20
[   31.084932] irq event stamp: 64549
[   31.084970] hardirqs last  enabled at (64548): [<ffffffc081adf35c>] _raw_spin_unlock_irqrestore+0x80/0x90
[   31.085157]
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35990

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-35992
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

phy: marvell: a3700-comphy: Fix out of bounds read

There is an out of bounds read access of 'gbe_phy_init_fix[fix_idx].addr'
every iteration after 'fix_idx' reaches 'ARRAY_SIZE(gbe_phy_init_fix)'.

Make sure 'gbe_phy_init[addr]' is used when all elements of
'gbe_phy_init_fix' array are handled.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35992

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-35997
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up

The flag I2C_HID_READ_PENDING is used to serialize I2C operations.
However, this is not necessary, because I2C core already has its own
locking for that.

More importantly, this flag can cause a lock-up: if the flag is set in
i2c_hid_xfer() and an interrupt happens, the interrupt handler
(i2c_hid_irq) will check this flag and return immediately without doing
anything, then the interrupt handler will be invoked again in an
infinite loop.

Since interrupt handler is an RT task, it takes over the CPU and the
flag-clearing task never gets scheduled, thus we have a lock-up.

Delete this unnecessary flag.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36008
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv4: check for NULL idev in ip_route_use_hint()

syzbot was able to trigger a NULL deref in fib_validate_source()
in an old tree [1].

It appears the bug exists in latest trees.

All calls to __in_dev_get_rcu() must be checked for a NULL result.

[1]
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
 RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425
Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf
RSP: 0018:ffffc900015fee40 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0
RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0
RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000
R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000
FS:  00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231
  ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327
  ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]
  ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638
  ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673
  __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]
  __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620
  __netif_receive_skb_list net/core/dev.c:5672 [inline]
  netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764
  netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816
  xdp_recv_frames net/bpf/test_run.c:257 [inline]
  xdp_test_run_batch net/bpf/test_run.c:335 [inline]
  bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363
  bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376
  bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736
  __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115
  __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]
  __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]
  __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36008

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36023
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Julia Lawall reported this null pointer dereference, this should fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36023

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36270
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: tproxy: bail out if IP has been disabled on the device

syzbot reports:
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
[..]
RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62
Call Trace:
 nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]
 nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168

__in_dev_get_rcu() can return NULL, so check for this.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36270

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36281
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules

rx_create no longer allocates a modify_hdr instance that needs to be
cleaned up. The mlx5_modify_header_dealloc call will lead to a NULL pointer
dereference. A leak in the rules also previously occurred since there are
now two rules populated related to status.

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 109907067 P4D 109907067 PUD 116890067 PMD 0
  Oops: 0000 [#1] SMP
  CPU: 1 PID: 484 Comm: ip Not tainted 6.9.0-rc2-rrameshbabu+ #254
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.3-1-1 04/01/2014
  RIP: 0010:mlx5_modify_header_dealloc+0xd/0x70
  <snip>
  Call Trace:
   <TASK>
   ? show_regs+0x60/0x70
   ? __die+0x24/0x70
   ? page_fault_oops+0x15f/0x430
   ? free_to_partial_list.constprop.0+0x79/0x150
   ? do_user_addr_fault+0x2c9/0x5c0
   ? exc_page_fault+0x63/0x110
   ? asm_exc_page_fault+0x27/0x30
   ? mlx5_modify_header_dealloc+0xd/0x70
   rx_create+0x374/0x590
   rx_add_rule+0x3ad/0x500
   ? rx_add_rule+0x3ad/0x500
   ? mlx5_cmd_exec+0x2c/0x40
   ? mlx5_create_ipsec_obj+0xd6/0x200
   mlx5e_accel_ipsec_fs_add_rule+0x31/0xf0
   mlx5e_xfrm_add_state+0x426/0xc00
  <snip>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36281

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36288
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix loop termination condition in gss_free_in_token_pages()

The in_token->pages[] array is not NULL terminated. This results in
the following KASAN splat:

  KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36288

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36477
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer

The TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the
maximum transfer length and the size of the transfer buffer. As such, it
does not account for the 4 bytes of header that prepends the SPI data
frame. This can result in out-of-bounds accesses and was confirmed with
KASAN.

Introduce SPI_HDRSIZE to account for the header and use to allocate the
transfer buffer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36477

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36478
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'

Writing 'power' and 'submit_queues' concurrently will trigger kernel
panic:

Test script:

modprobe null_blk nr_devices=0
mkdir -p /sys/kernel/config/nullb/nullb0
while true; do echo 1 > submit_queues; echo 4 > submit_queues; done &
while true; do echo 1 > power; echo 0 > power; done

Test result:

BUG: kernel NULL pointer dereference, address: 0000000000000148
Oops: 0000 [#1] PREEMPT SMP
RIP: 0010:__lock_acquire+0x41d/0x28f0
Call Trace:
 <TASK>
 lock_acquire+0x121/0x450
 down_write+0x5f/0x1d0
 simple_recursive_removal+0x12f/0x5c0
 blk_mq_debugfs_unregister_hctxs+0x7c/0x100
 blk_mq_update_nr_hw_queues+0x4a3/0x720
 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
 nullb_device_submit_queues_store+0x79/0xf0 [null_blk]
 configfs_write_iter+0x119/0x1e0
 vfs_write+0x326/0x730
 ksys_write+0x74/0x150

This is because del_gendisk() can concurrent with
blk_mq_update_nr_hw_queues():

nullb_device_power_store	nullb_apply_submit_queues
 null_del_dev
 del_gendisk
				 nullb_update_nr_hw_queues
				  if (!dev->nullb)
				  // still set while gendisk is deleted
				   return 0
				  blk_mq_update_nr_hw_queues
 dev->nullb = NULL

Fix this problem by resuing the global mutex to protect
nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36478

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36481
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing/probes: fix error check in parse_btf_field()

btf_find_struct_member() might return NULL or an error via the
ERR_PTR() macro. However, its caller in parse_btf_field() only checks
for the NULL condition. Fix this by using IS_ERR() and returning the
error up the stack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36481

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36489
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tls: fix missing memory barrier in tls_init

In tls_init(), a write memory barrier is missing, and store-store
reordering may cause NULL dereference in tls_{setsockopt,getsockopt}.

CPU0                               CPU1
-----                              -----
// In tls_init()
// In tls_ctx_create()
ctx = kzalloc()
ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)

// In update_sk_prot()
WRITE_ONCE(sk->sk_prot, tls_prots)     -(2)

                                   // In sock_common_setsockopt()
                                   READ_ONCE(sk->sk_prot)->setsockopt()

                                   // In tls_{setsockopt,getsockopt}()
                                   ctx->sk_proto->setsockopt()    -(3)

In the above scenario, when (1) and (2) are reordered, (3) can observe
the NULL value of ctx->sk_proto, causing NULL dereference.

To fix it, we rely on rcu_assign_pointer() which implies the release
barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is
initialized, we can ensure that ctx->sk_proto are visible when
changing sk->sk_prot.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36489

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36884
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault()

This was missed because of the function pointer indirection.

nvidia_smmu_context_fault() is also installed as a irq function, and the
'void *' was changed to a struct arm_smmu_domain. Since the iommu_domain
is embedded at a non-zero offset this causes nvidia_smmu_context_fault()
to miscompute the offset. Fixup the types.

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000120
  Mem abort info:
    ESR = 0x0000000096000004
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x04: level 0 translation fault
  Data abort info:
    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107c9f000
  [0000000000000120] pgd=0000000000000000, p4d=0000000000000000
  Internal error: Oops: 0000000096000004 [#1] SMP
  Modules linked in:
  CPU: 1 PID: 47 Comm: kworker/u25:0 Not tainted 6.9.0-0.rc7.58.eln136.aarch64 #1
  Hardware name: Unknown NVIDIA Jetson Orin NX/NVIDIA Jetson Orin NX, BIOS 3.1-32827747 03/19/2023
  Workqueue: events_unbound deferred_probe_work_func
  pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : nvidia_smmu_context_fault+0x1c/0x158
  lr : __free_irq+0x1d4/0x2e8
  sp : ffff80008044b6f0
  x29: ffff80008044b6f0 x28: ffff000080a60b18 x27: ffffd32b5172e970
  x26: 0000000000000000 x25: ffff0000802f5aac x24: ffff0000802f5a30
  x23: ffff0000802f5b60 x22: 0000000000000057 x21: 0000000000000000
  x20: ffff0000802f5a00 x19: ffff000087d4cd80 x18: ffffffffffffffff
  x17: 6234362066666666 x16: 6630303078302d30 x15: ffff00008156d888
  x14: 0000000000000000 x13: ffff0000801db910 x12: ffff00008156d6d0
  x11: 0000000000000003 x10: ffff0000801db918 x9 : ffffd32b50f94d9c
  x8 : 1fffe0001032fda1 x7 : ffff00008197ed00 x6 : 000000000000000f
  x5 : 000000000000010e x4 : 000000000000010e x3 : 0000000000000000
  x2 : ffffd32b51720cd8 x1 : ffff000087e6f700 x0 : 0000000000000057
  Call trace:
   nvidia_smmu_context_fault+0x1c/0x158
   __free_irq+0x1d4/0x2e8
   free_irq+0x3c/0x80
   devm_free_irq+0x64/0xa8
   arm_smmu_domain_free+0xc4/0x158
   iommu_domain_free+0x44/0xa0
   iommu_deinit_device+0xd0/0xf8
   __iommu_group_remove_device+0xcc/0xe0
   iommu_bus_notifier+0x64/0xa8
   notifier_call_chain+0x78/0x148
   blocking_notifier_call_chain+0x4c/0x90
   bus_notify+0x44/0x70
   device_del+0x264/0x3e8
   pci_remove_bus_device+0x84/0x120
   pci_remove_root_bus+0x5c/0xc0
   dw_pcie_host_deinit+0x38/0xe0
   tegra_pcie_config_rp+0xc0/0x1f0
   tegra_pcie_dw_probe+0x34c/0x700
   platform_probe+0x70/0xe8
   really_probe+0xc8/0x3a0
   __driver_probe_device+0x84/0x160
   driver_probe_device+0x44/0x130
   __device_attach_driver+0xc4/0x170
   bus_for_each_drv+0x90/0x100
   __device_attach+0xa8/0x1c8
   device_initial_probe+0x1c/0x30
   bus_probe_device+0xb0/0xc0
   deferred_probe_work_func+0xbc/0x120
   process_one_work+0x194/0x490
   worker_thread+0x284/0x3b0
   kthread+0xf4/0x108
   ret_from_fork+0x10/0x20
  Code: a9b97bfd 910003fd a9025bf5 f85a0035 (b94122a1)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36891
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

maple_tree: fix mas_empty_area_rev() null pointer dereference

Currently the code calls mas_start() followed by mas_data_end() if the
maple state is MA_START, but mas_start() may return with the maple state
node == NULL.  This will lead to a null pointer dereference when checking
information in the NULL node, which is done in mas_data_end().

Avoid setting the offset if there is no node by waiting until after the
maple state is checked for an empty or single entry state.

A user could trigger the events to cause a kernel oops by unmapping all
vmas to produce an empty maple tree, then mapping a vma that would cause
the scenario described above.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36891

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36893
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: Check for port partner validity before consuming it

typec_register_partner() does not guarantee partner registration
to always succeed. In the event of failure, port->partner is set
to the error value or NULL. Given that port->partner validity is
not checked, this results in the following crash:

Unable to handle kernel NULL pointer dereference at virtual address xx
 pc : run_state_machine+0x1bc8/0x1c08
 lr : run_state_machine+0x1b90/0x1c08
..
 Call trace:
   run_state_machine+0x1bc8/0x1c08
   tcpm_state_machine_work+0x94/0xe4
   kthread_worker_fn+0x118/0x328
   kthread+0x1d0/0x23c
   ret_from_fork+0x10/0x20

To prevent the crash, check for port->partner validity before
derefencing it in all the call sites.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36893

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36897
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Atom Integrated System Info v2_2 for DCN35

New request from KMD/VBIOS in order to support new UMA carveout
model. This fixes a null dereference from accessing
Ctx->dc_bios->integrated_info while it was NULL.

DAL parses through the BIOS and extracts the necessary
integrated_info but was missing a case for the new BIOS
version 2.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36897

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36901
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent NULL dereference in ip6_output()

According to syzbot, there is a chance that ip6_dst_idev()
returns NULL in ip6_output(). Most places in IPv6 stack
deal with a NULL idev just fine, but not here.

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000
RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48
RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad
R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0
R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000
FS:  00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
  sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248
  sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653
  sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783
  sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
  sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212
  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
  sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169
  sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73
  __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234
  sctp_connect net/sctp/socket.c:4819 [inline]
  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834
  __sys_connect_file net/socket.c:2048 [inline]
  __sys_connect+0x2df/0x310 net/socket.c:2065
  __do_sys_connect net/socket.c:2075 [inline]
  __se_sys_connect net/socket.c:2072 [inline]
  __x64_sys_connect+0x7a/0x90 net/socket.c:2072
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36901

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36902
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()

syzbot is able to trigger the following crash [1],
caused by unsafe ip6_dst_idev() use.

Indeed ip6_dst_idev() can return NULL, and must always be checked.

[1]

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
 RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]
 RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267
Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c
RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700
RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760
RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd
R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000
R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00
FS:  00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317
  fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108
  ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]
  ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649
  ip6_route_output include/net/ip6_route.h:93 [inline]
  ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120
  ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250
  sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326
  sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455
  sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662
  sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099
  __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197
  sctp_connect net/sctp/socket.c:4819 [inline]
  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834
  __sys_connect_file net/socket.c:2048 [inline]
  __sys_connect+0x2df/0x310 net/socket.c:2065
  __do_sys_connect net/socket.c:2075 [inline]
  __se_sys_connect net/socket.c:2072 [inline]
  __x64_sys_connect+0x7a/0x90 net/socket.c:2072
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36902

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36925
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y

Using restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunction
with dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y) leads to the following
crash when initialising the restricted pools at boot-time:

  | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
  | Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
  | pc : rmem_swiotlb_device_init+0xfc/0x1ec
  | lr : rmem_swiotlb_device_init+0xf0/0x1ec
  | Call trace:
  |  rmem_swiotlb_device_init+0xfc/0x1ec
  |  of_reserved_mem_device_init_by_idx+0x18c/0x238
  |  of_dma_configure_id+0x31c/0x33c
  |  platform_dma_configure+0x34/0x80

faddr2line reveals that the crash is in the list validation code:

  include/linux/list.h:83
  include/linux/rculist.h:79
  include/linux/rculist.h:106
  kernel/dma/swiotlb.c:306
  kernel/dma/swiotlb.c:1695

because add_mem_pool() is trying to list_add_rcu() to a NULL
'mem->pools'.

Fix the crash by initialising the 'mem->pools' list_head in
rmem_swiotlb_device_init() before calling add_mem_pool().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36925

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36926
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/iommu: LPAR panics during boot up with a frozen PE

At the time of LPAR boot up, partition firmware provides Open Firmware
property ibm,dma-window for the PE. This property is provided on the PCI
bus the PE is attached to.

There are execptions where the partition firmware might not provide this
property for the PE at the time of LPAR boot up. One of the scenario is
where the firmware has frozen the PE due to some error condition. This
PE is frozen for 24 hours or unless the whole system is reinitialized.

Within this time frame, if the LPAR is booted, the frozen PE will be
presented to the LPAR but ibm,dma-window property could be missing.

Today, under these circumstances, the LPAR oopses with NULL pointer
dereference, when configuring the PCI bus the PE is attached to.

  BUG: Kernel NULL pointer dereference on read at 0x000000c8
  Faulting instruction address: 0xc0000000001024c0
  Oops: Kernel access of bad area, sig: 7 [#1]
  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
  Modules linked in:
  Supported: Yes
  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.4.0-150600.9-default #1
  Hardware name: IBM,9043-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_023) hv:phyp pSeries
  NIP:  c0000000001024c0 LR: c0000000001024b0 CTR: c000000000102450
  REGS: c0000000037db5c0 TRAP: 0300   Not tainted  (6.4.0-150600.9-default)
  MSR:  8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 28000822  XER: 00000000
  CFAR: c00000000010254c DAR: 00000000000000c8 DSISR: 00080000 IRQMASK: 0
  ...
  NIP [c0000000001024c0] pci_dma_bus_setup_pSeriesLP+0x70/0x2a0
  LR [c0000000001024b0] pci_dma_bus_setup_pSeriesLP+0x60/0x2a0
  Call Trace:
    pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 (unreliable)
    pcibios_setup_bus_self+0x1c0/0x370
    __of_scan_bus+0x2f8/0x330
    pcibios_scan_phb+0x280/0x3d0
    pcibios_init+0x88/0x12c
    do_one_initcall+0x60/0x320
    kernel_init_freeable+0x344/0x3e4
    kernel_init+0x34/0x1d0
    ret_from_kernel_user_thread+0x14/0x1c
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36926

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36930
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: fix null pointer dereference within spi_sync

If spi_sync() is called with the non-empty queue and the same spi_message
is then reused, the complete callback for the message remains set while
the context is cleared, leading to a null pointer dereference when the
callback is invoked from spi_finalize_current_message().

With function inlining disabled, the call stack might look like this:

  _raw_spin_lock_irqsave from complete_with_flags+0x18/0x58
  complete_with_flags from spi_complete+0x8/0xc
  spi_complete from spi_finalize_current_message+0xec/0x184
  spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474
  spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230
  __spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4
  __spi_transfer_message_noqueue from __spi_sync+0x204/0x248
  __spi_sync from spi_sync+0x24/0x3c
  spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd]
  mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154
  _regmap_raw_read from _regmap_bus_read+0x44/0x70
  _regmap_bus_read from _regmap_read+0x60/0xd8
  _regmap_read from regmap_read+0x3c/0x5c
  regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd]
  mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd]
  mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78
  irq_thread_fn from irq_thread+0x118/0x1f4
  irq_thread from kthread+0xd8/0xf4
  kthread from ret_from_fork+0x14/0x28

Fix this by also setting message->complete to NULL when the transfer is
complete.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36930

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36932
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal/debugfs: Prevent use-after-free from occurring after cdev removal

Since thermal_debug_cdev_remove() does not run under cdev->lock, it can
run in parallel with thermal_debug_cdev_state_update() and it may free
the struct thermal_debugfs object used by the latter after it has been
checked against NULL.

If that happens, thermal_debug_cdev_state_update() will access memory
that has been freed already causing the kernel to crash.

Address this by using cdev->lock in thermal_debug_cdev_remove() around
the cdev->debugfs value check (in case the same cdev is removed at the
same time in two different threads) and its reset to NULL.

Cc :6.8+ <stable@vger.kernel.org> # 6.8+
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36938
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue

Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which
syzbot reported [1].

[1]
BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue

write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:
 sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]
 sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843
 sk_psock_put include/linux/skmsg.h:459 [inline]
 sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648
 unix_release+0x4b/0x80 net/unix/af_unix.c:1048
 __sock_release net/socket.c:659 [inline]
 sock_close+0x68/0x150 net/socket.c:1421
 __fput+0x2c1/0x660 fs/file_table.c:422
 __fput_sync+0x44/0x60 fs/file_table.c:507
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close+0x101/0x1b0 fs/open.c:1541
 __x64_sys_close+0x1f/0x30 fs/open.c:1541
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:
 sk_psock_data_ready include/linux/skmsg.h:464 [inline]
 sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555
 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606
 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]
 sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202
 unix_read_skb net/unix/af_unix.c:2546 [inline]
 unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682
 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223
 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x140/0x180 net/socket.c:745
 ____sys_sendmsg+0x312/0x410 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x1e9/0x280 net/socket.c:2667
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

value changed: 0xffffffff83d7feb0 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G        W          6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer
dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer
similarly due to no protection of saved_data_ready. Here is another
different caller causing the same issue because of the same reason. So
we should protect it with sk_callback_lock read lock because the writer
side in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);".

To avoid errors that could happen in future, I move those two pairs of
lock into the sk_psock_data_ready(), which is suggested by John Fastabend.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36938

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36965
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

remoteproc: mediatek: Make sure IPI buffer fits in L2TCM

The IPI buffer location is read from the firmware that we load to the
System Companion Processor, and it's not granted that both the SRAM
(L2TCM) size that is defined in the devicetree node is large enough
for that, and while this is especially true for multi-core SCP, it's
still useful to check on single-core variants as well.

Failing to perform this check may make this driver perform R/W
operations out of the L2TCM boundary, resulting (at best) in a
kernel panic.

To fix that, check that the IPI buffer fits, otherwise return a
failure and refuse to boot the relevant SCP core (or the SCP at
all, if this is single core).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36965

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36967
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KEYS: trusted: Fix memory leak in tpm2_key_encode()

'scratch' is never freed. Fix this by calling kfree() in the success, and
in the error case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36967

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36968
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()

l2cap_le_flowctl_init() can cause both div-by-zero and an integer
overflow since hdev->le_mtu may not fall in the valid range.

Move MTU from hci_dev to hci_conn to validate MTU and stop the connection
process earlier if MTU is invalid.
Also, add a missing validation in read_buffer_size() and make it return
an error value if the validation fails.
Now hci_conn_add() returns ERR_PTR() as it can fail due to the both a
kzalloc failure and invalid MTU value.

divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G        W          6.9.0-rc5+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci0 hci_rx_work
RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547
Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c
89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d
b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42
RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246
RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f
RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa
R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084
R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000
FS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]
 l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]
 l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]
 l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809
 l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506
 hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]
 hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335
 worker_thread+0x926/0xe70 kernel/workqueue.c:3416
 kthread+0x2e3/0x380 kernel/kthread.c:388
 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36968

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36969
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix division by zero in setup_dsc_config

When slice_height is 0, the division by slice_height in the calculation
of the number of slices will cause a division by zero driver crash. This
leaves the kernel in a state that requires a reboot. This patch adds a
check to avoid the division by zero.

The stack trace below is for the 6.8.4 Kernel. I reproduced the issue on
a Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor
connected via Thunderbolt. The amdgpu driver crashed with this exception
when I rebooted the system with the monitor connected.

kernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)
kernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)
kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu
kernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)
kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu
kernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))
kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu
kernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)
kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu
kernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu

After applying this patch, the driver no longer crashes when the monitor
is connected and the system is rebooted. I believe this is the same
issue reported for 3113.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36969

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36971
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: fix __dst_negative_advice() race

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36971

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36976
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Revert "media: v4l2-ctrls: show all owned controls in log_status"

This reverts commit 9801b5b28c6929139d6fceeee8d739cc67bb2739.

This patch introduced a potential deadlock scenario:

[Wed May  8 10:02:06 2024]  Possible unsafe locking scenario:

[Wed May  8 10:02:06 2024]        CPU0                    CPU1
[Wed May  8 10:02:06 2024]        ----                    ----
[Wed May  8 10:02:06 2024]   lock(vivid_ctrls:1620:(hdl_vid_cap)->_lock);
[Wed May  8 10:02:06 2024]                                lock(vivid_ctrls:1608:(hdl_user_vid)->_lock);
[Wed May  8 10:02:06 2024]                                lock(vivid_ctrls:1620:(hdl_vid_cap)->_lock);
[Wed May  8 10:02:06 2024]   lock(vivid_ctrls:1608:(hdl_user_vid)->_lock);

For now just revert.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36976

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36978
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

q->bands will be assigned to qopt->bands to execute subsequent code logic
after kmalloc. So the old q->bands should not be used in kmalloc.
Otherwise, an out-of-bounds write will occur.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36978

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-36979
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: bridge: mst: fix vlan use-after-free

syzbot reported a suspicious rcu usage[1] in bridge's mst code. While
fixing it I noticed that nothing prevents a vlan to be freed while
walking the list from the same path (br forward delay timer). Fix the rcu
usage and also make sure we are not accessing freed memory by making
br_mst_vlan_set_state use rcu read lock.

[1]
 WARNING: suspicious RCU usage
 6.9.0-rc6-syzkaller #0 Not tainted
 -----------------------------
 net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!
 ...
 stack backtrace:
 CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
 Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
  lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
  nbp_vlan_group net/bridge/br_private.h:1599 [inline]
  br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105
  br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47
  br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88
  call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793
  expire_timers kernel/time/timer.c:1844 [inline]
  __run_timers kernel/time/timer.c:2418 [inline]
  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429
  run_timer_base kernel/time/timer.c:2438 [inline]
  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448
  __do_softirq+0x2c6/0x980 kernel/softirq.c:554
  invoke_softirq kernel/softirq.c:428 [inline]
  __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
  irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
  </IRQ>
  <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
 RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758
 Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
 RSP: 0018:ffffc90013657100 EFLAGS: 00000206
 RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001
 RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60
 RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0
 R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28
 R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36979

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38381
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: Fix uninit-value in nci_rx_work

syzbot reported the following uninit-value access issue [1]

nci_rx_work() parses received packet from ndev->rx_q. It should be
validated header size, payload size and total packet size before
processing the packet. If an invalid packet is detected, it should be
silently discarded.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38381

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38385
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()

irq_find_at_or_after() dereferences the interrupt descriptor which is
returned by mt_find() while neither holding sparse_irq_lock nor RCU read
lock, which means the descriptor can be freed between mt_find() and the
dereference:

    CPU0                            CPU1
    desc = mt_find()
                                    delayed_free_desc(desc)
    irq_desc_get_irq(desc)

The use-after-free is reported by KASAN:

    Call trace:
     irq_get_next_irq+0x58/0x84
     show_stat+0x638/0x824
     seq_read_iter+0x158/0x4ec
     proc_reg_read_iter+0x94/0x12c
     vfs_read+0x1e0/0x2c8

    Freed by task 4471:
     slab_free_freelist_hook+0x174/0x1e0
     __kmem_cache_free+0xa4/0x1dc
     kfree+0x64/0x128
     irq_kobj_release+0x28/0x3c
     kobject_put+0xcc/0x1e0
     delayed_free_desc+0x14/0x2c
     rcu_do_batch+0x214/0x720

Guard the access with a RCU read lock section.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38385

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38390
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails

Calling a6xx_destroy() before adreno_gpu_init() leads to a null pointer
dereference on:

msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);

as gpu->pdev is only assigned in:

a6xx_gpu_init()
|_ adreno_gpu_init
    |_ msm_gpu_init()

Instead of relying on handwavy null checks down the cleanup chain,
explicitly de-allocate the LLC data and free a6xx_gpu instead.

Patchwork: https://patchwork.freedesktop.org/patch/588919/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38390

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38538
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: bridge: xmit: make sure we have at least eth header len bytes

syzbot triggered an uninit value[1] error in bridge device's xmit path
by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
we can actually pull that amount instead of assuming.

Tested with dropwatch:
 drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
 origin: software
 timestamp: Mon May 13 11:31:53 2024 778214037 nsec
 protocol: 0x88a8
 length: 2
 original length: 2
 drop reason: PKT_TOO_SMALL

[1]
BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
 __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 netdev_start_xmit include/linux/netdevice.h:4917 [inline]
 xmit_one net/core/dev.c:3531 [inline]
 dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 __bpf_tx_skb net/core/filter.c:2136 [inline]
 __bpf_redirect_common net/core/filter.c:2180 [inline]
 __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
 ____bpf_clone_redirect net/core/filter.c:2460 [inline]
 bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
 __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38538

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38539
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw

When running blktests nvme/rdma, the following kmemleak issue will appear.

kmemleak: Kernel memory leak detector initialized (mempool available:36041)
kmemleak: Automatic memory scanning thread started
kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
kmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
kmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)

unreferenced object 0xffff88855da53400 (size 192):
  comm "rdma", pid 10630, jiffies 4296575922
  hex dump (first 32 bytes):
    37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00  7...............
    10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff  .4.].....4.]....
  backtrace (crc 47f66721):
    [<ffffffff911251bd>] kmalloc_trace+0x30d/0x3b0
    [<ffffffffc2640ff7>] alloc_gid_entry+0x47/0x380 [ib_core]
    [<ffffffffc2642206>] add_modify_gid+0x166/0x930 [ib_core]
    [<ffffffffc2643468>] ib_cache_update.part.0+0x6d8/0x910 [ib_core]
    [<ffffffffc2644e1a>] ib_cache_setup_one+0x24a/0x350 [ib_core]
    [<ffffffffc263949e>] ib_register_device+0x9e/0x3a0 [ib_core]
    [<ffffffffc2a3d389>] 0xffffffffc2a3d389
    [<ffffffffc2688cd8>] nldev_newlink+0x2b8/0x520 [ib_core]
    [<ffffffffc2645fe3>] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core]
    [<ffffffffc264648c>]
rdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core]
    [<ffffffff9270e7b5>] netlink_unicast+0x445/0x710
    [<ffffffff9270f1f1>] netlink_sendmsg+0x761/0xc40
    [<ffffffff9249db29>] __sys_sendto+0x3a9/0x420
    [<ffffffff9249dc8c>] __x64_sys_sendto+0xdc/0x1b0
    [<ffffffff92db0ad3>] do_syscall_64+0x93/0x180
    [<ffffffff92e00126>] entry_SYSCALL_64_after_hwframe+0x71/0x79

The root cause: rdma_put_gid_attr is not called when sgid_attr is set
to ERR_PTR(-ENODEV).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38539

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38543
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure

The kcalloc() in dmirror_device_evict_chunk() will return null if the
physical memory has run out.  As a result, if src_pfns or dst_pfns is
dereferenced, the null pointer dereference bug will happen.

Moreover, the device is going away.  If the kcalloc() fails, the pages
mapping a chunk could not be evicted.  So add a __GFP_NOFAIL flag in
kcalloc().

Finally, as there is no need to have physically contiguous memory, Switch
kcalloc() to kvcalloc() in order to avoid failing allocations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38543

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38545
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix UAF for cq async event

The refcount of CQ is not protected by locks. When CQ asynchronous
events and CQ destruction are concurrent, CQ may have been released,
which will cause UAF.

Use the xa_lock() to protect the CQ refcount.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38545

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38546
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm: vc4: Fix possible null pointer dereference

In vc4_hdmi_audio_init() of_get_address() may return
NULL which is later dereferenced. Fix this bug by adding NULL check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38546

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38547
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries

The allocation failure of mycs->yuv_scaler_binary in load_video_binaries()
is followed with a dereference of mycs->yuv_scaler_binary after the
following call chain:

sh_css_pipe_load_binaries()
  |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)
  |
  |-> sh_css_pipe_unload_binaries()
        |-> unload_video_binaries()

In unload_video_binaries(), it calls to ia_css_binary_unload with argument
&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the
same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer
dereference is triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38547

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38549
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: Add 0 size check to mtk_drm_gem_obj

Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object
of 0 bytes. Currently, no such check exists and the kernel will panic if
a userspace application attempts to allocate a 0x0 GBM buffer.

Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and
verifying that we now return EINVAL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38549

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38551
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: mediatek: Assign dummy when codec not specified for a DAI link

MediaTek sound card drivers are checking whether a DAI link is present
and used on a board to assign the correct parameters and this is done
by checking the codec DAI names at probe time.

If no real codec is present, assign the dummy codec to the DAI link
to avoid NULL pointer during string comparison.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38551

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38552
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix potential index out of bounds in color transformation function

Fixes index out of bounds issue in the color transformation function.
The issue could occur when the index 'i' exceeds the number of transfer
function points (TRANSFER_FUNC_POINTS).

The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds, an error message is
logged and the function returns false to indicate an error.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38552

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38553
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: fec: remove .ndo_poll_controller to avoid deadlocks

There is a deadlock issue found in sungem driver, please refer to the
commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid
deadlocks"). The root cause of the issue is that netpoll is in atomic
context and disable_irq() is called by .ndo_poll_controller interface
of sungem driver, however, disable_irq() might sleep. After analyzing
the implementation of fec_poll_controller(), the fec driver should have
the same issue. Due to the fec driver uses NAPI for TX completions, the
.ndo_poll_controller is unnecessary to be implemented in the fec driver,
so fec_poll_controller() can be safely removed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38553

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38554
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix reference count leak issue of net_device

There is a reference count leak issue of the object "net_device" in
ax25_dev_device_down(). When the ax25 device is shutting down, the
ax25_dev_device_down() drops the reference count of net_device one
or zero times depending on if we goto unlock_put or not, which will
cause memory leak.

In order to solve the above issue, decrease the reference count of
net_device after dev->ax25_ptr is set to null.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38554

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38555
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Discard command completions in internal error

Fix use after free when FW completion arrives while device is in
internal error state. Avoid calling completion handler in this case,
since the device will flush the command interface and trigger all
completions manually.

Kernel log:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
...
RIP: 0010:refcount_warn_saturate+0xd8/0xe0
...
Call Trace:
<IRQ>
? __warn+0x79/0x120
? refcount_warn_saturate+0xd8/0xe0
? report_bug+0x17c/0x190
? handle_bug+0x3c/0x60
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? refcount_warn_saturate+0xd8/0xe0
cmd_ent_put+0x13b/0x160 [mlx5_core]
mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]
cmd_comp_notifier+0x1f/0x30 [mlx5_core]
notifier_call_chain+0x35/0xb0
atomic_notifier_call_chain+0x16/0x20
mlx5_eq_async_int+0xf6/0x290 [mlx5_core]
notifier_call_chain+0x35/0xb0
atomic_notifier_call_chain+0x16/0x20
irq_int_handler+0x19/0x30 [mlx5_core]
__handle_irq_event_percpu+0x4b/0x160
handle_irq_event+0x2e/0x80
handle_edge_irq+0x98/0x230
__common_interrupt+0x3b/0xa0
common_interrupt+0x7b/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38555

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38557
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Reload only IB representors upon lag disable/enable

On lag disable, the bond IB device along with all of its
representors are destroyed, and then the slaves' representors get reloaded.

In case the slave IB representor load fails, the eswitch error flow
unloads all representors, including ethernet representors, where the
netdevs get detached and removed from lag bond. Such flow is inaccurate
as the lag driver is not responsible for loading/unloading ethernet
representors. Furthermore, the flow described above begins by holding
lag lock to prevent bond changes during disable flow. However, when
reaching the ethernet representors detachment from lag, the lag lock is
required again, triggering the following deadlock:

Call trace:
__switch_to+0xf4/0x148
__schedule+0x2c8/0x7d0
schedule+0x50/0xe0
schedule_preempt_disabled+0x18/0x28
__mutex_lock.isra.13+0x2b8/0x570
__mutex_lock_slowpath+0x1c/0x28
mutex_lock+0x4c/0x68
mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]
mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]
mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]
mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]
mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]
mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]
mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]
mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]
mlx5_disable_lag+0x130/0x138 [mlx5_core]
mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock
mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]
devlink_nl_cmd_eswitch_set_doit+0xdc/0x180
genl_family_rcv_msg_doit.isra.17+0xe8/0x138
genl_rcv_msg+0xe4/0x220
netlink_rcv_skb+0x44/0x108
genl_rcv+0x40/0x58
netlink_unicast+0x198/0x268
netlink_sendmsg+0x1d4/0x418
sock_sendmsg+0x54/0x60
__sys_sendto+0xf4/0x120
__arm64_sys_sendto+0x30/0x40
el0_svc_common+0x8c/0x120
do_el0_svc+0x30/0xa0
el0_svc+0x20/0x30
el0_sync_handler+0x90/0xb8
el0_sync+0x160/0x180

Thus, upon lag enable/disable, load and unload only the IB representors
of the slaves preventing the deadlock mentioned above.

While at it, refactor the mlx5_esw_offloads_rep_load() function to have
a static helper method for its internal logic, in symmetry with the
representor unload design.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38557

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38561
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

kunit: Fix kthread reference

There is a race condition when a kthread finishes after the deadline and
before the call to kthread_stop(), which may lead to use after free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38561

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38562
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: Avoid address calculations via out of bounds array indexing

Before request->channels[] can be used, request->n_channels must be set.
Additionally, address calculations for memory after the "channels" array
need to be calculated from the allocation base ("request") rather than
via the first "out of bounds" index of "channels", otherwise run-time
bounds checking will throw a warning.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38562

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38563
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: fix potential memory leakage when reading chip temperature

Without this commit, reading chip temperature will cause memory leakage.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38563

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38568
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group

The perf tool allows users to create event groups through following
cmd [1], but the driver does not check whether the array index is out
of bounds when writing data to the event_group array. If the number of
events in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the
memory write overflow of event_group array occurs.

Add array index check to fix the possible array out of bounds violation,
and return directly when write new events are written to array bounds.

There are 9 different events in an event_group.
[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38568

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38569
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group

The perf tool allows users to create event groups through following
cmd [1], but the driver does not check whether the array index is out of
bounds when writing data to the event_group array. If the number of events
in an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write
overflow of event_group array occurs.

Add array index check to fix the possible array out of bounds violation,
and return directly when write new events are written to array bounds.

There are 9 different events in an event_group.
[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38569

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38570
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix potential glock use-after-free on unmount

When a DLM lockspace is released and there ares still locks in that
lockspace, DLM will unlock those locks automatically.  Commit
fb6791d100d1b started exploiting this behavior to speed up filesystem
unmount: gfs2 would simply free glocks it didn't want to unlock and then
release the lockspace.  This didn't take the bast callbacks for
asynchronous lock contention notifications into account, which remain
active until until a lock is unlocked or its lockspace is released.

To prevent those callbacks from accessing deallocated objects, put the
glocks that should not be unlocked on the sd_dead_glocks list, release
the lockspace, and only then free those glocks.

As an additional measure, ignore unexpected ast and bast callbacks if
the receiving glock is dead.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38570

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38571
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal/drivers/tsens: Fix null pointer dereference

compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)
as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null
pointer dereference (if DEBUG or DYNAMIC_DEBUG set).
Fix this bug by adding null pointer check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38571

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38577
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow

There is a possibility of buffer overflow in
show_rcu_tasks_trace_gp_kthread() if counters, passed
to sprintf() are huge. Counter numbers, needed for this
are unrealistically high, but buffer overflow is still
possible.

Use snprintf() with buffer size instead of sprintf().

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38577

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38581
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/mes: fix use-after-free issue

Delete fence fallback timer to fix the ramdom
use-after-free issue.

v2: move to amdgpu_mes.c
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38581

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38583
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free of timer for log writer thread

Patch series "nilfs2: fix log writer related issues".

This bug fix series covers three nilfs2 log writer-related issues,
including a timer use-after-free issue and potential deadlock issue on
unmount, and a potential freeze issue in event synchronization found
during their analysis.  Details are described in each commit log.


This patch (of 3):

A use-after-free issue has been reported regarding the timer sc_timer on
the nilfs_sc_info structure.

The problem is that even though it is used to wake up a sleeping log
writer thread, sc_timer is not shut down until the nilfs_sc_info structure
is about to be freed, and is used regardless of the thread's lifetime.

Fix this issue by limiting the use of sc_timer only while the log writer
thread is alive.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38583

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38584
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe()

In the prueth_probe() function, if one of the calls to emac_phy_connect()
fails due to of_phy_connect() returning NULL, then the subsequent call to
phy_attached_info() will dereference a NULL pointer.

Check the return code of emac_phy_connect and fail cleanly if there is an
error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38584

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38588
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix possible use-after-free issue in ftrace_location()

KASAN reports a bug:

  BUG: KASAN: use-after-free in ftrace_location+0x90/0x120
  Read of size 8 at addr ffff888141d40010 by task insmod/424
  CPU: 8 PID: 424 Comm: insmod Tainted: G        W          6.9.0-rc2+
  [...]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x68/0xa0
   print_report+0xcf/0x610
   kasan_report+0xb5/0xe0
   ftrace_location+0x90/0x120
   register_kprobe+0x14b/0xa40
   kprobe_init+0x2d/0xff0 [kprobe_example]
   do_one_initcall+0x8f/0x2d0
   do_init_module+0x13a/0x3c0
   load_module+0x3082/0x33d0
   init_module_from_file+0xd2/0x130
   __x64_sys_finit_module+0x306/0x440
   do_syscall_64+0x68/0x140
   entry_SYSCALL_64_after_hwframe+0x71/0x79

The root cause is that, in lookup_rec(), ftrace record of some address
is being searched in ftrace pages of some module, but those ftrace pages
at the same time is being freed in ftrace_release_mod() as the
corresponding module is being deleted:

           CPU1                       |      CPU2
  register_kprobes() {                | delete_module() {
    check_kprobe_address_safe() {     |
      arch_check_ftrace_location() {  |
        ftrace_location() {           |
          lookup_rec() // USE!        |   ftrace_release_mod() // Free!

To fix this issue:
  1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();
  2. Use ftrace_location_range() instead of lookup_rec() in
     ftrace_location();
  3. Call synchronize_rcu() before freeing any ftrace pages both in
     ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38588

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38590
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Modify the print level of CQE error

Too much print may lead to a panic in kernel. Change ibdev_err() to
ibdev_err_ratelimited(), and change the printing level of cqe dump
to debug level.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38590

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38591
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix deadlock on SRQ async events.

xa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/
xa_erase_irq() to avoid deadlock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38591

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38597
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

eth: sungem: remove .ndo_poll_controller to avoid deadlocks

Erhard reports netpoll warnings from sungem:

  netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)
  WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c

gem_poll_controller() disables interrupts, which may sleep.
We can't sleep in netpoll, it has interrupts disabled completely.
Strangely, gem_poll_controller() doesn't even poll the completions,
and instead acts as if an interrupt has fired so it just schedules
NAPI and exits. None of this has been necessary for years, since
netpoll invokes NAPI directly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38597

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38598
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

md: fix resync softlockup when bitmap size is less than array size

Is is reported that for dm-raid10, lvextend + lvchange --syncaction will
trigger following softlockup:

kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]
CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1
RIP: 0010:_raw_spin_unlock_irq+0x13/0x30
Call Trace:
 <TASK>
 md_bitmap_start_sync+0x6b/0xf0
 raid10_sync_request+0x25c/0x1b40 [raid10]
 md_do_sync+0x64b/0x1020
 md_thread+0xa7/0x170
 kthread+0xcf/0x100
 ret_from_fork+0x30/0x50
 ret_from_fork_asm+0x1a/0x30

And the detailed process is as follows:

md_do_sync
 j = mddev->resync_min
 while (j < max_sectors)
  sectors = raid10_sync_request(mddev, j, &skipped)
   if (!md_bitmap_start_sync(..., &sync_blocks))
    // md_bitmap_start_sync set sync_blocks to 0
    return sync_blocks + sectors_skippe;
  // sectors = 0;
  j += sectors;
  // j never change

Root cause is that commit 301867b1c168 ("md/raid10: check
slab-out-of-bounds in md_bitmap_get_counter") return early from
md_bitmap_get_counter(), without setting returned blocks.

Fix this problem by always set returned blocks from
md_bitmap_get_counter"(), as it used to be.

Noted that this patch just fix the softlockup problem in kernel, the
case that bitmap size doesn't match array size still need to be fixed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38598

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38600
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: Fix deadlocks with kctl removals at disconnection

In snd_card_disconnect(), we set card->shutdown flag at the beginning,
call callbacks and do sync for card->power_ref_sleep waiters at the
end.  The callback may delete a kctl element, and this can lead to a
deadlock when the device was in the suspended state.  Namely:

* A process waits for the power up at snd_power_ref_and_wait() in
  snd_ctl_info() or read/write() inside card->controls_rwsem.

* The system gets disconnected meanwhile, and the driver tries to
  delete a kctl via snd_ctl_remove*(); it tries to take
  card->controls_rwsem again, but this is already locked by the
  above.  Since the sleeper isn't woken up, this deadlocks.

An easy fix is to wake up sleepers before processing the driver
disconnect callbacks but right after setting the card->shutdown flag.
Then all sleepers will abort immediately, and the code flows again.

So, basically this patch moves the wait_event() call at the right
timing.  While we're at it, just to be sure, call wait_event_all()
instead of wait_event(), although we don't use exclusive events on
this queue for now.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38600

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38602
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix reference count leak issues of ax25_dev

The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference
count leak issue of the object "ax25_dev".

Memory leak issue in ax25_addr_ax25dev():

The reference count of the object "ax25_dev" can be increased multiple
times in ax25_addr_ax25dev(). This will cause a memory leak.

Memory leak issues in ax25_dev_device_down():

The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and
then increase the reference count when ax25_dev is added to ax25_dev_list.
As a result, the reference count of ax25_dev is 2. But when the device is
shutting down. The ax25_dev_device_down() drops the reference count once
or twice depending on if we goto unlock_put or not, which will cause
memory leak.

As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer
to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the
issue of ax25_dev_device_down(), increase the reference count of ax25_dev
once in ax25_dev_device_up() and decrease the reference count of ax25_dev
after it is removed from the ax25_dev_list.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38602

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38603
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()

pci_alloc_irq_vectors() allocates an irq vector. When devm_add_action()
fails, the irq vector is not freed, which leads to a memory leak.

Replace the devm_add_action with devm_add_action_or_reset to ensure
the irq vector can be destroyed when it fails.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38603

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38608
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix netif state handling

mlx5e_suspend cleans resources only if netif_device_present() returns
true. However, mlx5e_resume changes the state of netif, via
mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.
In the below case, the above leads to NULL-ptr Oops[1] and memory
leaks:

mlx5e_probe
 _mlx5e_resume
  mlx5e_attach_netdev
   mlx5e_nic_enable  <-- netdev not reg, not calling netif_device_attach()
  register_netdev <-- failed for some reason.
ERROR_FLOW:
 _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(

Hence, clean resources in this case as well.

[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at0xffffffffffffffd6.
RSP: 0018:ffff888178aaf758 EFLAGS: 00010246
Call Trace:
 <TASK>
 ? __die+0x20/0x60
 ? page_fault_oops+0x14c/0x3c0
 ? exc_page_fault+0x75/0x140
 ? asm_exc_page_fault+0x22/0x30
 notifier_call_chain+0x35/0xb0
 blocking_notifier_call_chain+0x3d/0x60
 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]
 mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]
 mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]
 mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]
 __mlx5_ib_add+0x34/0xd0 [mlx5_ib]
 mlx5r_probe+0xe1/0x210 [mlx5_ib]
 ? auxiliary_match_id+0x6a/0x90
 auxiliary_bus_probe+0x38/0x80
 ? driver_sysfs_add+0x51/0x80
 really_probe+0xc9/0x3e0
 ? driver_probe_device+0x90/0x90
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x1e/0x90
 __device_attach_driver+0x7d/0x100
 bus_for_each_drv+0x80/0xd0
 __device_attach+0xbc/0x1f0
 bus_probe_device+0x86/0xa0
 device_add+0x637/0x840
 __auxiliary_device_add+0x3b/0xa0
 add_adev+0xc9/0x140 [mlx5_core]
 mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]
 mlx5_register_device+0x53/0xa0 [mlx5_core]
 mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]
 mlx5_init_one+0x3b/0x60 [mlx5_core]
 probe_one+0x44c/0x730 [mlx5_core]
 local_pci_probe+0x3e/0x90
 pci_device_probe+0xbf/0x210
 ? kernfs_create_link+0x5d/0xa0
 ? sysfs_do_create_link_sd+0x60/0xc0
 really_probe+0xc9/0x3e0
 ? driver_probe_device+0x90/0x90
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x1e/0x90
 __device_attach_driver+0x7d/0x100
 bus_for_each_drv+0x80/0xd0
 __device_attach+0xbc/0x1f0
 pci_bus_add_device+0x54/0x80
 pci_iov_add_virtfn+0x2e6/0x320
 sriov_enable+0x208/0x420
 mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]
 sriov_numvfs_store+0xae/0x1a0
 kernfs_fop_write_iter+0x10c/0x1a0
 vfs_write+0x291/0x3c0
 ksys_write+0x5f/0xe0
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
 CR2: 0000000000000000
 ---[ end trace 0000000000000000  ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38608

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38627
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

stm class: Fix a double free in stm_register_device()

The put_device(&stm->dev) call will trigger stm_device_release() which
frees "stm" so the vfree(stm) on the next line is a double free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38627

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38630
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

When the cpu5wdt module is removing, the origin code uses del_timer() to
de-activate the timer. If the timer handler is running, del_timer() could
not stop it and will return directly. If the port region is released by
release_region() and then the timer handler cpu5wdt_trigger() calls outb()
to write into the region that is released, the use-after-free bug will
happen.

Change del_timer() to timer_shutdown_sync() in order that the timer handler
could be finished before the port region is released.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38630

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38631
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: adc: PAC1934: fix accessing out of bounds array index

Fix accessing out of bounds array index for average
current and voltage measurements. The device itself has
only 4 channels, but in sysfs there are "fake"
channels for the average voltages and currents too.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38631

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38632
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: fix potential memory leak in vfio_intx_enable()

If vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38632

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38633
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: max3100: Update uart_driver_registered on driver removal

The removal of the last MAX3100 device triggers the removal of
the driver. However, code doesn't update the respective global
variable and after insmod — rmmod — insmod cycle the kernel
oopses:

  max3100 spi-PRP0001:01: max3100_probe: adding port 0
  BUG: kernel NULL pointer dereference, address: 0000000000000408
  ...
  RIP: 0010:serial_core_register_port+0xa0/0x840
  ...
   max3100_probe+0x1b6/0x280 [max3100]
   spi_probe+0x8d/0xb0

Update the actual state so next time UART driver will be registered
again.

Hugo also noticed, that the error path in the probe also affected
by having the variable set, and not cleared. Instead of clearing it
move the assignment after the successfull uart_register_driver() call.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38633

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38661
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/ap: Fix crash in AP internal function modify_bitmap()

A system crash like this

  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403
  Fault in home space mode while using kernel ASCE.
  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d
  Oops: 0038 ilc:3 [#1] PREEMPT SMP
  Modules linked in: mlx5_ib ...
  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8
  Hardware name: IBM 3931 A01 704 (LPAR)
  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)
  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3
  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0
  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff
  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8
  Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a
  0000014b75e7b600: 18b2                lr      %r11,%r2
  #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616
  >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)
  0000014b75e7b60c: a7680001            lhi     %r6,1
  0000014b75e7b610: 187b                lr      %r7,%r11
  0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654
  0000014b75e7b616: 18e9                lr      %r14,%r9
  Call Trace:
  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8
  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)
  [<0000014b75e7b758>] apmask_store+0x68/0x140
  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8
  [<0000014b75598524>] vfs_write+0x1b4/0x448
  [<0000014b7559894c>] ksys_write+0x74/0x100
  [<0000014b7618a440>] __do_syscall+0x268/0x328
  [<0000014b761a3558>] system_call+0x70/0x98
  INFO: lockdep is turned off.
  Last Breaking-Event-Address:
  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8
  Kernel panic - not syncing: Fatal exception: panic_on_oops

occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value
(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.

The fix is simple: use unsigned long values for the internal variables. The
correct checks are already in place in the function but a simple int for
the internal variables was used with the possibility to overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38661

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38662
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Allow delete from sockmap/sockhash only if update is allowed

We have seen an influx of syzkaller reports where a BPF program attached to
a tracepoint triggers a locking rule violation by performing a map_delete
on a sockmap/sockhash.

We don't intend to support this artificial use scenario. Extend the
existing verifier allowed-program-type check for updating sockmap/sockhash
to also cover deleting from a map.

From now on only BPF programs which were previously allowed to update
sockmap/sockhash can delete from these map types.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38662

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38664
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm: zynqmp_dpsub: Always register bridge

We must always register the DRM bridge, since zynqmp_dp_hpd_work_func
calls drm_bridge_hpd_notify, which in turn expects hpd_mutex to be
initialized. We do this before zynqmp_dpsub_drm_init since that calls
drm_bridge_attach. This fixes the following lockdep warning:

[   19.217084] ------------[ cut here ]------------
[   19.227530] DEBUG_LOCKS_WARN_ON(lock->magic != lock)
[   19.227768] WARNING: CPU: 0 PID: 140 at kernel/locking/mutex.c:582 __mutex_lock+0x4bc/0x550
[   19.241696] Modules linked in:
[   19.244937] CPU: 0 PID: 140 Comm: kworker/0:4 Not tainted 6.6.20+ #96
[   19.252046] Hardware name: xlnx,zynqmp (DT)
[   19.256421] Workqueue: events zynqmp_dp_hpd_work_func
[   19.261795] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   19.269104] pc : __mutex_lock+0x4bc/0x550
[   19.273364] lr : __mutex_lock+0x4bc/0x550
[   19.277592] sp : ffffffc085c5bbe0
[   19.281066] x29: ffffffc085c5bbe0 x28: 0000000000000000 x27: ffffff88009417f8
[   19.288624] x26: ffffff8800941788 x25: ffffff8800020008 x24: ffffffc082aa3000
[   19.296227] x23: ffffffc080d90e3c x22: 0000000000000002 x21: 0000000000000000
[   19.303744] x20: 0000000000000000 x19: ffffff88002f5210 x18: 0000000000000000
[   19.311295] x17: 6c707369642e3030 x16: 3030613464662072 x15: 0720072007200720
[   19.318922] x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 0000000000000001
[   19.326442] x11: 0001ffc085c5b940 x10: 0001ff88003f388b x9 : 0001ff88003f3888
[   19.334003] x8 : 0001ff88003f3888 x7 : 0000000000000000 x6 : 0000000000000000
[   19.341537] x5 : 0000000000000000 x4 : 0000000000001668 x3 : 0000000000000000
[   19.349054] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff88003f3880
[   19.356581] Call trace:
[   19.359160]  __mutex_lock+0x4bc/0x550
[   19.363032]  mutex_lock_nested+0x24/0x30
[   19.367187]  drm_bridge_hpd_notify+0x2c/0x6c
[   19.371698]  zynqmp_dp_hpd_work_func+0x44/0x54
[   19.376364]  process_one_work+0x3ac/0x988
[   19.380660]  worker_thread+0x398/0x694
[   19.384736]  kthread+0x1bc/0x1c0
[   19.388241]  ret_from_fork+0x10/0x20
[   19.392031] irq event stamp: 183
[   19.395450] hardirqs last  enabled at (183): [<ffffffc0800b9278>] finish_task_switch.isra.0+0xa8/0x2d4
[   19.405140] hardirqs last disabled at (182): [<ffffffc081ad3754>] __schedule+0x714/0xd04
[   19.413612] softirqs last  enabled at (114): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c
[   19.423128] softirqs last disabled at (110): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c
[   19.432614] ---[ end trace 0000000000000000 ]---

(cherry picked from commit 61ba791c4a7a09a370c45b70a81b8c7d4cf6b2ae)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38664

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38667
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

riscv: prevent pt_regs corruption for secondary idle threads

Top of the kernel thread stack should be reserved for pt_regs. However
this is not the case for the idle threads of the secondary boot harts.
Their stacks overlap with their pt_regs, so both may get corrupted.

Similar issue has been fixed for the primary hart, see c7cdd96eca28
("riscv: prevent stack corruption by reserving task_pt_regs(p) early").
However that fix was not propagated to the secondary harts. The problem
has been noticed in some CPU hotplug tests with V enabled. The function
smp_callin stored several registers on stack, corrupting top of pt_regs
structure including status field. As a result, kernel attempted to save
or restore inexistent V context.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38667

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-38780
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dma-buf/sw-sync: don't enable IRQ from sync_print_obj()

Since commit a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from
known context") by error replaced spin_unlock_irqrestore() with
spin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite
sync_print_obj() is called from sync_debugfs_show(), lockdep complains
inconsistent lock state warning.

Use plain spin_{lock,unlock}() for sync_print_obj(), for
sync_debugfs_show() is already using spin_{lock,unlock}_irq().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-38780

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39277
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dma-mapping: benchmark: handle NUMA_NO_NODE correctly

cpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()
resulting in the following sanitizer report:

UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28
index -1 is out of range for type 'cpumask [64][1]'
CPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
 <TASK>
dump_stack_lvl (lib/dump_stack.c:117)
ubsan_epilogue (lib/ubsan.c:232)
__ubsan_handle_out_of_bounds (lib/ubsan.c:429)
cpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]
do_map_benchmark (kernel/dma/map_benchmark.c:104)
map_benchmark_ioctl (kernel/dma/map_benchmark.c:246)
full_proxy_unlocked_ioctl (fs/debugfs/file.c:333)
__x64_sys_ioctl (fs/ioctl.c:890)
do_syscall_64 (arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Use cpumask_of_node() in place when binding a kernel thread to a cpuset
of a particular node.

Note that the provided node id is checked inside map_benchmark_ioctl().
It's just a NUMA_NO_NODE case which is not handled properly later.

Found by Linux Verification Center (linuxtesting.org).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39277

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39291
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode()

The function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generating
about potential truncation of output when using the snprintf function.
The issue was due to the size of the buffer 'ucode_prefix' being too
small to accommodate the maximum possible length of the string being
written into it.

The string being written is "amdgpu/%s_mec.bin" or "amdgpu/%s_rlc.bin",
where %s is replaced by the value of 'chip_name'. The length of this
string without the %s is 16 characters. The warning message indicated
that 'chip_name' could be up to 29 characters long, resulting in a total
of 45 characters, which exceeds the buffer size of 30 characters.

To resolve this issue, the size of the 'ucode_prefix' buffer has been
reduced from 30 to 15. This ensures that the maximum possible length of
the string being written into the buffer will not exceed its size, thus
preventing potential buffer overflow and truncation issues.

Fixes the below with gcc W=1:
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: In function ‘gfx_v9_4_3_early_init’:
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: warning: ‘%s’ directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]
  379 |         snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name);
      |                                                    ^~
......
  439 |         r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix);
      |                                                 ~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: note: ‘snprintf’ output between 16 and 45 bytes into a destination of size 30
  379 |         snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: warning: ‘%s’ directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]
  413 |         snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name);
      |                                                    ^~
......
  443 |         r = gfx_v9_4_3_init_cp_compute_microcode(adev, ucode_prefix);
      |                                                        ~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: note: ‘snprintf’ output between 16 and 45 bytes into a destination of size 30
  413 |         snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39291

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39292
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

um: Add winch to winch_handlers before registering winch IRQ

Registering a winch IRQ is racy, an interrupt may occur before the winch is
added to the winch_handlers list.

If that happens, register_winch_irq() adds to that list a winch that is
scheduled to be (or has already been) freed, causing a panic later in
winch_cleanup().

Avoid the race by adding the winch to the winch_handlers list before
registering the IRQ, and rolling back if um_request_irq() fails.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39292

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39301
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/9p: fix uninit-value in p9_client_rpc()

Syzbot with the help of KMSAN reported the following error:

BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]
BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
 trace_9p_client_res include/trace/events/9p.h:146 [inline]
 p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
 legacy_get_tree+0x114/0x290 fs/fs_context.c:662
 vfs_get_tree+0xa7/0x570 fs/super.c:1797
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
 path_mount+0x742/0x1f20 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x725/0x810 fs/namespace.c:3875
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
 __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0x2de/0x1400 mm/slub.c:2391
 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525
 __slab_alloc mm/slub.c:3610 [inline]
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852
 p9_tag_alloc net/9p/client.c:278 [inline]
 p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641
 p9_client_rpc+0x27e/0x1340 net/9p/client.c:688
 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
 legacy_get_tree+0x114/0x290 fs/fs_context.c:662
 vfs_get_tree+0xa7/0x570 fs/super.c:1797
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
 path_mount+0x742/0x1f20 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x725/0x810 fs/namespace.c:3875
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag
will not be properly initialized. However, trace_9p_client_res()
ends up trying to print it out anyway before p9_client_rpc()
finishes.

Fix this issue by assigning default values to p9_fcall fields
such as 'tag' and (just in case KMSAN unearths something new) 'id'
during the tag allocation stage.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39301

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39371
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring: check for non-NULL file pointer in io_file_can_poll()

In earlier kernels, it was possible to trigger a NULL pointer
dereference off the forced async preparation path, if no file had
been assigned. The trace leading to that looks as follows:

BUG: kernel NULL pointer dereference, address: 00000000000000b0
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022
RIP: 0010:io_buffer_select+0xc3/0x210
Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b
RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246
RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040
RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700
RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020
R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8
R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000
FS:  00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0
Call Trace:
 <TASK>
 ? __die+0x1f/0x60
 ? page_fault_oops+0x14d/0x420
 ? do_user_addr_fault+0x61/0x6a0
 ? exc_page_fault+0x6c/0x150
 ? asm_exc_page_fault+0x22/0x30
 ? io_buffer_select+0xc3/0x210
 __io_import_iovec+0xb5/0x120
 io_readv_prep_async+0x36/0x70
 io_queue_sqe_fallback+0x20/0x260
 io_submit_sqes+0x314/0x630
 __do_sys_io_uring_enter+0x339/0xbc0
 ? __do_sys_io_uring_register+0x11b/0xc50
 ? vm_mmap_pgoff+0xce/0x160
 do_syscall_64+0x5f/0x180
 entry_SYSCALL_64_after_hwframe+0x46/0x4e
RIP: 0033:0x55e0a110a67e
Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6

because the request is marked forced ASYNC and has a bad file fd, and
hence takes the forced async prep path.

Current kernels with the request async prep cleaned up can no longer hit
this issue, but for ease of backporting, let's add this safety check in
here too as it really doesn't hurt. For both cases, this will inevitably
end with a CQE posted with -EBADF.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39371

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39461
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

clk: bcm: rpi: Assign ->num before accessing ->hws

Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with
__counted_by") annotated the hws member of 'struct clk_hw_onecell_data'
with __counted_by, which informs the bounds sanitizer about the number
of elements in hws, so that it can warn when hws is accessed out of
bounds. As noted in that change, the __counted_by member must be
initialized with the number of elements before the first array access
happens, otherwise there will be a warning from each access prior to the
initialization because the number of elements is zero. This occurs in
raspberrypi_discover_clocks() due to ->num being assigned after ->hws
has been accessed:

  UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-raspberrypi.c:374:4
  index 3 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]')

Move the ->num initialization to before the first access of ->hws, which
clears up the warning.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39461

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39463
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

9p: add missing locking around taking dentry fid list

Fix a use-after-free on dentry's d_fsdata fid list when a thread
looks up a fid through dentry while another thread unlinks it:

UAF thread:
refcount_t: addition on 0; use-after-free.
 p9_fid_get linux/./include/net/9p/client.h:262
 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129
 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181
 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314
 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400
 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248

Freed by:
 p9_fid_destroy (inlined)
 p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456
 p9_fid_put linux/./include/net/9p/client.h:278
 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55
 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518
 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335

The problem is that d_fsdata was not accessed under d_lock, because
d_release() normally is only called once the dentry is otherwise no
longer accessible but since we also call it explicitly in v9fs_remove
that lock is required:
move the hlist out of the dentry under lock then unref its fids once
they are no longer accessible.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39463

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39464
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: v4l: async: Fix notifier list entry init

struct v4l2_async_notifier has several list_head members, but only
waiting_list and done_list are initialized. notifier_entry was kept
'zeroed' leading to an uninitialized list_head.
This results in a NULL-pointer dereference if csi2_async_register() fails,
e.g. node for remote endpoint is disabled, and returns -ENOTCONN.
The following calls to v4l2_async_nf_unregister() results in a NULL
pointer dereference.
Add the missing list head initializer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39464

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39465
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: mgb4: Fix double debugfs remove

Fixes an error where debugfs_remove_recursive() is called first on a parent
directory and then again on a child which causes a kernel panic.

[hverkuil: added Fixes/Cc tags]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39465

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39466
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal/drivers/qcom/lmh: Check for SCM availability at probe

Up until now, the necessary scm availability check has not been
performed, leading to possible null pointer dereferences (which did
happen for me on RB1).

Fix that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39466

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39468
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix deadlock in smb2_find_smb_tcon()

Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such
deadlock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39468

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39470
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

eventfs: Fix a possible null pointer dereference in eventfs_find_events()

In function eventfs_find_events,there is a potential null pointer
that may be caused by calling update_events_attr which will perform
some operations on the members of the ei struct when ei is NULL.

Hence,When ei->is_freed is set,return NULL directly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39470

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39471
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: add error handle to avoid out-of-bounds

if the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should
be stop to avoid out-of-bounds read, so directly return -EINVAL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39471

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39472
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xfs: fix log recovery buffer allocation for the legacy h_size fixup

Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by
mkfs") added a fixup for incorrect h_size values used for the initial
umount record in old xfsprogs versions.  Later commit 0c771b99d6c9
("xfs: clean up calculation of LR header blocks") cleaned up the log
reover buffer calculation, but stoped using the fixed up h_size value
to size the log recovery buffer, which can lead to an out of bounds
access when the incorrect h_size does not come from the old mkfs
tool, but a fuzzer.

Fix this by open coding xlog_logrec_hblks and taking the fixed h_size
into account for this calculation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39472

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39473
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension

If a process module does not have base config extension then the same
format applies to all of it's inputs and the process->base_config_ext is
NULL, causing NULL dereference when specifically crafted topology and
sequences used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39473

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39474
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL

commit a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc")
includes support for __GFP_NOFAIL, but it presents a conflict with commit
dd544141b9eb ("vmalloc: back off when the current task is OOM-killed").  A
possible scenario is as follows:

process-a
__vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL)
    __vmalloc_area_node()
        vm_area_alloc_pages()
		--> oom-killer send SIGKILL to process-a
        if (fatal_signal_pending(current)) break;
--> return NULL;

To fix this, do not check fatal_signal_pending() in vm_area_alloc_pages()
if __GFP_NOFAIL set.

This issue occurred during OPLUS KASAN TEST. Below is part of the log
-> oom-killer sends signal to process
[65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198

[65731.259685] [T32454] Call trace:
[65731.259698] [T32454]  dump_backtrace+0xf4/0x118
[65731.259734] [T32454]  show_stack+0x18/0x24
[65731.259756] [T32454]  dump_stack_lvl+0x60/0x7c
[65731.259781] [T32454]  dump_stack+0x18/0x38
[65731.259800] [T32454]  mrdump_common_die+0x250/0x39c [mrdump]
[65731.259936] [T32454]  ipanic_die+0x20/0x34 [mrdump]
[65731.260019] [T32454]  atomic_notifier_call_chain+0xb4/0xfc
[65731.260047] [T32454]  notify_die+0x114/0x198
[65731.260073] [T32454]  die+0xf4/0x5b4
[65731.260098] [T32454]  die_kernel_fault+0x80/0x98
[65731.260124] [T32454]  __do_kernel_fault+0x160/0x2a8
[65731.260146] [T32454]  do_bad_area+0x68/0x148
[65731.260174] [T32454]  do_mem_abort+0x151c/0x1b34
[65731.260204] [T32454]  el1_abort+0x3c/0x5c
[65731.260227] [T32454]  el1h_64_sync_handler+0x54/0x90
[65731.260248] [T32454]  el1h_64_sync+0x68/0x6c

[65731.260269] [T32454]  z_erofs_decompress_queue+0x7f0/0x2258
--> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL);
	kernel panic by NULL pointer dereference.
	erofs assume kvmalloc with __GFP_NOFAIL never return NULL.
[65731.260293] [T32454]  z_erofs_runqueue+0xf30/0x104c
[65731.260314] [T32454]  z_erofs_readahead+0x4f0/0x968
[65731.260339] [T32454]  read_pages+0x170/0xadc
[65731.260364] [T32454]  page_cache_ra_unbounded+0x874/0xf30
[65731.260388] [T32454]  page_cache_ra_order+0x24c/0x714
[65731.260411] [T32454]  filemap_fault+0xbf0/0x1a74
[65731.260437] [T32454]  __do_fault+0xd0/0x33c
[65731.260462] [T32454]  handle_mm_fault+0xf74/0x3fe0
[65731.260486] [T32454]  do_mem_abort+0x54c/0x1b34
[65731.260509] [T32454]  el0_da+0x44/0x94
[65731.260531] [T32454]  el0t_64_sync_handler+0x98/0xb4
[65731.260553] [T32454]  el0t_64_sync+0x198/0x19c
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39474

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39475
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fbdev: savage: Handle err return when savagefb_check_var failed

The commit 04e5eac8f3ab("fbdev: savage: Error out if pixclock equals zero")
checks the value of pixclock to avoid divide-by-zero error. However
the function savagefb_probe doesn't handle the error return of
savagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39475

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39476
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING

Xiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with
small possibility, the root cause is exactly the same as commit
bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"")

However, Dan reported another hang after that, and junxiao investigated
the problem and found out that this is caused by plugged bio can't issue
from raid5d().

Current implementation in raid5d() has a weird dependence:

1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear
   MD_SB_CHANGE_PENDING;
2) raid5d() handles IO in a deadloop, until all IO are issued;
3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;

This behaviour is introduce before v2.6, and for consequence, if other
context hold 'reconfig_mutex', and md_check_recovery() can't update
super_block, then raid5d() will waste one cpu 100% by the deadloop, until
'reconfig_mutex' is released.

Refer to the implementation from raid1 and raid10, fix this problem by
skipping issue IO if MD_SB_CHANGE_PENDING is still set after
md_check_recovery(), daemon thread will be woken up when 'reconfig_mutex'
is released. Meanwhile, the hang problem will be fixed as well.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39476

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39477
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: do not call vma_add_reservation upon ENOMEM

sysbot reported a splat [1] on __unmap_hugepage_range().  This is because
vma_needs_reservation() can return -ENOMEM if
allocate_file_region_entries() fails to allocate the file_region struct
for the reservation.

Check for that and do not call vma_add_reservation() if that is the case,
otherwise region_abort() and region_del() will see that we do not have any
file_regions.

If we detect that vma_needs_reservation() returned -ENOMEM, we clear the
hugetlb_restore_reserve flag as if this reservation was still consumed, so
free_huge_folio() will not increment the resv count.

[1] https://lore.kernel.org/linux-mm/0000000000004096100617c58d54@google.com/T/#ma5983bc1ab18a54910da83416b3f89f3c7ee43aa
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39477

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39478
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: starfive - Do not free stack buffer

RSA text data uses variable length buffer allocated in software stack.
Calling kfree on it causes undefined behaviour in subsequent operations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39478

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39479
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/i915/hwmon: Get rid of devm

When both hwmon and hwmon drvdata (on which hwmon depends) are device
managed resources, the expectation, on device unbind, is that hwmon will be
released before drvdata. However, in i915 there are two separate code
paths, which both release either drvdata or hwmon and either can be
released before the other. These code paths (for device unbind) are as
follows (see also the bug referenced below):

Call Trace:
release_nodes+0x11/0x70
devres_release_group+0xb2/0x110
component_unbind_all+0x8d/0xa0
component_del+0xa5/0x140
intel_pxp_tee_component_fini+0x29/0x40 [i915]
intel_pxp_fini+0x33/0x80 [i915]
i915_driver_remove+0x4c/0x120 [i915]
i915_pci_remove+0x19/0x30 [i915]
pci_device_remove+0x32/0xa0
device_release_driver_internal+0x19c/0x200
unbind_store+0x9c/0xb0

and

Call Trace:
release_nodes+0x11/0x70
devres_release_all+0x8a/0xc0
device_unbind_cleanup+0x9/0x70
device_release_driver_internal+0x1c1/0x200
unbind_store+0x9c/0xb0

This means that in i915, if use devm, we cannot gurantee that hwmon will
always be released before drvdata. Which means that we have a uaf if hwmon
sysfs is accessed when drvdata has been released but hwmon hasn't.

The only way out of this seems to be do get rid of devm_ and release/free
everything explicitly during device unbind.

v2: Change commit message and other minor code changes
v3: Cleanup from i915_hwmon_register on error (Armin Wolf)
v4: Eliminate potential static analyzer warning (Rodrigo)
    Eliminate fetch_and_zero (Jani)
v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39479

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39480
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

kdb: Fix buffer overflow during tab-complete

Currently, when the user attempts symbol completion with the Tab key, kdb
will use strncpy() to insert the completed symbol into the command buffer.
Unfortunately it passes the size of the source buffer rather than the
destination to strncpy() with predictably horrible results. Most obviously
if the command buffer is already full but cp, the cursor position, is in
the middle of the buffer, then we will write past the end of the supplied
buffer.

Fix this by replacing the dubious strncpy() calls with memmove()/memcpy()
calls plus explicit boundary checks to make sure we have enough space
before we start moving characters around.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39480

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39481
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: mc: Fix graph walk in media_pipeline_start

The graph walk tries to follow all links, even if they are not between
pads. This causes a crash with, e.g. a MEDIA_LNK_FL_ANCILLARY_LINK link.

Fix this by allowing the walk to proceed only for MEDIA_LNK_FL_DATA_LINK
links.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39481

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39482
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bcache: fix variable length array abuse in btree_iter

btree_iter is used in two ways: either allocated on the stack with a
fixed size MAX_BSETS, or from a mempool with a dynamic size based on the
specific cache set. Previously, the struct had a fixed-length array of
size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized
iterators, which causes UBSAN to complain.

This patch uses the same approach as in bcachefs's sort_iter and splits
the iterator into a btree_iter with a flexible array member and a
btree_iter_stack which embeds a btree_iter as well as a fixed-length
data array.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39482

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39483
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked

When requesting an NMI window, WARN on vNMI support being enabled if and
only if NMIs are actually masked, i.e. if the vCPU is already handling an
NMI.  KVM's ABI for NMIs that arrive simultanesouly (from KVM's point of
view) is to inject one NMI and pend the other.  When using vNMI, KVM pends
the second NMI simply by setting V_NMI_PENDING, and lets the CPU do the
rest (hardware automatically sets V_NMI_BLOCKING when an NMI is injected).

However, if KVM can't immediately inject an NMI, e.g. because the vCPU is
in an STI shadow or is running with GIF=0, then KVM will request an NMI
window and trigger the WARN (but still function correctly).

Whether or not the GIF=0 case makes sense is debatable, as the intent of
KVM's behavior is to provide functionality that is as close to real
hardware as possible.  E.g. if two NMIs are sent in quick succession, the
probability of both NMIs arriving in an STI shadow is infinitesimally low
on real hardware, but significantly larger in a virtual environment, e.g.
if the vCPU is preempted in the STI shadow.  For GIF=0, the argument isn't
as clear cut, because the window where two NMIs can collide is much larger
in bare metal (though still small).

That said, KVM should not have divergent behavior for the GIF=0 case based
on whether or not vNMI support is enabled.  And KVM has allowed
simultaneous NMIs with GIF=0 for over a decade, since commit 7460fb4a3400
("KVM: Fix simultaneous NMIs").  I.e. KVM's GIF=0 handling shouldn't be
modified without a *really* good reason to do so, and if KVM's behavior
were to be modified, it should be done irrespective of vNMI support.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39483

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39484
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mmc: davinci: Don't strip remove function when driver is builtin

Using __exit for the remove function results in the remove callback being
discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.
using sysfs or hotplug), the driver is just removed without the cleanup
being performed. This results in resource leaks. Fix it by compiling in the
remove callback unconditionally.

This also fixes a W=1 modpost warning:

WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in
reference: davinci_mmcsd_driver+0x10 (section: .data) ->
davinci_mmcsd_remove (section: .exit.text)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39484

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39485
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: v4l: async: Properly re-initialise notifier entry in unregister

The notifier_entry of a notifier is not re-initialised after unregistering
the notifier. This leads to dangling pointers being left there so use
list_del_init() to return the notifier_entry an empty list.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39485

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39486
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/drm_file: Fix pid refcounting race

<maarten.lankhorst@linux.intel.com>, Maxime Ripard
<mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>

filp->pid is supposed to be a refcounted pointer; however, before this
patch, drm_file_update_pid() only increments the refcount of a struct
pid after storing a pointer to it in filp->pid and dropping the
dev->filelist_mutex, making the following race possible:

process A               process B
=========               =========
                        begin drm_file_update_pid
                        mutex_lock(&dev->filelist_mutex)
                        rcu_replace_pointer(filp->pid, <pid B>, 1)
                        mutex_unlock(&dev->filelist_mutex)
begin drm_file_update_pid
mutex_lock(&dev->filelist_mutex)
rcu_replace_pointer(filp->pid, <pid A>, 1)
mutex_unlock(&dev->filelist_mutex)
get_pid(<pid A>)
synchronize_rcu()
put_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***
                        get_pid(<pid B>)   *** UAF ***
                        synchronize_rcu()
                        put_pid(<pid A>)

As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y
because it requires RCU to detect a quiescent state in code that is not
explicitly calling into the scheduler.

This race leads to use-after-free of a "struct pid".
It is probably somewhat hard to hit because process A has to pass
through a synchronize_rcu() operation while process B is between
mutex_unlock() and get_pid().

Fix it by ensuring that by the time a pointer to the current task's pid
is stored in the file, an extra reference to the pid has been taken.

This fix also removes the condition for synchronize_rcu(); I think
that optimization is unnecessary complexity, since in that case we
would usually have bailed out on the lockless check above.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39486

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39487
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

In function bond_option_arp_ip_targets_set(), if newval->string is an
empty string, newval->string+1 will point to the byte after the
string, causing an out-of-bound read.

BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc1/0x5e0 mm/kasan/report.c:475
 kasan_report+0xbe/0xf0 mm/kasan/report.c:588
 strlen+0x7d/0xa0 lib/string.c:418
 __fortify_strlen include/linux/fortify-string.h:210 [inline]
 in4_pton+0xa3/0x3f0 net/core/utils.c:130
 bond_option_arp_ip_targets_set+0xc2/0x910
drivers/net/bonding/bond_options.c:1201
 __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
 __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
 bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
 bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
 dev_attr_store+0x54/0x80 drivers/base/core.c:2366
 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
 kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
 call_write_iter include/linux/fs.h:2020 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x96a/0xd80 fs/read_write.c:584
 ksys_write+0x122/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
---[ end trace ]---

Fix it by adding a check of string length before using it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39487

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39489
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: sr: fix memleak in seg6_hmac_init_algo

seg6_hmac_init_algo returns without cleaning up the previous allocations
if one fails, so it's going to leak all that memory and the crypto tfms.

Update seg6_hmac_exit to only free the memory when allocated, so we can
reuse the code directly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39489

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39493
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

Using completion_done to determine whether the caller has gone
away only works after a complete call.  Furthermore it's still
possible that the caller has not yet called wait_for_completion,
resulting in another potential UAF.

Fix this by making the caller use cancel_work_sync and then freeing
the memory safely.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39493

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39494
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ima: Fix use-after-free on a dentry's dname.name

->d_name.name can change on rename and the earlier value can be freed;
there are conditions sufficient to stabilize it (->d_lock on dentry,
->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,
rename_lock), but none of those are met at any of the sites. Take a stable
snapshot of the name instead.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39494

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39495
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

In gb_interface_create, &intf->mode_switch_completion is bound with
gb_interface_mode_switch_work. Then it will be started by
gb_interface_request_mode_switch. Here is the relevant code.
if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
	...
}

If we call gb_interface_release to make cleanup, there may be an
unfinished work. This function will call kfree to free the object
"intf". However, if gb_interface_mode_switch_work is scheduled to
run after kfree, it may cause use-after-free error as
gb_interface_mode_switch_work will use the object "intf".
The possible execution flow that may lead to the issue is as follows:

CPU0                            CPU1

                            |   gb_interface_create
                            |   gb_interface_request_mode_switch
gb_interface_release        |
kfree(intf) (free)          |
                            |   gb_interface_mode_switch_work
                            |   mutex_lock(&intf->mutex) (use)

Fix it by canceling the work before kfree.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39495

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39496
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: fix use-after-free due to race with dev replace

While loading a zone's info during creation of a block group, we can race
with a device replace operation and then trigger a use-after-free on the
device that was just replaced (source device of the replace operation).

This happens because at btrfs_load_zone_info() we extract a device from
the chunk map into a local variable and then use the device while not
under the protection of the device replace rwsem. So if there's a device
replace operation happening when we extract the device and that device
is the source of the replace operation, we will trigger a use-after-free
if before we finish using the device the replace operation finishes and
frees the device.

Fix this by enlarging the critical section under the protection of the
device replace rwsem so that all uses of the device are done inside the
critical section.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39496

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39498
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2

[Why]
Commit:
- commit 5aa1dfcdf0a4 ("drm/mst: Refactor the flow for payload allocation/removement")
accidently overwrite the commit
- commit 54d217406afe ("drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2")
which cause regression.

[How]
Recover the original NULL fix and remove the unnecessary input parameter 'state' for
drm_dp_add_payload_part2().

(cherry picked from commit 4545614c1d8da603e57b60dd66224d81b6ffc305)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39498

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39504
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_inner: validate mandatory meta and payload

Check for mandatory netlink attributes in payload and meta expression
when used embedded from the inner expression, otherwise NULL pointer
dereference is possible from userspace.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39504

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39506
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,
but then it is unconditionally passed to skb_add_rx_frag() which looks
strange and could lead to null pointer dereference.

lio_vf_rep_copy_packet() call trace looks like:
	octeon_droq_process_packets
	 octeon_droq_fast_process_packets
	  octeon_droq_dispatch_pkt
	   octeon_create_recv_info
	    ...search in the dispatch_list...
	     ->disp_fn(rdisp->rinfo, ...)
	      lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)
In this path there is no code which sets pg_info->page to NULL.
So this check looks unneeded and doesn't solve potential problem.
But I guess the author had reason to add a check and I have no such card
and can't do real test.
In addition, the code in the function liquidio_push_packet() in
liquidio/lio_core.c does exactly the same.

Based on this, I consider the most acceptable compromise solution to
adjust this issue by moving skb_add_rx_frag() into conditional scope.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39506

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-39510
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()

We got the following issue in a fuzz test of randomly issuing the restore
command:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60
Read of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963

CPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564
Call Trace:
 kasan_report+0x93/0xc0
 cachefiles_ondemand_daemon_read+0xb41/0xb60
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 116:
 kmem_cache_alloc+0x140/0x3a0
 cachefiles_lookup_cookie+0x140/0xcd0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 792:
 kmem_cache_free+0xfe/0x390
 cachefiles_put_object+0x241/0x480
 fscache_cookie_state_machine+0x5c8/0x1230
 [...]
==================================================================

Following is the process that triggers the issue:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
cachefiles_withdraw_cookie
 cachefiles_ondemand_clean_object(object)
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              msg->object_id = req->object->ondemand->ondemand_id
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW)

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req
              copy_to_user(_buffer, msg, n)
               xa_erase(&cache->reqs, id)
               complete(&REQ_A->done)
              ------ close(fd) ------
              cachefiles_ondemand_fd_release
               cachefiles_put_object
 cachefiles_put_object
  kmem_cache_free(cachefiles_object_jar, object)
                                    REQ_A->object->ondemand->ondemand_id
                                     // object UAF !!!

When we see the request within xa_lock, req->object must not have been
freed yet, so grab the reference count of object before xa_unlock to
avoid the above issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39510

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40899
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()

We got the following issue in a fuzz test of randomly issuing the restore
command:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0
Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962

CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542
Call Trace:
 kasan_report+0x94/0xc0
 cachefiles_ondemand_daemon_read+0x609/0xab0
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 626:
 __kmalloc+0x1df/0x4b0
 cachefiles_ondemand_send_req+0x24d/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 626:
 kfree+0xf1/0x2c0
 cachefiles_ondemand_send_req+0x568/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]
==================================================================

Following is the process that triggers the issue:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              cachefiles_ondemand_get_fd
              copy_to_user(_buffer, msg, n)
            process_open_req(REQ_A)
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW);

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req

             write(devfd, ("copen %u,%llu", msg->msg_id, size));
             cachefiles_ondemand_copen
              xa_erase(&cache->reqs, id)
              complete(&REQ_A->done)
   kfree(REQ_A)
                                    cachefiles_ondemand_get_fd(REQ_A)
                                     fd = get_unused_fd_flags
                                     file = anon_inode_getfile
                                     fd_install(fd, file)
                                     load = (void *)REQ_A->msg.data;
                                     load->fd = fd;
                                     // load UAF !!!

This issue is caused by issuing a restore command when the daemon is still
alive, which results in a request being processed multiple times thus
triggering a UAF. So to avoid this problem, add an additional reference
count to cachefiles_req, which is held while waiting and reading, and then
released when the waiting and reading is over.

Note that since there is only one reference count for waiting, we need to
avoid the same request being completed multiple times, so we can only
complete the request if it is successfully removed from the xarray.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40899

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40902
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

jfs: xattr: fix buffer overflow for invalid xattr

When an xattr size is not what is expected, it is printed out to the
kernel log in hex format as a form of debugging.  But when that xattr
size is bigger than the expected size, printing it out can cause an
access off the end of the buffer.

Fix this all up by properly restricting the size of the debug hex dump
in the kernel log.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40902

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40903
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps

There could be a potential use-after-free case in
tcpm_register_source_caps(). This could happen when:
 * new (say invalid) source caps are advertised
 * the existing source caps are unregistered
 * tcpm_register_source_caps() returns with an error as
   usb_power_delivery_register_capabilities() fails

This causes port->partner_source_caps to hold on to the now freed source
caps.

Reset port->partner_source_caps value to NULL after unregistering
existing source caps.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40903

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40904
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

The syzbot fuzzer found that the interrupt-URB completion callback in
the cdc-wdm driver was taking too long, and the driver's immediate
resubmission of interrupt URBs with -EPROTO status combined with the
dummy-hcd emulation to cause a CPU lockup:

cdc_wdm 1-1:1.0: nonzero urb status received: -71
cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
CPU#0 Utilization every 4s during lockup:
	#1:  98% system,	  0% softirq,	  3% hardirq,	  0% idle
	#2:  98% system,	  0% softirq,	  3% hardirq,	  0% idle
	#3:  98% system,	  0% softirq,	  3% hardirq,	  0% idle
	#4:  98% system,	  0% softirq,	  3% hardirq,	  0% idle
	#5:  98% system,	  1% softirq,	  3% hardirq,	  0% idle
Modules linked in:
irq event stamp: 73096
hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]
hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last  enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last  enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588
CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G        W          6.10.0-rc2-syzkaller-g8867bbd4a056 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024

Testing showed that the problem did not occur if the two error
messages -- the first two lines above -- were removed; apparently adding
material to the kernel log takes a surprisingly large amount of time.

In any case, the best approach for preventing these lockups and to
avoid spamming the log with thousands of error messages per second is
to ratelimit the two dev_err() calls.  Therefore we replace them with
dev_err_ratelimited().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40905
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix possible race in __fib6_drop_pcpu_from()

syzbot found a race in __fib6_drop_pcpu_from() [1]

If compiler reads more than once (*ppcpu_rt),
second read could read NULL, if another cpu clears
the value in rt6_get_pcpu_route().

Add a READ_ONCE() to prevent this race.

Also add rcu_read_lock()/rcu_read_unlock() because
we rely on RCU protection while dereferencing pcpu_rt.

[1]

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: netns cleanup_net
 RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984
Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48
RSP: 0018:ffffc900040df070 EFLAGS: 00010206
RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16
RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8
R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]
  fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]
  fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038
  fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]
  fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043
  fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205
  fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127
  fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175
  fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255
  __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271
  rt6_sync_down_dev net/ipv6/route.c:4906 [inline]
  rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911
  addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855
  addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778
  notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
  call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992
  call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
  call_netdevice_notifiers net/core/dev.c:2044 [inline]
  dev_close_many+0x333/0x6a0 net/core/dev.c:1585
  unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193
  unregister_netdevice_many net/core/dev.c:11276 [inline]
  default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759
  ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
  cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
  process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
  process_scheduled_works kernel/workqueue.c:3312 [inline]
  worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
  kthread+0x2c1/0x3a0 kernel/kthread.c:389
  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40905

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40906
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Always stop health timer during driver removal

Currently, if teardown_hca fails to execute during driver removal, mlx5
does not stop the health timer. Afterwards, mlx5 continue with driver
teardown. This may lead to a UAF bug, which results in page fault
Oops[1], since the health timer invokes after resources were freed.

Hence, stop the health monitor even if teardown_hca fails.

[1]
mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: cleanup
mlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource
mlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup
BUG: unable to handle page fault for address: ffffa26487064230
PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           OE     -------  ---  6.7.0-68.fc38.x86_64 #1
Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020
RIP: 0010:ioread32be+0x34/0x60
RSP: 0018:ffffa26480003e58 EFLAGS: 00010292
RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0
RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230
RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8
R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0
R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0
FS:  0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <IRQ>
 ? __die+0x23/0x70
 ? page_fault_oops+0x171/0x4e0
 ? exc_page_fault+0x175/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 ? ioread32be+0x34/0x60
 mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 poll_health+0x42/0x230 [mlx5_core]
 ? __next_timer_interrupt+0xbc/0x110
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 call_timer_fn+0x21/0x130
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 __run_timers+0x222/0x2c0
 run_timer_softirq+0x1d/0x40
 __do_softirq+0xc9/0x2c8
 __irq_exit_rcu+0xa6/0xc0
 sysvec_apic_timer_interrupt+0x72/0x90
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:cpuidle_enter_state+0xcc/0x440
 ? cpuidle_enter_state+0xbd/0x440
 cpuidle_enter+0x2d/0x40
 do_idle+0x20d/0x270
 cpu_startup_entry+0x2a/0x30
 rest_init+0xd0/0xd0
 arch_call_rest_init+0xe/0x30
 start_kernel+0x709/0xa90
 x86_64_start_reservations+0x18/0x30
 x86_64_start_kernel+0x96/0xa0
 secondary_startup_64_no_verify+0x18f/0x19b
---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40906

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40907
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ionic: fix kernel panic in XDP_TX action

In the XDP_TX path, ionic driver sends a packet to the TX path with rx
page and corresponding dma address.
After tx is done, ionic_tx_clean() frees that page.
But RX ring buffer isn't reset to NULL.
So, it uses a freed page, which causes kernel panic.

BUG: unable to handle page fault for address: ffff8881576c110c
PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060
Oops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
CPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11
Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
RIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
Code: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8
RSP: 0018:ffff888104e6fa28 EFLAGS: 00010283
RAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002
RDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e
RBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8
R13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100
FS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x20/0x70
? page_fault_oops+0x254/0x790
? __pfx_page_fault_oops+0x10/0x10
? __pfx_is_prefetch.constprop.0+0x10/0x10
? search_bpf_extables+0x165/0x260
? fixup_exception+0x4a/0x970
? exc_page_fault+0xcb/0xe0
? asm_exc_page_fault+0x22/0x30
? 0xffffffffc0051f64
? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
? do_raw_spin_unlock+0x54/0x220
ionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
ionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
ionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
__napi_poll.constprop.0+0xa0/0x440
net_rx_action+0x7e7/0xc30
? __pfx_net_rx_action+0x10/0x10
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40907

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40909
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a potential use-after-free in bpf_link_free()

After commit 1a80dbcb2dba, bpf_link can be freed by
link->ops->dealloc_deferred, but the code still tests and uses
link->ops->dealloc afterward, which leads to a use-after-free as
reported by syzbot. Actually, one of them should be sufficient, so
just call one of them instead of both. Also add a WARN_ON() in case
of any problematic implementation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40910
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix refcount imbalance on inbound connections

When releasing a socket in ax25_release(), we call netdev_put() to
decrease the refcount on the associated ax.25 device. However, the
execution path for accepting an incoming connection never calls
netdev_hold(). This imbalance leads to refcount errors, and ultimately
to kernel crashes.

A typical call trace for the above situation will start with one of the
following errors:

    refcount_t: decrement hit 0; leaking memory.
    refcount_t: underflow; use-after-free.

And will then have a trace like:

    Call Trace:
    <TASK>
    ? show_regs+0x64/0x70
    ? __warn+0x83/0x120
    ? refcount_warn_saturate+0xb2/0x100
    ? report_bug+0x158/0x190
    ? prb_read_valid+0x20/0x30
    ? handle_bug+0x3e/0x70
    ? exc_invalid_op+0x1c/0x70
    ? asm_exc_invalid_op+0x1f/0x30
    ? refcount_warn_saturate+0xb2/0x100
    ? refcount_warn_saturate+0xb2/0x100
    ax25_release+0x2ad/0x360
    __sock_release+0x35/0xa0
    sock_close+0x19/0x20
    [...]

On reboot (or any attempt to remove the interface), the kernel gets
stuck in an infinite loop:

    unregister_netdevice: waiting for ax0 to become free. Usage count = 0

This patch corrects these issues by ensuring that we call netdev_hold()
and ax25_dev_hold() for new connections in ax25_accept(). This makes the
logic leading to ax25_accept() match the logic for ax25_bind(): in both
cases we increment the refcount, which is ultimately decremented in
ax25_release().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40911
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: Lock wiphy in cfg80211_get_station

Wiphy should be locked before calling rdev_get_station() (see lockdep
assert in ieee80211_get_station()).

This fixes the following kernel NULL dereference:

 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
 Mem abort info:
   ESR = 0x0000000096000006
   EC = 0x25: DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
   FSC = 0x06: level 2 translation fault
 Data abort info:
   ISV = 0, ISS = 0x00000006
   CM = 0, WnR = 0
 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000
 [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000
 Internal error: Oops: 0000000096000006 [#1] SMP
 Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath
 CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705
 Hardware name: RPT (r1) (DT)
 Workqueue: bat_events batadv_v_elp_throughput_metric_update
 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
 lr : sta_set_sinfo+0xcc/0xbd4
 sp : ffff000007b43ad0
 x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98
 x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000
 x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc
 x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000
 x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d
 x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e
 x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000
 x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000
 x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90
 x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000
 Call trace:
  ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
  sta_set_sinfo+0xcc/0xbd4
  ieee80211_get_station+0x2c/0x44
  cfg80211_get_station+0x80/0x154
  batadv_v_elp_get_throughput+0x138/0x1fc
  batadv_v_elp_throughput_metric_update+0x1c/0xa4
  process_one_work+0x1ec/0x414
  worker_thread+0x70/0x46c
  kthread+0xdc/0xe0
  ret_from_fork+0x10/0x20
 Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)

This happens because STA has time to disconnect and reconnect before
batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In
this situation, ath10k_sta_state() can be in the middle of resetting
arsta data when the work queue get chance to be scheduled and ends up
accessing it. Locking wiphy prevents that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40912
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from
softirq context. However using only spin_lock() to get sta->ps_lock in
ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
take this same lock ending in deadlock. Below is an example of rcu stall
that arises in such situation.

 rcu: INFO: rcu_sched self-detected stall on CPU
 rcu:    2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
 rcu:    (t=42586894 jiffies g=2057 q=362405 ncpus=4)
 CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G        W          6.4.0-02158-g1b062f552873 #742
 Hardware name: RPT (r1) (DT)
 pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : queued_spin_lock_slowpath+0x58/0x2d0
 lr : invoke_tx_handlers_early+0x5b4/0x5c0
 sp : ffff00001ef64660
 x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
 x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
 x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
 x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
 x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
 x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
 x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
 x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
 x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
 x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
 Call trace:
  queued_spin_lock_slowpath+0x58/0x2d0
  ieee80211_tx+0x80/0x12c
  ieee80211_tx_pending+0x110/0x278
  tasklet_action_common.constprop.0+0x10c/0x144
  tasklet_action+0x20/0x28
  _stext+0x11c/0x284
  ____do_softirq+0xc/0x14
  call_on_irq_stack+0x24/0x34
  do_softirq_own_stack+0x18/0x20
  do_softirq+0x74/0x7c
  __local_bh_enable_ip+0xa0/0xa4
  _ieee80211_wake_txqs+0x3b0/0x4b8
  __ieee80211_wake_queue+0x12c/0x168
  ieee80211_add_pending_skbs+0xec/0x138
  ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
  ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
  ieee80211_mps_sta_status_update+0x18/0x24
  sta_apply_parameters+0x3bc/0x4c0
  ieee80211_change_station+0x1b8/0x2dc
  nl80211_set_station+0x444/0x49c
  genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
  genl_rcv_msg+0x1b0/0x244
  netlink_rcv_skb+0x38/0x10c
  genl_rcv+0x34/0x48
  netlink_unicast+0x254/0x2bc
  netlink_sendmsg+0x190/0x3b4
  ____sys_sendmsg+0x1e8/0x218
  ___sys_sendmsg+0x68/0x8c
  __sys_sendmsg+0x44/0x84
  __arm64_sys_sendmsg+0x20/0x28
  do_el0_svc+0x6c/0xe8
  el0_svc+0x14/0x48
  el0t_64_sync_handler+0xb0/0xb4
  el0t_64_sync+0x14c/0x150

Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
on the same CPU that is holding the lock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40932
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/exynos/vidi: fix memory leak in .get_modes()

The duplicated EDID is never freed. Fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40934
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()

Fix a memory leak on logi_dj_recv_send_report() error path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40951
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()

bdev->bd_super has been removed and commit 8887b94d9322 change the usage
from bdev->bd_super to b_assoc_map->host->i_sb.  Since ocfs2 hasn't set
bh->b_assoc_map, it will trigger NULL pointer dereference when calling
into ocfs2_abort_trigger().

Actually this was pointed out in history, see commit 74e364ad1b13.  But
I've made a mistake when reviewing commit 8887b94d9322 and then
re-introduce this regression.

Since we cannot revive bdev in buffer head, so fix this issue by
initializing all types of ocfs2 triggers when fill super, and then get the
specific ocfs2 trigger from ocfs2_caching_info when access journal.

[joseph.qi@linux.alibaba.com: v2]
  Link: https://lkml.kernel.org/r/20240602112045.1112708-1-joseph.qi@linux.alibaba.com
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40952
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()

bdev->bd_super has been removed and commit 8887b94d9322 change the usage
from bdev->bd_super to b_assoc_map->host->i_sb.  This introduces the
following NULL pointer dereference in ocfs2_journal_dirty() since
b_assoc_map is still not initialized.  This can be easily reproduced by
running xfstests generic/186, which simulate no more credits.

[  134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000
...
[  134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]
...
[  134.365071] Call Trace:
[  134.365312]  <TASK>
[  134.365524]  ? __die_body+0x1e/0x60
[  134.365868]  ? page_fault_oops+0x13d/0x4f0
[  134.366265]  ? __pfx_bit_wait_io+0x10/0x10
[  134.366659]  ? schedule+0x27/0xb0
[  134.366981]  ? exc_page_fault+0x6a/0x140
[  134.367356]  ? asm_exc_page_fault+0x26/0x30
[  134.367762]  ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]
[  134.368305]  ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]
[  134.368837]  ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]
[  134.369454]  ocfs2_grow_tree+0x688/0x8a0 [ocfs2]
[  134.369927]  ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]
[  134.370521]  ocfs2_split_extent+0x314/0x4d0 [ocfs2]
[  134.371019]  ocfs2_change_extent_flag+0x174/0x410 [ocfs2]
[  134.371566]  ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]
[  134.372117]  ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]
[  134.372994]  ? inode_update_timestamps+0x4a/0x120
[  134.373692]  ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]
[  134.374545]  ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]
[  134.375393]  ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]
[  134.376197]  ocfs2_remap_file_range+0x1de/0x390 [ocfs2]
[  134.376971]  ? security_file_permission+0x29/0x50
[  134.377644]  vfs_clone_file_range+0xfe/0x320
[  134.378268]  ioctl_file_clone+0x45/0xa0
[  134.378853]  do_vfs_ioctl+0x457/0x990
[  134.379422]  __x64_sys_ioctl+0x6e/0xd0
[  134.379987]  do_syscall_64+0x5d/0x170
[  134.380550]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  134.381231] RIP: 0033:0x7fa4926397cb
[  134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48
[  134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb
[  134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003
[  134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000
[  134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000
[  134.389207]  </TASK>

Fix it by only aborting transaction and journal in ocfs2_journal_dirty()
now, and leave ocfs2_abort() later when detecting an aborted handle,
e.g. start next transaction. Also log the handle details in this case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40952

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40954
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: do not leave a dangling sk pointer, when socket creation fails

It is possible to trigger a use-after-free by:
  * attaching an fentry probe to __sock_release() and the probe calling the
    bpf_get_socket_cookie() helper
  * running traceroute -I 1.1.1.1 on a freshly booted VM

A KASAN enabled kernel will log something like below (decoded and stripped):
==================================================================
BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
Read of size 8 at addr ffff888007110dd8 by task traceroute/299

CPU: 2 PID: 299 Comm: traceroute Tainted: G            E      6.10.0-rc2+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
kasan_report (mm/kasan/report.c:603)
? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)
bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e
bpf_trampoline_6442506592+0x47/0xaf
__sock_release (net/socket.c:652)
__sock_create (net/socket.c:1601)
...
Allocated by task 299 on cpu 2 at 78.328492s:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:68)
__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)
kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)
sk_prot_alloc (net/core/sock.c:2075)
sk_alloc (net/core/sock.c:2134)
inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)
__sock_create (net/socket.c:1572)
__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
__x64_sys_socket (net/socket.c:1718)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Freed by task 299 on cpu 2 at 78.328502s:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:68)
kasan_save_free_info (mm/kasan/generic.c:582)
poison_slab_object (mm/kasan/common.c:242)
__kasan_slab_free (mm/kasan/common.c:256)
kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)
__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)
inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)
__sock_create (net/socket.c:1572)
__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
__x64_sys_socket (net/socket.c:1718)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Fix this by clearing the struct socket reference in sk_common_release() to cover
all protocol families create functions, which may already attached the
reference to the sk object with sock_init_data().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40954

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40955
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()

We can trigger a slab-out-of-bounds with the following commands:

    mkfs.ext4 -F /dev/$disk 10G
    mount /dev/$disk /tmp/test
    echo 2147483647 > /sys/fs/ext4/$disk/mb_group_prealloc
    echo test > /tmp/test/file && sync

==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
Read of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11
CPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521
Call Trace:
 dump_stack_lvl+0x2c/0x50
 kasan_report+0xb6/0xf0
 ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
 ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]
 ext4_mb_new_blocks+0x88a/0x1370 [ext4]
 ext4_ext_map_blocks+0x14f7/0x2390 [ext4]
 ext4_map_blocks+0x569/0xea0 [ext4]
 ext4_do_writepages+0x10f6/0x1bc0 [ext4]
[...]
==================================================================

The flow of issue triggering is as follows:

// Set s_mb_group_prealloc to 2147483647 via sysfs
ext4_mb_new_blocks
  ext4_mb_normalize_request
    ext4_mb_normalize_group_request
      ac->ac_g_ex.fe_len = EXT4_SB(sb)->s_mb_group_prealloc
  ext4_mb_regular_allocator
    ext4_mb_choose_next_group
      ext4_mb_choose_next_group_best_avail
        mb_avg_fragment_size_order
          order = fls(len) - 2 = 29
        ext4_mb_find_good_group_avg_frag_lists
          frag_list = &sbi->s_mb_avg_fragment_size[order]
          if (list_empty(frag_list)) // Trigger SOOB!

At 4k block size, the length of the s_mb_avg_fragment_size list is 14,
but an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds
to be triggered by an attempt to access an element at index 29.

Add a new attr_id attr_clusters_in_group with values in the range
[0, sbi->s_clusters_per_group] and declare mb_group_prealloc as
that type to fix the issue. In addition avoid returning an order
from mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb)
and reduce some useless loops.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40955

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40956
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list

Use list_for_each_entry_safe() to allow iterating through the list and
deleting the entry in the iteration process. The descriptor is freed via
idxd_desc_complete() and there's a slight chance may cause issue for
the list iterator when the descriptor is reused by another thread
without it being deleted from the list.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40956

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40957
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors

input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for
PREROUTING hook, in PREROUTING hook, we should passing a valid indev,
and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer
dereference, as below:

    [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090
    [74830.655633] #PF: supervisor read access in kernel mode
    [74830.657888] #PF: error_code(0x0000) - not-present page
    [74830.659500] PGD 0 P4D 0
    [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI
    ...
    [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
    [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]
    ...
    [74830.689725] Call Trace:
    [74830.690402]  <IRQ>
    [74830.690953]  ? show_trace_log_lvl+0x1c4/0x2df
    [74830.692020]  ? show_trace_log_lvl+0x1c4/0x2df
    [74830.693095]  ? ipt_do_table+0x286/0x710 [ip_tables]
    [74830.694275]  ? __die_body.cold+0x8/0xd
    [74830.695205]  ? page_fault_oops+0xac/0x140
    [74830.696244]  ? exc_page_fault+0x62/0x150
    [74830.697225]  ? asm_exc_page_fault+0x22/0x30
    [74830.698344]  ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]
    [74830.699540]  ipt_do_table+0x286/0x710 [ip_tables]
    [74830.700758]  ? ip6_route_input+0x19d/0x240
    [74830.701752]  nf_hook_slow+0x3f/0xb0
    [74830.702678]  input_action_end_dx4+0x19b/0x1e0
    [74830.703735]  ? input_action_end_t+0xe0/0xe0
    [74830.704734]  seg6_local_input_core+0x2d/0x60
    [74830.705782]  lwtunnel_input+0x5b/0xb0
    [74830.706690]  __netif_receive_skb_one_core+0x63/0xa0
    [74830.707825]  process_backlog+0x99/0x140
    [74830.709538]  __napi_poll+0x2c/0x160
    [74830.710673]  net_rx_action+0x296/0x350
    [74830.711860]  __do_softirq+0xcb/0x2ac
    [74830.713049]  do_softirq+0x63/0x90

input_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally
trigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():

    static bool
    rpfilter_is_loopback(const struct sk_buff *skb,
          	       const struct net_device *in)
    {
            // in is NULL
            return skb->pkt_type == PACKET_LOOPBACK ||
          	 in->flags & IFF_LOOPBACK;
    }
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40957

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40958
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netns: Make get_net_ns() handle zero refcount net

Syzkaller hit a warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
Modules linked in:
CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
FS:  00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? show_regs+0xa3/0xc0
 ? __warn+0xa5/0x1c0
 ? refcount_warn_saturate+0xdf/0x1d0
 ? report_bug+0x1fc/0x2d0
 ? refcount_warn_saturate+0xdf/0x1d0
 ? handle_bug+0xa1/0x110
 ? exc_invalid_op+0x3c/0xb0
 ? asm_exc_invalid_op+0x1f/0x30
 ? __warn_printk+0xcc/0x140
 ? __warn_printk+0xd5/0x140
 ? refcount_warn_saturate+0xdf/0x1d0
 get_net_ns+0xa4/0xc0
 ? __pfx_get_net_ns+0x10/0x10
 open_related_ns+0x5a/0x130
 __tun_chr_ioctl+0x1616/0x2370
 ? __sanitizer_cov_trace_switch+0x58/0xa0
 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
 ? __pfx_tun_chr_ioctl+0x10/0x10
 tun_chr_ioctl+0x2f/0x40
 __x64_sys_ioctl+0x11b/0x160
 x64_sys_call+0x1211/0x20d0
 do_syscall_64+0x9e/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b28f165d7
Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...

This is trigger as below:
          ns0                                    ns1
tun_set_iff() //dev is tun0
   tun->dev = dev
//ip link set tun0 netns ns1
                                       put_net() //ref is 0
__tun_chr_ioctl() //TUNGETDEVNETNS
   net = dev_net(tun->dev);
   open_related_ns(&net->ns, get_net_ns); //ns1
     get_net_ns()
        get_net() //addition on 0

Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40958

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40959
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.

syzbot reported:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
 RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00
RSP: 0018:ffffc90000117378 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7
RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98
RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000
R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
  xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
  xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541
  xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835
  xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
  xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201
  xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
  xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309
  ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256
  send6+0x611/0xd20 drivers/net/wireguard/socket.c:139
  wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178
  wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200
  wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
  wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
  process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
  process_scheduled_works kernel/workqueue.c:3312 [inline]
  worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
  kthread+0x2c1/0x3a0 kernel/kthread.c:389
  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40959

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40960
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent possible NULL dereference in rt6_probe()

syzbot caught a NULL dereference in rt6_probe() [1]

Bail out if  __in6_dev_get() returns NULL.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
 RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
 RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
RSP: 0018:ffffc900034af070 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
FS:  00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
  nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
  __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
  find_rr_leaf net/ipv6/route.c:853 [inline]
  rt6_select net/ipv6/route.c:897 [inline]
  fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
  ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
  pol_lookup_func include/net/ip6_fib.h:616 [inline]
  fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
  ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
  ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
  ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
  ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
  rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
  inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
  new_sync_write fs/read_write.c:497 [inline]
  vfs_write+0x6b6/0x1140 fs/read_write.c:590
  ksys_write+0x1f8/0x260 fs/read_write.c:643
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40960

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40961
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent possible NULL deref in fib6_nh_init()

syzbot reminds us that in6_dev_get() can return NULL.

fib6_nh_init()
    ip6_validate_gw(  &idev  )
        ip6_route_check_nh(  idev  )
            *idev = in6_dev_get(dev); // can be NULL

Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
 RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606
Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b
RSP: 0018:ffffc900032775a0 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8
RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000
R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8
R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000
FS:  00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809
  ip6_route_add+0x28/0x160 net/ipv6/route.c:3853
  ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483
  inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579
  sock_do_ioctl+0x158/0x460 net/socket.c:1222
  sock_ioctl+0x629/0x8e0 net/socket.c:1341
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:907 [inline]
  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f940f07cea9
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40961

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40964
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind()

The cs35l41_hda_unbind() function clears the hda_component entry
matching it's index and then dereferences the codec pointer held in the
first element of the hda_component array, this is an issue when the
device index was 0.

Instead use the codec pointer stashed in the cs35l41_hda structure as it
will still be valid.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40964

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40965
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i2c: lpi2c: Avoid calling clk_get_rate during transfer

Instead of repeatedly calling clk_get_rate for each transfer, lock
the clock rate and cache the value.
A deadlock has been observed while adding tlv320aic32x4 audio codec to
the system. When this clock provider adds its clock, the clk mutex is
locked already, it needs to access i2c, which in return needs the mutex
for clk_get_rate as well.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40965

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40967
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: imx: Introduce timeout when waiting on transmitter empty

By waiting at most 1 second for USR2_TXDC to be set, we avoid a potential
deadlock.

In case of the timeout, there is not much we can do, so we simply ignore
the transmitter state and optimistically try to continue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40967

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40969
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: don't set RO when shutting down f2fs

Shutdown does not check the error of thaw_super due to readonly, which
causes a deadlock like below.

f2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC)        issue_discard_thread
 - bdev_freeze
  - freeze_super
 - f2fs_stop_checkpoint()
  - f2fs_handle_critical_error                     - sb_start_write
    - set RO                                         - waiting
 - bdev_thaw
  - thaw_super_locked
    - return -EINVAL, if sb_rdonly()
 - f2fs_stop_discard_thread
  -> wait for kthread_stop(discard_thread);
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40969

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40970
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Avoid hw_desc array overrun in dw-axi-dmac

I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3
segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()
handles the hw_desc considering the descs_allocated, this scenario would result in a
kernel panic (hw_desc array will be overrun).

To fix this, the proposal is to add a new member to the axi_dma_desc structure,
where we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in
axi_desc_put() to handle the hw_desc array correctly.

Additionally I propose to remove the axi_chan_start_first_queued() call after completing
the transfer, since it was identified that unbalance can occur (started descriptors can
be interrupted and transfer ignored due to DMA channel not being enabled).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40970

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40973
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: mtk-vcodec: potential null pointer deference in SCP

The return value of devm_kzalloc() needs to be checked to avoid
NULL pointer deference. This is similar to CVE-2022-3113.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40973

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40977
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921s: fix potential hung tasks during chip recovery

During chip recovery (e.g. chip reset), there is a possible situation that
kernel worker reset_work is holding the lock and waiting for kernel thread
stat_worker to be parked, while stat_worker is waiting for the release of
the same lock.
It causes a deadlock resulting in the dumping of hung tasks messages and
possible rebooting of the device.

This patch prevents the execution of stat_worker during the chip recovery.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40977

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40980
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drop_monitor: replace spin_lock by raw_spin_lock

trace_drop_common() is called with preemption disabled, and it acquires
a spin_lock. This is problematic for RT kernels because spin_locks are
sleeping locks in this configuration, which causes the following splat:

BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47
preempt_count: 1, expected: 0
RCU nest depth: 2, expected: 2
5 locks held by rcuc/47/449:
 #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210
 #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130
 #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210
 #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70
 #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290
irq event stamp: 139909
hardirqs last  enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80
hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290
softirqs last  enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170
softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0
Preemption disabled at:
[<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0
CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7
Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022
Call Trace:
 <TASK>
 dump_stack_lvl+0x8c/0xd0
 dump_stack+0x14/0x20
 __might_resched+0x21e/0x2f0
 rt_spin_lock+0x5e/0x130
 ? trace_drop_common.constprop.0+0xb5/0x290
 ? skb_queue_purge_reason.part.0+0x1bf/0x230
 trace_drop_common.constprop.0+0xb5/0x290
 ? preempt_count_sub+0x1c/0xd0
 ? _raw_spin_unlock_irqrestore+0x4a/0x80
 ? __pfx_trace_drop_common.constprop.0+0x10/0x10
 ? rt_mutex_slowunlock+0x26a/0x2e0
 ? skb_queue_purge_reason.part.0+0x1bf/0x230
 ? __pfx_rt_mutex_slowunlock+0x10/0x10
 ? skb_queue_purge_reason.part.0+0x1bf/0x230
 trace_kfree_skb_hit+0x15/0x20
 trace_kfree_skb+0xe9/0x150
 kfree_skb_reason+0x7b/0x110
 skb_queue_purge_reason.part.0+0x1bf/0x230
 ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10
 ? mark_lock.part.0+0x8a/0x520
...

trace_drop_common() also disables interrupts, but this is a minor issue
because we could easily replace it with a local_lock.

Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic
context.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40980

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40981
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bypass empty buckets in batadv_purge_orig_ref()

Many syzbot reports are pointing to soft lockups in
batadv_purge_orig_ref() [1]

Root cause is unknown, but we can avoid spending too much
time there and perhaps get more interesting reports.

[1]

watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]
Modules linked in:
irq event stamp: 6182794
 hardirqs last  enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
 hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
 hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
 softirqs last  enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
 softirqs last  enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
 softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline]
 softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271
CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: bat_events batadv_purge_orig
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]
 pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388
 lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
sp : ffff800099007970
x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000
x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001
x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4
x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0
x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001
x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003
x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000
Call trace:
  __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
  arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]
  __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386
  __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
  _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210
  spin_unlock_bh include/linux/spinlock.h:396 [inline]
  batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
  batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300
  process_one_work+0x694/0x1204 kernel/workqueue.c:2633
  process_scheduled_works kernel/workqueue.c:2706 [inline]
  worker_thread+0x938/0xef4 kernel/workqueue.c:2787
  kthread+0x288/0x310 kernel/kthread.c:388
  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51
 lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103
sp : ffff800093a17d30
x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4
x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002
x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000
x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396
x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40981

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40982
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ssb: Fix potential NULL pointer dereference in ssb_device_uevent()

The ssb_device_uevent() function first attempts to convert the 'dev' pointer
to 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before
performing the NULL check, potentially leading to a NULL pointer
dereference if 'dev' is NULL.

To fix this issue, move the NULL check before dereferencing the 'dev' pointer,
ensuring that the pointer is valid before attempting to use it.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40982

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40994
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ptp: fix integer overflow in max_vclocks_store

On 32bit systems, the "4 * max" multiply can overflow.  Use kcalloc()
to do the allocation to prevent this.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40994

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40995
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

syzbot found hanging tasks waiting on rtnl_lock [1]

A reproducer is available in the syzbot bug.

When a request to add multiple actions with the same index is sent, the
second request will block forever on the first request. This holds
rtnl_lock, and causes tasks to hang.

Return -EAGAIN to prevent infinite looping, while keeping documented
behavior.

[1]

INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000
Workqueue: events_power_efficient reg_check_chans_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5409 [inline]
__schedule+0xf15/0x5d00 kernel/sched/core.c:6746
__schedule_loop kernel/sched/core.c:6823 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6838
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
wiphy_lock include/net/cfg80211.h:5953 [inline]
reg_leave_invalid_chans net/wireless/reg.c:2466 [inline]
reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40996
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Avoid splat in pskb_pull_reason

syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug
hint in pskb_may_pull.

We'd like to retain this debug check because it might hint at integer
overflows and other issues (kernel code should pull headers, not huge
value).

In bpf case, this splat isn't interesting at all: such (nonsensical)
bpf programs are typically generated by a fuzzer anyway.

Do what Eric suggested and suppress such warning.

For CONFIG_DEBUG_NET=n we don't need the extra check because
pskb_may_pull will do the right thing: return an error without the
WARN() backtrace.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40996

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-40997
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cpufreq: amd-pstate: fix memory leak on CPU EPP exit

The cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is
not freed in the analogous exit function, so fix that.

[ rjw: Subject and changelog edits ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41000
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block/ioctl: prefer different overflow check

Running syzkaller with the newly reintroduced signed integer overflow
sanitizer shows this report:

[   62.982337] ------------[ cut here ]------------
[   62.985692] cgroup: Invalid name
[   62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46
[   62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1
[   62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'
[   62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1
[   62.999369] random: crng reseeded on system resumption
[   63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)
[   63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[   63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   63.000682] Call Trace:
[   63.000686]  <TASK>
[   63.000731]  dump_stack_lvl+0x93/0xd0
[   63.000919]  __get_user_pages+0x903/0xd30
[   63.001030]  __gup_longterm_locked+0x153e/0x1ba0
[   63.001041]  ? _raw_read_unlock_irqrestore+0x17/0x50
[   63.001072]  ? try_get_folio+0x29c/0x2d0
[   63.001083]  internal_get_user_pages_fast+0x1119/0x1530
[   63.001109]  iov_iter_extract_pages+0x23b/0x580
[   63.001206]  bio_iov_iter_get_pages+0x4de/0x1220
[   63.001235]  iomap_dio_bio_iter+0x9b6/0x1410
[   63.001297]  __iomap_dio_rw+0xab4/0x1810
[   63.001316]  iomap_dio_rw+0x45/0xa0
[   63.001328]  ext4_file_write_iter+0xdde/0x1390
[   63.001372]  vfs_write+0x599/0xbd0
[   63.001394]  ksys_write+0xc8/0x190
[   63.001403]  do_syscall_64+0xd4/0x1b0
[   63.001421]  ? arch_exit_to_user_mode_prepare+0x3a/0x60
[   63.001479]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   63.001535] RIP: 0033:0x7f7fd3ebf539
[   63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539
[   63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004
[   63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000
[   63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8
...
[   63.018142] ---[ end trace ]---

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang; It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
sanitizer").

Let's rework this overflow checking logic to not actually perform an
overflow during the check itself, thus avoiding the UBSAN splat.

[1]: https://github.com/llvm/llvm-project/pull/82432
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41000

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41001
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring/sqpoll: work around a potential audit memory leak

kmemleak complains that there's a memory leak related to connect
handling:

unreferenced object 0xffff0001093bdf00 (size 128):
comm "iou-sqp-455", pid 457, jiffies 4294894164
hex dump (first 32 bytes):
02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
backtrace (crc 2e481b1a):
[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38
[<000000009c30bb45>] kmalloc_trace+0x228/0x358
[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138
[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8
[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4
[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48
[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4
[<00000000d999b491>] ret_from_fork+0x10/0x20

which can can happen if:

1) The command type does something on the prep side that triggers an
   audit call.
2) The thread hasn't done any operations before this that triggered
   an audit call inside ->issue(), where we have audit_uring_entry()
   and audit_uring_exit().

Work around this by issuing a blanket NOP operation before the SQPOLL
does anything.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41002
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: hisilicon/sec - Fix memory leak for sec resource release

The AIV is one of the SEC resources. When releasing resources,
it need to release the AIV resources at the same time.
Otherwise, memory leakage occurs.

The aiv resource release is added to the sec resource release
function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41006
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netrom: Fix a memory leak in nr_heartbeat_expiry()

syzbot reported a memory leak in nr_create() [0].

Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.

But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b."

nr_connect
  nr_establish_data_link
    nr_start_heartbeat

nr_release
  switch (nr->state)
  case NR_STATE_3
    nr->state = NR_STATE_2
    sock_set_flag(sk, SOCK_DESTROY);

                        nr_rx_frame
                          nr_process_rx_frame
                            switch (nr->state)
                            case NR_STATE_2
                              nr_state2_machine()
                                nr_disconnect()
                                  nr_sk(sk)->state = NR_STATE_0
                                  sock_set_flag(sk, SOCK_DEAD)

                        nr_heartbeat_expiry
                          switch (nr->state)
                          case NR_STATE_0
                            if (sock_flag(sk, SOCK_DESTROY) ||
                               (sk->sk_state == TCP_LISTEN
                                 && sock_flag(sk, SOCK_DEAD)))
                               sock_hold()  // ( !!! )
                               nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.

[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41007
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tcp: avoid too many retransmit packets

If a TCP socket is using TCP_USER_TIMEOUT, and the other peer
retracted its window to zero, tcp_retransmit_timer() can
retransmit a packet every two jiffies (2 ms for HZ=1000),
for about 4 minutes after TCP_USER_TIMEOUT has 'expired'.

The fix is to make sure tcp_rtx_probe0_timed_out() takes
icsk->icsk_user_timeout into account.

Before blamed commit, the socket would not timeout after
icsk->icsk_user_timeout, but would use standard exponential
backoff for the retransmits.

Also worth noting that before commit e89688e3e978 ("net: tcp:
fix unexcepted socket die when snd_wnd is 0"), the issue
would last 2 minutes instead of 4.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41007

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41009
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix overrunning reservations in ringbuf

The BPF ring buffer internally is implemented as a power-of-2 sized circular
buffer, with two logical and ever-increasing counters: consumer_pos is the
consumer counter to show which logical position the consumer consumed the
data, and producer_pos which is the producer counter denoting the amount of
data reserved by all producers.

Each time a record is reserved, the producer that "owns" the record will
successfully advance producer counter. In user space each time a record is
read, the consumer of the data advanced the consumer counter once it finished
processing. Both counters are stored in separate pages so that from user
space, the producer counter is read-only and the consumer counter is read-write.

One aspect that simplifies and thus speeds up the implementation of both
producers and consumers is how the data area is mapped twice contiguously
back-to-back in the virtual memory, allowing to not take any special measures
for samples that have to wrap around at the end of the circular buffer data
area, because the next page after the last data page would be first data page
again, and thus the sample will still appear completely contiguous in virtual
memory.

Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for
book-keeping the length and offset, and is inaccessible to the BPF program.
Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`
for the BPF program to use. Bing-Jhong and Muhammad reported that it is however
possible to make a second allocated memory chunk overlapping with the first
chunk and as a result, the BPF program is now able to edit first chunk's
header.

For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size
of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to
bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in
[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets
allocate a chunk B with size 0x3000. This will succeed because consumer_pos
was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`
check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able
to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned
earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data
pages. This means that chunk B at [0x4000,0x4008] is chunk A's header.
bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then
locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk
B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong
page and could cause a crash.

Fix it by calculating the oldest pending_pos and check whether the range
from the oldest outstanding record to the newest would span beyond the ring
buffer size. If that is the case, then reject the request. We've tested with
the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)
before/after the fix and while it seems a bit slower on some benchmarks, it
is still not significantly enough to matter.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41009

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41010
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix too early release of tcx_entry

Pedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported
an issue that the tcx_entry can be released too early leading to a use
after free (UAF) when an active old-style ingress or clsact qdisc with a
shared tc block is later replaced by another ingress or clsact instance.

Essentially, the sequence to trigger the UAF (one example) can be as follows:

  1. A network namespace is created
  2. An ingress qdisc is created. This allocates a tcx_entry, and
     &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the
     same time, a tcf block with index 1 is created.
  3. chain0 is attached to the tcf block. chain0 must be connected to
     the block linked to the ingress qdisc to later reach the function
     tcf_chain0_head_change_cb_del() which triggers the UAF.
  4. Create and graft a clsact qdisc. This causes the ingress qdisc
     created in step 1 to be removed, thus freeing the previously linked
     tcx_entry:

     rtnetlink_rcv_msg()
       => tc_modify_qdisc()
         => qdisc_create()
           => clsact_init() [a]
         => qdisc_graft()
           => qdisc_destroy()
             => __qdisc_destroy()
               => ingress_destroy() [b]
                 => tcx_entry_free()
                   => kfree_rcu() // tcx_entry freed

  5. Finally, the network namespace is closed. This registers the
     cleanup_net worker, and during the process of releasing the
     remaining clsact qdisc, it accesses the tcx_entry that was
     already freed in step 4, causing the UAF to occur:

     cleanup_net()
       => ops_exit_list()
         => default_device_exit_batch()
           => unregister_netdevice_many()
             => unregister_netdevice_many_notify()
               => dev_shutdown()
                 => qdisc_put()
                   => clsact_destroy() [c]
                     => tcf_block_put_ext()
                       => tcf_chain0_head_change_cb_del()
                         => tcf_chain_head_change_item()
                           => clsact_chain_head_change()
                             => mini_qdisc_pair_swap() // UAF

There are also other variants, the gist is to add an ingress (or clsact)
qdisc with a specific shared block, then to replace that qdisc, waiting
for the tcx_entry kfree_rcu() to be executed and subsequently accessing
the current active qdisc's miniq one way or another.

The correct fix is to turn the miniq_active boolean into a counter. What
can be observed, at step 2 above, the counter transitions from 0->1, at
step [a] from 1->2 (in order for the miniq object to remain active during
the replacement), then in [b] from 2->1 and finally [c] 1->0 with the
eventual release. The reference counter in general ranges from [0,2] and
it does not need to be atomic since all access to the counter is protected
by the rtnl mutex. With this in place, there is no longer a UAF happening
and the tcx_entry is freed at the correct time.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41010

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41011
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: don't allow mapping the MMIO HDP page with large pages

We don't get the right offset in that case.  The GPU has
an unused 4K area of the register BAR space into which you can
remap registers.  We remap the HDP flush registers into this
space to allow userspace (CPU or GPU) to flush the HDP when it
updates VRAM.  However, on systems with >4K pages, we end up
exposing PAGE_SIZE of MMIO space.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41011

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41012
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

filelock: Remove locks reliably when fcntl/close race is detected

When fcntl_setlk() races with close(), it removes the created lock with
do_lock_file_wait().
However, LSMs can allow the first do_lock_file_wait() that created the lock
while denying the second do_lock_file_wait() that tries to remove the lock.
Separately, posix_lock_file() could also fail to
remove a lock due to GFP_KERNEL allocation failure (when splitting a range
in the middle).

After the bug has been triggered, use-after-free reads will occur in
lock_get_status() when userspace reads /proc/locks. This can likely be used
to read arbitrary kernel memory, but can't corrupt kernel memory.

Fix it by calling locks_remove_posix() instead, which is designed to
reliably get rid of POSIX locks associated with the given file and
files_struct and is also used by filp_flush().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41012

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41036
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ks8851: Fix deadlock with the SPI chip variant

When SMP is enabled and spinlocks are actually functional then there is
a deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi
and ks8851_irq:

    watchdog: BUG: soft lockup - CPU#0 stuck for 27s!
    call trace:
      queued_spin_lock_slowpath+0x100/0x284
      do_raw_spin_lock+0x34/0x44
      ks8851_start_xmit_spi+0x30/0xb8
      ks8851_start_xmit+0x14/0x20
      netdev_start_xmit+0x40/0x6c
      dev_hard_start_xmit+0x6c/0xbc
      sch_direct_xmit+0xa4/0x22c
      __qdisc_run+0x138/0x3fc
      qdisc_run+0x24/0x3c
      net_tx_action+0xf8/0x130
      handle_softirqs+0x1ac/0x1f0
      __do_softirq+0x14/0x20
      ____do_softirq+0x10/0x1c
      call_on_irq_stack+0x3c/0x58
      do_softirq_own_stack+0x1c/0x28
      __irq_exit_rcu+0x54/0x9c
      irq_exit_rcu+0x10/0x1c
      el1_interrupt+0x38/0x50
      el1h_64_irq_handler+0x18/0x24
      el1h_64_irq+0x64/0x68
      __netif_schedule+0x6c/0x80
      netif_tx_wake_queue+0x38/0x48
      ks8851_irq+0xb8/0x2c8
      irq_thread_fn+0x2c/0x74
      irq_thread+0x10c/0x1b0
      kthread+0xc8/0xd8
      ret_from_fork+0x10/0x20

This issue has not been identified earlier because tests were done on
a device with SMP disabled and so spinlocks were actually NOPs.

Now use spin_(un)lock_bh for TX queue related locking to avoid execution
of softirq work synchronously that would lead to a deadlock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41036

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41037
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: Intel: hda: fix null deref on system suspend entry

When system enters suspend with an active stream, SOF core
calls hw_params_upon_resume(). On Intel platforms with HDA DMA used
to manage the link DMA, this leads to call chain of

   hda_dsp_set_hw_params_upon_resume()
 -> hda_dsp_dais_suspend()
 -> hda_dai_suspend()
 -> hda_ipc4_post_trigger()

A bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first,
which clears hext_stream->link_substream, and then hda_ipc4_post_trigger()
is called with a NULL snd_pcm_substream pointer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41037

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41038
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers

Check that all fields of a V2 algorithm header fit into the available
firmware data buffer.

The wmfw V2 format introduced variable-length strings in the algorithm
block header. This means the overall header length is variable, and the
position of most fields varies depending on the length of the string
fields. Each field must be checked to ensure that it does not overflow
the firmware data buffer.

As this ia bugfix patch, the fixes avoid making any significant change to
the existing code. This makes it easier to review and less likely to
introduce new bugs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41038

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41039
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: cs_dsp: Fix overflow checking of wmfw header

Fix the checking that firmware file buffer is large enough for the
wmfw header, to prevent overrunning the buffer.

The original code tested that the firmware data buffer contained
enough bytes for the sums of the size of the structs

	wmfw_header + wmfw_adsp1_sizes + wmfw_footer

But wmfw_adsp1_sizes is only used on ADSP1 firmware. For ADSP2 and
Halo Core the equivalent struct is wmfw_adsp2_sizes, which is
4 bytes longer. So the length check didn't guarantee that there
are enough bytes in the firmware buffer for a header with
wmfw_adsp2_sizes.

This patch splits the length check into three separate parts. Each
of the wmfw_header, wmfw_adsp?_sizes and wmfw_footer are checked
separately before they are used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41040
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sched: Fix UAF when resolving a clash

KASAN reports the following UAF:

 BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
 Read of size 1 at addr ffff888c07603600 by task handler130/6469

 Call Trace:
  <IRQ>
  dump_stack_lvl+0x48/0x70
  print_address_description.constprop.0+0x33/0x3d0
  print_report+0xc0/0x2b0
  kasan_report+0xd0/0x120
  __asan_load1+0x6c/0x80
  tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
  tcf_ct_act+0x886/0x1350 [act_ct]
  tcf_action_exec+0xf8/0x1f0
  fl_classify+0x355/0x360 [cls_flower]
  __tcf_classify+0x1fd/0x330
  tcf_classify+0x21c/0x3c0
  sch_handle_ingress.constprop.0+0x2c5/0x500
  __netif_receive_skb_core.constprop.0+0xb25/0x1510
  __netif_receive_skb_list_core+0x220/0x4c0
  netif_receive_skb_list_internal+0x446/0x620
  napi_complete_done+0x157/0x3d0
  gro_cell_poll+0xcf/0x100
  __napi_poll+0x65/0x310
  net_rx_action+0x30c/0x5c0
  __do_softirq+0x14f/0x491
  __irq_exit_rcu+0x82/0xc0
  irq_exit_rcu+0xe/0x20
  common_interrupt+0xa1/0xb0
  </IRQ>
  <TASK>
  asm_common_interrupt+0x27/0x40

 Allocated by task 6469:
  kasan_save_stack+0x38/0x70
  kasan_set_track+0x25/0x40
  kasan_save_alloc_info+0x1e/0x40
  __kasan_krealloc+0x133/0x190
  krealloc+0xaa/0x130
  nf_ct_ext_add+0xed/0x230 [nf_conntrack]
  tcf_ct_act+0x1095/0x1350 [act_ct]
  tcf_action_exec+0xf8/0x1f0
  fl_classify+0x355/0x360 [cls_flower]
  __tcf_classify+0x1fd/0x330
  tcf_classify+0x21c/0x3c0
  sch_handle_ingress.constprop.0+0x2c5/0x500
  __netif_receive_skb_core.constprop.0+0xb25/0x1510
  __netif_receive_skb_list_core+0x220/0x4c0
  netif_receive_skb_list_internal+0x446/0x620
  napi_complete_done+0x157/0x3d0
  gro_cell_poll+0xcf/0x100
  __napi_poll+0x65/0x310
  net_rx_action+0x30c/0x5c0
  __do_softirq+0x14f/0x491

 Freed by task 6469:
  kasan_save_stack+0x38/0x70
  kasan_set_track+0x25/0x40
  kasan_save_free_info+0x2b/0x60
  ____kasan_slab_free+0x180/0x1f0
  __kasan_slab_free+0x12/0x30
  slab_free_freelist_hook+0xd2/0x1a0
  __kmem_cache_free+0x1a2/0x2f0
  kfree+0x78/0x120
  nf_conntrack_free+0x74/0x130 [nf_conntrack]
  nf_ct_destroy+0xb2/0x140 [nf_conntrack]
  __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]
  nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]
  __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]
  tcf_ct_act+0x12ad/0x1350 [act_ct]
  tcf_action_exec+0xf8/0x1f0
  fl_classify+0x355/0x360 [cls_flower]
  __tcf_classify+0x1fd/0x330
  tcf_classify+0x21c/0x3c0
  sch_handle_ingress.constprop.0+0x2c5/0x500
  __netif_receive_skb_core.constprop.0+0xb25/0x1510
  __netif_receive_skb_list_core+0x220/0x4c0
  netif_receive_skb_list_internal+0x446/0x620
  napi_complete_done+0x157/0x3d0
  gro_cell_poll+0xcf/0x100
  __napi_poll+0x65/0x310
  net_rx_action+0x30c/0x5c0
  __do_softirq+0x14f/0x491

The ct may be dropped if a clash has been resolved but is still passed to
the tcf_ct_flow_table_process_conn function for further usage. This issue
can be fixed by retrieving ct from skb again after confirming conntrack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41040

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41046
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: lantiq_etop: fix double free in detach

The number of the currently released descriptor is never incremented
which results in the same skb being released multiple times.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41046

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41049
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

filelock: fix potential use-after-free in posix_lock_inode

Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().
The request pointer had been changed earlier to point to a lock entry
that was added to the inode's list. However, before the tracepoint could
fire, another task raced in and freed that lock.

Fix this by moving the tracepoint inside the spinlock, which should
ensure that this doesn't happen.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41049

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41052
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Init the count variable in collecting hot-reset devices

The count variable is used without initialization, it results in mistakes
in the device counting and crashes the userspace if the get hot reset info
path is triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41052

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41053
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix ufshcd_abort_one racing issue

When ufshcd_abort_one is racing with the completion ISR, the completed tag
of the request's mq_hctx pointer will be set to NULL by ISR.  Return
success when request is completed by ISR because ufshcd_abort_one does not
need to do anything.

The racing flow is:

Thread A
ufshcd_err_handler					step 1
	...
	ufshcd_abort_one
		ufshcd_try_to_abort_task
			ufshcd_cmd_inflight(true)	step 3
		ufshcd_mcq_req_to_hwq
			blk_mq_unique_tag
				rq->mq_hctx->queue_num	step 5

Thread B
ufs_mtk_mcq_intr(cq complete ISR)			step 2
	scsi_done
		...
		__blk_mq_free_request
			rq->mq_hctx = NULL;		step 4

Below is KE back trace.
  ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device.
  ufshcd_try_to_abort_task: cmd at tag=41 is cleared.
  Aborting tag 41 / CDB 0x28 succeeded
  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194
  pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14
  lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise]
   do_mem_abort+0x58/0x118
   el1_abort+0x3c/0x5c
   el1h_64_sync_handler+0x54/0x90
   el1h_64_sync+0x68/0x6c
   blk_mq_unique_tag+0x8/0x14
   ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise]
   process_one_work+0x208/0x4fc
   worker_thread+0x228/0x438
   kthread+0x104/0x1d4
   ret_from_fork+0x10/0x20
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41054
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix ufshcd_clear_cmd racing issue

When ufshcd_clear_cmd is racing with the completion ISR, the completed tag
of the request's mq_hctx pointer will be set to NULL by the ISR.  And
ufshcd_clear_cmd's call to ufshcd_mcq_req_to_hwq will get NULL pointer KE.
Return success when the request is completed by ISR because sq does not
need cleanup.

The racing flow is:

Thread A
ufshcd_err_handler					step 1
	ufshcd_try_to_abort_task
		ufshcd_cmd_inflight(true)		step 3
		ufshcd_clear_cmd
			...
			ufshcd_mcq_req_to_hwq
			blk_mq_unique_tag
				rq->mq_hctx->queue_num	step 5

Thread B
ufs_mtk_mcq_intr(cq complete ISR)			step 2
	scsi_done
		...
		__blk_mq_free_request
			rq->mq_hctx = NULL;		step 4

Below is KE back trace:

  ufshcd_try_to_abort_task: cmd pending in the device. tag = 6
  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194
   pc : [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14
   lr : [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc [ufs_mediatek_mod_ise]
   Workqueue: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise]
   Call trace:
    dump_backtrace+0xf8/0x148
    show_stack+0x18/0x24
    dump_stack_lvl+0x60/0x7c
    dump_stack+0x18/0x3c
    mrdump_common_die+0x24c/0x398 [mrdump]
    ipanic_die+0x20/0x34 [mrdump]
    notify_die+0x80/0xd8
    die+0x94/0x2b8
    __do_kernel_fault+0x264/0x298
    do_page_fault+0xa4/0x4b8
    do_translation_fault+0x38/0x54
    do_mem_abort+0x58/0x118
    el1_abort+0x3c/0x5c
    el1h_64_sync_handler+0x54/0x90
    el1h_64_sync+0x68/0x6c
    blk_mq_unique_tag+0x8/0x14
    ufshcd_clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise]
    ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise]
    ufshcd_err_handler+0xa7c/0xfa8 [ufs_mediatek_mod_ise]
    process_one_work+0x208/0x4fc
    worker_thread+0x228/0x438
    kthread+0x104/0x1d4
    ret_from_fork+0x10/0x20
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41054

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41055
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: prevent derefencing NULL ptr in pfn_section_valid()

Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing
memory_section->usage") changed pfn_section_valid() to add a READ_ONCE()
call around "ms->usage" to fix a race with section_deactivate() where
ms->usage can be cleared.  The READ_ONCE() call, by itself, is not enough
to prevent NULL pointer dereference.  We need to check its value before
dereferencing it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41055

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41057
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

We got the following issue in our fault injection stress test:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600
Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109

CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566
Call Trace:
 <TASK>
 kasan_report+0x93/0xc0
 cachefiles_withdraw_cookie+0x4d9/0x600
 fscache_cookie_state_machine+0x5c8/0x1230
 fscache_cookie_worker+0x91/0x1c0
 process_one_work+0x7fa/0x1800
 [...]

Allocated by task 117:
 kmalloc_trace+0x1b3/0x3c0
 cachefiles_acquire_volume+0xf3/0x9c0
 fscache_create_volume_work+0x97/0x150
 process_one_work+0x7fa/0x1800
 [...]

Freed by task 120301:
 kfree+0xf1/0x2c0
 cachefiles_withdraw_cache+0x3fa/0x920
 cachefiles_put_unbind_pincount+0x1f6/0x250
 cachefiles_daemon_release+0x13b/0x290
 __fput+0x204/0xa00
 task_work_run+0x139/0x230
 do_exit+0x87a/0x29b0
 [...]
==================================================================

Following is the process that triggers the issue:

           p1                |             p2
------------------------------------------------------------
                              fscache_begin_lookup
                               fscache_begin_volume_access
                                fscache_cache_is_live(fscache_cache)
cachefiles_daemon_release
 cachefiles_put_unbind_pincount
  cachefiles_daemon_unbind
   cachefiles_withdraw_cache
    fscache_withdraw_cache
     fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);
    cachefiles_withdraw_objects(cache)
    fscache_wait_for_objects(fscache)
      atomic_read(&fscache_cache->object_count) == 0
                              fscache_perform_lookup
                               cachefiles_lookup_cookie
                                cachefiles_alloc_object
                                 refcount_set(&object->ref, 1);
                                 object->volume = volume
                                 fscache_count_object(vcookie->cache);
                                  atomic_inc(&fscache_cache->object_count)
    cachefiles_withdraw_volumes
     cachefiles_withdraw_volume
      fscache_withdraw_volume
      __cachefiles_free_volume
       kfree(cachefiles_volume)
                              fscache_cookie_state_machine
                               cachefiles_withdraw_cookie
                                cache = object->volume->cache;
                                // cachefiles_volume UAF !!!

After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups
to complete first, and then wait for fscache_cache->object_count == 0 to
avoid the cookie exiting after the volume has been freed and triggering
the above issue. Therefore call fscache_withdraw_volume() before calling
cachefiles_withdraw_objects().

This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two
cases will occur:
1) fscache_begin_lookup fails in fscache_begin_volume_access().
2) fscache_withdraw_volume() will ensure that fscache_count_object() has
   been executed before calling fscache_wait_for_objects().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41057

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41058
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

We got the following issue in our fault injection stress test:

==================================================================
BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370
Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798

CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565
Call Trace:
 kasan_check_range+0xf6/0x1b0
 fscache_withdraw_volume+0x2e1/0x370
 cachefiles_withdraw_volume+0x31/0x50
 cachefiles_withdraw_cache+0x3ad/0x900
 cachefiles_put_unbind_pincount+0x1f6/0x250
 cachefiles_daemon_release+0x13b/0x290
 __fput+0x204/0xa00
 task_work_run+0x139/0x230

Allocated by task 5820:
 __kmalloc+0x1df/0x4b0
 fscache_alloc_volume+0x70/0x600
 __fscache_acquire_volume+0x1c/0x610
 erofs_fscache_register_volume+0x96/0x1a0
 erofs_fscache_register_fs+0x49a/0x690
 erofs_fc_fill_super+0x6c0/0xcc0
 vfs_get_super+0xa9/0x140
 vfs_get_tree+0x8e/0x300
 do_new_mount+0x28c/0x580
 [...]

Freed by task 5820:
 kfree+0xf1/0x2c0
 fscache_put_volume.part.0+0x5cb/0x9e0
 erofs_fscache_unregister_fs+0x157/0x1b0
 erofs_kill_sb+0xd9/0x1c0
 deactivate_locked_super+0xa3/0x100
 vfs_get_super+0x105/0x140
 vfs_get_tree+0x8e/0x300
 do_new_mount+0x28c/0x580
 [...]
==================================================================

Following is the process that triggers the issue:

        mount failed         |         daemon exit
------------------------------------------------------------
 deactivate_locked_super        cachefiles_daemon_release
  erofs_kill_sb
   erofs_fscache_unregister_fs
    fscache_relinquish_volume
     __fscache_relinquish_volume
      fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)
       zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);
                                 cachefiles_put_unbind_pincount
                                  cachefiles_daemon_unbind
                                   cachefiles_withdraw_cache
                                    cachefiles_withdraw_volumes
                                     list_del_init(&volume->cache_link)
       fscache_free_volume(fscache_volume)
        cache->ops->free_volume
         cachefiles_free_volume
          list_del_init(&cachefiles_volume->cache_link);
        kfree(fscache_volume)
                                     cachefiles_withdraw_volume
                                      fscache_withdraw_volume
                                       fscache_volume->n_accesses
                                       // fscache_volume UAF !!!

The fscache_volume in cache->volumes must not have been freed yet, but its
reference count may be 0. So use the new fscache_try_get_volume() helper
function try to get its reference count.

If the reference count of fscache_volume is 0, fscache_put_volume() is
freeing it, so wait for it to be removed from cache->volumes.

If its reference count is not 0, call cachefiles_withdraw_volume() with
reference count protection to avoid the above issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41058

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41059
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix uninit-value in copy_name

[syzbot reported]
BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160
 sized_strscpy+0xc4/0x160
 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411
 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750
 vfs_listxattr fs/xattr.c:493 [inline]
 listxattr+0x1f3/0x6b0 fs/xattr.c:840
 path_listxattr fs/xattr.c:864 [inline]
 __do_sys_listxattr fs/xattr.c:876 [inline]
 __se_sys_listxattr fs/xattr.c:873 [inline]
 __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873
 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3877 [inline]
 slab_alloc_node mm/slub.c:3918 [inline]
 kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065
 kmalloc include/linux/slab.h:628 [inline]
 hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699
 vfs_listxattr fs/xattr.c:493 [inline]
 listxattr+0x1f3/0x6b0 fs/xattr.c:840
 path_listxattr fs/xattr.c:864 [inline]
 __do_sys_listxattr fs/xattr.c:876 [inline]
 __se_sys_listxattr fs/xattr.c:873 [inline]
 __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873
 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
[Fix]
When allocating memory to strbuf, initialize memory to 0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41059

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41060
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: check bo_va->bo is non-NULL before using it

The call to radeon_vm_clear_freed might clear bo_va->bo, so
we have to check it before dereferencing it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41060

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41061
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport

[Why]
Potential out of bounds access in dml2_calculate_rq_and_dlg_params()
because the value of out_lowest_state_idx used as an index for FCLKChangeSupport
array can be greater than 1.

[How]
Currently dml2 core specifies identical values for all FCLKChangeSupport
elements. Always use index 0 in the condition to avoid out of bounds access.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41061

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41063
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

syzbot is reporting that calling hci_release_dev() from hci_error_reset()
due to hci_dev_put() from hci_error_reset() can cause deadlock at
destroy_workqueue(), for hci_error_reset() is called from
hdev->req_workqueue which destroy_workqueue() needs to flush.

We need to make sure that hdev->{rx_work,cmd_work,tx_work} which are
queued into hdev->workqueue and hdev->{power_on,error_reset} which are
queued into hdev->req_workqueue are no longer running by the moment

       destroy_workqueue(hdev->workqueue);
       destroy_workqueue(hdev->req_workqueue);

are called from hci_release_dev().

Call cancel_work_sync() on these work items from hci_unregister_dev()
as soon as hdev->list is removed from hci_dev_list.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41063

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41064
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

powerpc/eeh: avoid possible crash when edev->pdev changes

If a PCI device is removed during eeh_pe_report_edev(), edev->pdev
will change and can cause a crash, hold the PCI rescan/remove lock
while taking a copy of edev->pdev->bus.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41064

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41066
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ibmvnic: Add tx check to prevent skb leak

Below is a summary of how the driver stores a reference to an skb during
transmit:
    tx_buff[free_map[consumer_index]]->skb = new_skb;
    free_map[consumer_index] = IBMVNIC_INVALID_MAP;
    consumer_index ++;
Where variable data looks like this:
    free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]
                                               	consumer_index^
    tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null]

The driver has checks to ensure that free_map[consumer_index] pointed to
a valid index but there was no check to ensure that this index pointed
to an unused/null skb address. So, if, by some chance, our free_map and
tx_buff lists become out of sync then we were previously risking an
skb memory leak. This could then cause tcp congestion control to stop
sending packets, eventually leading to ETIMEDOUT.

Therefore, add a conditional to ensure that the skb address is null. If
not then warn the user (because this is still a bug that should be
patched) and free the old pointer to prevent memleak/tcp problems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41070
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()

Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().

It looks up `stt` from tablefd, but then continues to use it after doing
fdput() on the returned fd. After the fdput() the tablefd is free to be
closed by another thread. The close calls kvm_spapr_tce_release() and
then release_spapr_tce_table() (via call_rcu()) which frees `stt`.

Although there are calls to rcu_read_lock() in
kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent
the UAF, because `stt` is used outside the locked regions.

With an artifcial delay after the fdput() and a userspace program which
triggers the race, KASAN detects the UAF:

  BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
  Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505
  CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1
  Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV
  Call Trace:
    dump_stack_lvl+0xb4/0x108 (unreliable)
    print_report+0x2b4/0x6ec
    kasan_report+0x118/0x2b0
    __asan_load4+0xb8/0xd0
    kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
    kvm_vfio_set_attr+0x524/0xac0 [kvm]
    kvm_device_ioctl+0x144/0x240 [kvm]
    sys_ioctl+0x62c/0x1810
    system_call_exception+0x190/0x440
    system_call_vectored_common+0x15c/0x2ec
  ...
  Freed by task 0:
   ...
   kfree+0xec/0x3e0
   release_spapr_tce_table+0xd4/0x11c [kvm]
   rcu_core+0x568/0x16a0
   handle_softirqs+0x23c/0x920
   do_softirq_own_stack+0x6c/0x90
   do_softirq_own_stack+0x58/0x90
   __irq_exit_rcu+0x218/0x2d0
   irq_exit+0x30/0x80
   arch_local_irq_restore+0x128/0x230
   arch_local_irq_enable+0x1c/0x30
   cpuidle_enter_state+0x134/0x5cc
   cpuidle_enter+0x6c/0xb0
   call_cpuidle+0x7c/0x100
   do_idle+0x394/0x410
   cpu_startup_entry+0x60/0x70
   start_secondary+0x3fc/0x410
   start_secondary_prolog+0x10/0x14

Fix it by delaying the fdput() until `stt` is no longer in use, which
is effectively the entire function. To keep the patch minimal add a call
to fdput() at each of the existing return paths. Future work can convert
the function to goto or __cleanup style cleanup.

With the fix in place the test case no longer triggers the UAF.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41070

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41071
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Avoid address calculations via out of bounds array indexing

req->n_channels must be set before req->channels[] can be used.

This patch fixes one of the issues encountered in [1].

[   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4
[   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'
[...]
[   83.964264] Call Trace:
[   83.964267]  <TASK>
[   83.964269]  dump_stack_lvl+0x3f/0xc0
[   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110
[   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0
[   83.964281]  __ieee80211_start_scan+0x601/0x990
[   83.964291]  nl80211_trigger_scan+0x874/0x980
[   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160
[   83.964298]  genl_rcv_msg+0x240/0x270
[...]

[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41071

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41073
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvme: avoid double free special payload

If a discard request needs to be retried, and that retry may fail before
a new special payload is added, a double free will result. Clear the
RQF_SPECIAL_LOAD when the request is cleaned.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41073

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41076
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFSv4: Fix memory leak in nfs4_set_security_label

We leak nfs_fattr and nfs4_label every time we set a security xattr.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41080
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix possible deadlock in io_register_iowq_max_workers()

The io_register_iowq_max_workers() function calls io_put_sq_data(),
which acquires the sqd->lock without releasing the uring_lock.
Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock
before acquiring sqd->lock"), this can lead to a potential deadlock
situation.

To resolve this issue, the uring_lock is released before calling
io_put_sq_data(), and then it is re-acquired after the function call.

This change ensures that the locks are acquired in the correct
order, preventing the possibility of a deadlock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41083
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid

Fix netfs_page_mkwrite() to check that folio->mapping is valid once it has
taken the folio lock (as filemap_page_mkwrite() does).  Without this,
generic/247 occasionally oopses with something like the following:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page

    RIP: 0010:trace_event_raw_event_netfs_folio+0x61/0xc0
    ...
    Call Trace:
     <TASK>
     ? __die_body+0x1a/0x60
     ? page_fault_oops+0x6e/0xa0
     ? exc_page_fault+0xc2/0xe0
     ? asm_exc_page_fault+0x22/0x30
     ? trace_event_raw_event_netfs_folio+0x61/0xc0
     trace_netfs_folio+0x39/0x40
     netfs_page_mkwrite+0x14c/0x1d0
     do_page_mkwrite+0x50/0x90
     do_pte_missing+0x184/0x200
     __handle_mm_fault+0x42d/0x500
     handle_mm_fault+0x121/0x1f0
     do_user_addr_fault+0x23e/0x3c0
     exc_page_fault+0xc2/0xe0
     asm_exc_page_fault+0x22/0x30

This is due to the invalidate_inode_pages2_range() issued at the end of the
DIO write interfering with the mmap'd writes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41084
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cxl/region: Avoid null pointer dereference in region lookup

cxl_dpa_to_region() looks up a region based on a memdev and DPA.
It wrongly assumes an endpoint found mapping the DPA is also of
a fully assembled region. When not true it leads to a null pointer
dereference looking up the region name.

This appears during testing of region lookup after a failure to
assemble a BIOS defined region or if the lookup raced with the
assembly of the BIOS defined region.

Failure to clean up BIOS defined regions that fail assembly is an
issue in itself and a fix to that problem will alleviate some of
the impact. It will not alleviate the race condition so let's harden
this path.

The behavior change is that the kernel oops due to a null pointer
dereference is replaced with a dev_dbg() message noting that an
endpoint was mapped.

Additional comments are added so that future users of this function
can more clearly understand what it provides.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41084

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41085
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cxl/mem: Fix no cxl_nvd during pmem region auto-assembling

When CXL subsystem is auto-assembling a pmem region during cxl
endpoint port probing, always hit below calltrace.

 BUG: kernel NULL pointer dereference, address: 0000000000000078
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 RIP: 0010:cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem]
 Call Trace:
  <TASK>
  ? __die+0x24/0x70
  ? page_fault_oops+0x82/0x160
  ? do_user_addr_fault+0x65/0x6b0
  ? exc_page_fault+0x7d/0x170
  ? asm_exc_page_fault+0x26/0x30
  ? cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem]
  ? cxl_pmem_region_probe+0x1ac/0x360 [cxl_pmem]
  cxl_bus_probe+0x1b/0x60 [cxl_core]
  really_probe+0x173/0x410
  ? __pfx___device_attach_driver+0x10/0x10
  __driver_probe_device+0x80/0x170
  driver_probe_device+0x1e/0x90
  __device_attach_driver+0x90/0x120
  bus_for_each_drv+0x84/0xe0
  __device_attach+0xbc/0x1f0
  bus_probe_device+0x90/0xa0
  device_add+0x51c/0x710
  devm_cxl_add_pmem_region+0x1b5/0x380 [cxl_core]
  cxl_bus_probe+0x1b/0x60 [cxl_core]

The cxl_nvd of the memdev needs to be available during the pmem region
probe. Currently the cxl_nvd is registered after the endpoint port probe.
The endpoint probe, in the case of autoassembly of regions, can cause a
pmem region probe requiring the not yet available cxl_nvd. Adjust the
sequence so this dependency is met.

This requires adding a port parameter to cxl_find_nvdimm_bridge() that
can be used to query the ancestor root port. The endpoint port is not
yet available, but will share a common ancestor with its parent, so
start the query from there instead.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41085

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41087
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ata: libata-core: Fix double free on error

If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump
to the err_out label, which will call devres_release_group().
devres_release_group() will trigger a call to ata_host_release().
ata_host_release() calls kfree(host), so executing the kfree(host) in
ata_host_alloc() will lead to a double free:

kernel BUG at mm/slub.c:553!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:kfree+0x2cf/0x2f0
Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da
RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246
RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320
RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0
RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780
R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006
FS:  00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? __die_body.cold+0x19/0x27
 ? die+0x2e/0x50
 ? do_trap+0xca/0x110
 ? do_error_trap+0x6a/0x90
 ? kfree+0x2cf/0x2f0
 ? exc_invalid_op+0x50/0x70
 ? kfree+0x2cf/0x2f0
 ? asm_exc_invalid_op+0x1a/0x20
 ? ata_host_alloc+0xf5/0x120 [libata]
 ? ata_host_alloc+0xf5/0x120 [libata]
 ? kfree+0x2cf/0x2f0
 ata_host_alloc+0xf5/0x120 [libata]
 ata_host_alloc_pinfo+0x14/0xa0 [libata]
 ahci_init_one+0x6c9/0xd20 [ahci]

Ensure that we will not call kfree(host) twice, by performing the kfree()
only if the devres_open_group() call failed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41087

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41088
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: mcp251xfd: fix infinite loop when xmit fails

When the mcp251xfd_start_xmit() function fails, the driver stops
processing messages, and the interrupt routine does not return,
running indefinitely even after killing the running application.

Error messages:
[  441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16
[  441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).
... and repeat forever.

The issue can be triggered when multiple devices share the same SPI
interface. And there is concurrent access to the bus.

The problem occurs because tx_ring->head increments even if
mcp251xfd_start_xmit() fails. Consequently, the driver skips one TX
package while still expecting a response in
mcp251xfd_handle_tefif_one().

Resolve the issue by starting a workqueue to write the tx obj
synchronously if err = -EBUSY. In case of another error, decrement
tx_ring->head, remove skb from the echo stack, and drop the message.

[mkl: use more imperative wording in patch description]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41088

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41089
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes

In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is
assigned to mode, which will lead to a possible NULL pointer dereference
on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().
Add a check to avoid null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41089

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41092
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gt: Fix potential UAF by revoke of fence registers

CI has been sporadically reporting the following issue triggered by
igt@i915_selftest@live@hangcheck on ADL-P and similar machines:

<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence
...
<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled
<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled
<3> [414.070354] Unable to pin Y-tiled fence; err:-4
<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))
...
<4>[  609.603992] ------------[ cut here ]------------
<2>[  609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!
<4>[  609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[  609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G     U  W          6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1
<4>[  609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
<4>[  609.604010] Workqueue: i915 __i915_gem_free_work [i915]
<4>[  609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]
...
<4>[  609.604271] Call Trace:
<4>[  609.604273]  <TASK>
...
<4>[  609.604716]  __i915_vma_evict+0x2e9/0x550 [i915]
<4>[  609.604852]  __i915_vma_unbind+0x7c/0x160 [i915]
<4>[  609.604977]  force_unbind+0x24/0xa0 [i915]
<4>[  609.605098]  i915_vma_destroy+0x2f/0xa0 [i915]
<4>[  609.605210]  __i915_gem_object_pages_fini+0x51/0x2f0 [i915]
<4>[  609.605330]  __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]
<4>[  609.605440]  process_scheduled_works+0x351/0x690
...

In the past, there were similar failures reported by CI from other IGT
tests, observed on other platforms.

Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity
before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for
idleness of vma->active via fence_update().   That commit introduced
vma->fence->active in order for the fence_update() to be able to wait
selectively on that one instead of vma->active since only idleness of
fence registers was needed.  But then, another commit 0d86ee35097a
("drm/i915/gt: Make fence revocation unequivocal") replaced the call to
fence_update() in i915_vma_revoke_fence() with only fence_write(), and
also added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.
No justification was provided on why we might then expect idleness of
vma->fence->active without first waiting on it.

The issue can be potentially caused by a race among revocation of fence
registers on one side and sequential execution of signal callbacks invoked
on completion of a request that was using them on the other, still
processed in parallel to revocation of those fence registers.  Fix it by
waiting for idleness of vma->fence->active in i915_vma_revoke_fence().

(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41092

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41093
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: avoid using null object of framebuffer

Instead of using state->fb->obj[0] directly, get object from framebuffer
by calling drm_gem_fb_get_obj() and return error code when object is
null to avoid using null object of framebuffer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41093

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41094
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/fbdev-dma: Only set smem_start is enable per module option

Only export struct fb_info.fix.smem_start if that is required by the
user and the memory does not come from vmalloc().

Setting struct fb_info.fix.smem_start breaks systems where DMA
memory is backed by vmalloc address space. An example error is
shown below.

[    3.536043] ------------[ cut here ]------------
[    3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000)
[    3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98
[    3.565455] Modules linked in:
[    3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250
[    3.577310] Hardware name: NXP i.MX95 19X19 board (DT)
[    3.582452] Workqueue: events_unbound deferred_probe_work_func
[    3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    3.595233] pc : __virt_to_phys+0x68/0x98
[    3.599246] lr : __virt_to_phys+0x68/0x98
[    3.603276] sp : ffff800083603990
[    3.677939] Call trace:
[    3.680393]  __virt_to_phys+0x68/0x98
[    3.684067]  drm_fbdev_dma_helper_fb_probe+0x138/0x238
[    3.689214]  __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0
[    3.695385]  drm_fb_helper_initial_config+0x4c/0x68
[    3.700264]  drm_fbdev_dma_client_hotplug+0x8c/0xe0
[    3.705161]  drm_client_register+0x60/0xb0
[    3.709269]  drm_fbdev_dma_setup+0x94/0x148

Additionally, DMA memory is assumed to by contiguous in physical
address space, which is not guaranteed by vmalloc().

Resolve this by checking the module flag drm_leak_fbdev_smem when
DRM allocated the instance of struct fb_info. Fbdev-dma then only
sets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also
guarantee that the framebuffer is not located in vmalloc address
space.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41094

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41095
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes

In nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is
assigned to mode, which will lead to a possible NULL pointer dereference
on failure of drm_mode_duplicate(). Add a check to avoid npd.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41096
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI/MSI: Fix UAF in msi_capability_init

KFENCE reports the following UAF:

 BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488

 Use-after-free read at 0x0000000024629571 (in kfence-#12):
  __pci_enable_msi_range+0x2c0/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128

 allocated by task 81 on cpu 7 at 10.808142s:
  __kmem_cache_alloc_node+0x1f0/0x2bc
  kmalloc_trace+0x44/0x138
  msi_alloc_desc+0x3c/0x9c
  msi_domain_insert_msi_desc+0x30/0x78
  msi_setup_msi_desc+0x13c/0x184
  __pci_enable_msi_range+0x258/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 freed by task 81 on cpu 7 at 10.811436s:
  msi_domain_free_descs+0xd4/0x10c
  msi_domain_free_locked.part.0+0xc0/0x1d8
  msi_domain_alloc_irqs_all_locked+0xb4/0xbc
  pci_msi_setup_msi_irqs+0x30/0x4c
  __pci_enable_msi_range+0x2a8/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

Descriptor allocation done in:
__pci_enable_msi_range
    msi_capability_init
        msi_setup_msi_desc
            msi_insert_msi_desc
                msi_domain_insert_msi_desc
                    msi_alloc_desc
                        ...

Freed in case of failure in __msi_domain_alloc_locked()
__pci_enable_msi_range
    msi_capability_init
        pci_msi_setup_msi_irqs
            msi_domain_alloc_irqs_all_locked
                msi_domain_alloc_locked
                    __msi_domain_alloc_locked => fails
                    msi_domain_free_locked
                        ...

That failure propagates back to pci_msi_setup_msi_irqs() in
msi_capability_init() which accesses the descriptor for unmasking in the
error exit path.

Cure it by copying the descriptor and using the copy for the error exit path
unmask operation.

[ tglx: Massaged change log ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41096

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41097
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: atm: cxacru: fix endpoint checking in cxacru_bind()

Syzbot is still reporting quite an old issue [1] that occurs due to
incomplete checking of present usb endpoints. As such, wrong
endpoints types may be used at urb sumbitting stage which in turn
triggers a warning in usb_submit_urb().

Fix the issue by verifying that required endpoint types are present
for both in and out endpoints, taking into account cmd endpoint type.

Unfortunately, this patch has not been tested on real hardware.

[1] Syzbot report:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
...
Call Trace:
 cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649
 cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760
 cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209
 usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055
 cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3354
 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41097

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-41098
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ata: libata-core: Fix null pointer dereference on error

If the ata_port_alloc() call in ata_host_alloc() fails,
ata_host_release() will get called.

However, the code in ata_host_release() tries to free ata_port struct
members unconditionally, which can lead to the following:

BUG: unable to handle page fault for address: 0000000000003990
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
FS:  00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? __die_body.cold+0x19/0x27
 ? page_fault_oops+0x15a/0x2f0
 ? exc_page_fault+0x7e/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? ata_host_release.cold+0x2f/0x6e [libata]
 ? ata_host_release.cold+0x2f/0x6e [libata]
 release_nodes+0x35/0xb0
 devres_release_group+0x113/0x140
 ata_host_alloc+0xed/0x120 [libata]
 ata_host_alloc_pinfo+0x14/0xa0 [libata]
 ahci_init_one+0x6c9/0xd20 [ahci]

Do not access ata_port struct members unconditionally.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41098

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42063
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode

syzbot reported uninit memory usages during map_{lookup,delete}_elem.

==========
BUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
BUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]
bpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38
___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237
==========

The reproducer should be in the interpreter mode.

The C reproducer is trying to run the following bpf prog:

    0: (18) r0 = 0x0
    2: (18) r1 = map[id:49]
    4: (b7) r8 = 16777216
    5: (7b) *(u64 *)(r10 -8) = r8
    6: (bf) r2 = r10
    7: (07) r2 += -229
            ^^^^^^^^^^

    8: (b7) r3 = 8
    9: (b7) r4 = 0
   10: (85) call dev_map_lookup_elem#1543472
   11: (95) exit

It is due to the "void *key" (r2) passed to the helper. bpf allows uninit
stack memory access for bpf prog with the right privileges. This patch
uses kmsan_unpoison_memory() to mark the stack as initialized.

This should address different syzbot reports on the uninit "void *key"
argument during map_{lookup,delete}_elem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42063

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42064
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Skip pipe if the pipe idx not set properly

[why]
Driver crashes when pipe idx not set properly

[how]
Add code to skip the pipe that idx not set properly
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42064

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42065
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Add a NULL check in xe_ttm_stolen_mgr_init

Add an explicit check to ensure that the mgr is not NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42065

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42066
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix potential integer overflow in page size calculation

Explicitly cast tbo->page_alignment to u64 before bit-shifting to
prevent overflow when assigning to min_page_size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42067
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro()

set_memory_rox() can fail, leaving memory unprotected.

Check return and bail out when bpf_jit_binary_lock_ro() returns
an error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42067

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42068
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()

set_memory_ro() can fail, leaving memory unprotected.

Check its return and take it into account as an error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42068

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42069
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: mana: Fix possible double free in error handling path

When auxiliary_device_add() returns error and then calls
auxiliary_device_uninit(), callback function adev_release
calls kfree(madev). We shouldn't call kfree(madev) again
in the error handling path. Set 'madev' to NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42069

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42070
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

register store validation for NFT_DATA_VALUE is conditional, however,
the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
only requires a new helper function to infer the register type from the
set datatype so this conditional check can be removed. Otherwise,
pointer to chain object can be leaked through the registers.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42070

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42071
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ionic: use dev_consume_skb_any outside of napi

If we're not in a NAPI softirq context, we need to be careful
about how we call napi_consume_skb(), specifically we need to
call it with budget==0 to signal to it that we're not in a
safe context.

This was found while running some configuration stress testing
of traffic and a change queue config loop running, and this
curious note popped out:

[ 4371.402645] BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/20545
[ 4371.402897] caller is napi_skb_cache_put+0x16/0x80
[ 4371.403120] CPU: 25 PID: 20545 Comm: ethtool Kdump: loaded Tainted: G           OE      6.10.0-rc3-netnext+ #8
[ 4371.403302] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 01/23/2021
[ 4371.403460] Call Trace:
[ 4371.403613]  <TASK>
[ 4371.403758]  dump_stack_lvl+0x4f/0x70
[ 4371.403904]  check_preemption_disabled+0xc1/0xe0
[ 4371.404051]  napi_skb_cache_put+0x16/0x80
[ 4371.404199]  ionic_tx_clean+0x18a/0x240 [ionic]
[ 4371.404354]  ionic_tx_cq_service+0xc4/0x200 [ionic]
[ 4371.404505]  ionic_tx_flush+0x15/0x70 [ionic]
[ 4371.404653]  ? ionic_lif_qcq_deinit.isra.23+0x5b/0x70 [ionic]
[ 4371.404805]  ionic_txrx_deinit+0x71/0x190 [ionic]
[ 4371.404956]  ionic_reconfigure_queues+0x5f5/0xff0 [ionic]
[ 4371.405111]  ionic_set_ringparam+0x2e8/0x3e0 [ionic]
[ 4371.405265]  ethnl_set_rings+0x1f1/0x300
[ 4371.405418]  ethnl_default_set_doit+0xbb/0x160
[ 4371.405571]  genl_family_rcv_msg_doit+0xff/0x130
	[...]

I found that ionic_tx_clean() calls napi_consume_skb() which calls
napi_skb_cache_put(), but before that last call is the note
    /* Zero budget indicate non-NAPI context called us, like netpoll */
and
    DEBUG_NET_WARN_ON_ONCE(!in_softirq());

Those are pretty big hints that we're doing it wrong.  We can pass a
context hint down through the calls to let ionic_tx_clean() know what
we're doing so it can call napi_consume_skb() correctly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42071

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42072
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix may_goto with negative offset.

Zac's syzbot crafted a bpf prog that exposed two bugs in may_goto.
The 1st bug is the way may_goto is patched. When offset is negative
it should be patched differently.
The 2nd bug is in the verifier:
when current state may_goto_depth is equal to visited state may_goto_depth
it means there is an actual infinite loop. It's not correct to prune
exploration of the program at this point.
Note, that this check doesn't limit the program to only one may_goto insn,
since 2nd and any further may_goto will increment may_goto_depth only
in the queued state pushed for future exploration. The current state
will have may_goto_depth == 0 regardless of number of may_goto insns
and the verifier has to explore the program until bpf_exit.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42072

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42073
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems

The following two shared buffer operations make use of the Shared Buffer
Status Register (SBSR):

 # devlink sb occupancy snapshot pci/0000:01:00.0
 # devlink sb occupancy clearmax pci/0000:01:00.0

The register has two masks of 256 bits to denote on which ingress /
egress ports the register should operate on. Spectrum-4 has more than
256 ports, so the register was extended by cited commit with a new
'port_page' field.

However, when filling the register's payload, the driver specifies the
ports as absolute numbers and not relative to the first port of the port
page, resulting in memory corruptions [1].

Fix by specifying the ports relative to the first port of the port page.

[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0
Read of size 1 at addr ffff8881068cb00f by task devlink/1566
[...]
Call Trace:
 <TASK>
 dump_stack_lvl+0xc6/0x120
 print_report+0xce/0x670
 kasan_report+0xd7/0x110
 mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0
 mlxsw_devlink_sb_occ_snapshot+0x75/0xb0
 devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0
 genl_family_rcv_msg_doit+0x20c/0x300
 genl_rcv_msg+0x567/0x800
 netlink_rcv_skb+0x170/0x450
 genl_rcv+0x2d/0x40
 netlink_unicast+0x547/0x830
 netlink_sendmsg+0x8d4/0xdb0
 __sys_sendto+0x49b/0x510
 __x64_sys_sendto+0xe5/0x1c0
 do_syscall_64+0xc1/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
[...]
Allocated by task 1:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 copy_verifier_state+0xbc2/0xfb0
 do_check_common+0x2c51/0xc7e0
 bpf_check+0x5107/0x9960
 bpf_prog_load+0xf0e/0x2690
 __sys_bpf+0x1a61/0x49d0
 __x64_sys_bpf+0x7d/0xc0
 do_syscall_64+0xc1/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 1:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 poison_slab_object+0x109/0x170
 __kasan_slab_free+0x14/0x30
 kfree+0xca/0x2b0
 free_verifier_state+0xce/0x270
 do_check_common+0x4828/0xc7e0
 bpf_check+0x5107/0x9960
 bpf_prog_load+0xf0e/0x2690
 __sys_bpf+0x1a61/0x49d0
 __x64_sys_bpf+0x7d/0xc0
 do_syscall_64+0xc1/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42073

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42074
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: amd: acp: add a null check for chip_pdev structure

When acp platform device creation is skipped, chip->chip_pdev value will
remain NULL. Add NULL check for chip->chip_pdev structure in
snd_acp_resume() function to avoid null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42075
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix remap of arena.

The bpf arena logic didn't account for mremap operation. Add a refcnt for
multiple mmap events to prevent use-after-free in arena_vm_close.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42076
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: can: j1939: Initialize unused data in j1939_send_one()

syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()
creates full frame including unused data, but it doesn't initialize
it. This causes the kernel-infoleak issue. Fix this by initializing
unused data.

[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 copy_to_user_iter lib/iov_iter.c:24 [inline]
 iterate_ubuf include/linux/iov_iter.h:29 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
 iterate_and_advance include/linux/iov_iter.h:271 [inline]
 _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
 copy_to_iter include/linux/uio.h:196 [inline]
 memcpy_to_msg include/linux/skbuff.h:4113 [inline]
 raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0x2c4/0x340 net/socket.c:1068
 ____sys_recvmsg+0x18a/0x620 net/socket.c:2803
 ___sys_recvmsg+0x223/0x840 net/socket.c:2845
 do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939
 __sys_recvmmsg net/socket.c:3018 [inline]
 __do_sys_recvmmsg net/socket.c:3041 [inline]
 __se_sys_recvmmsg net/socket.c:3034 [inline]
 __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034
 x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3804 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
 alloc_skb include/linux/skbuff.h:1313 [inline]
 alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
 sock_alloc_send_skb include/net/sock.h:1842 [inline]
 j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]
 j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]
 j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:745
 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
 x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 12-15 of 16 are uninitialized
Memory access of size 16 starts at ffff888120969690
Data copied to user address 00000000200017c0

CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42077
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix DIO failure due to insufficient transaction credits

The code in ocfs2_dio_end_io_write() estimates number of necessary
transaction credits using ocfs2_calc_extend_credits().  This however does
not take into account that the IO could be arbitrarily large and can
contain arbitrary number of extents.

Extent tree manipulations do often extend the current transaction but not
in all of the cases.  For example if we have only single block extents in
the tree, ocfs2_mark_extent_written() will end up calling
ocfs2_replace_extent_rec() all the time and we will never extend the
current transaction and eventually exhaust all the transaction credits if
the IO contains many single block extents.  Once that happens a
WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in
jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to
this error.  This was actually triggered by one of our customers on a
heavily fragmented OCFS2 filesystem.

To fix the issue make sure the transaction always has enough credits for
one extent insert before each call of ocfs2_mark_extent_written().

Heming Zhao said:

------
PANIC: "Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error"

PID: xxx  TASK: xxxx  CPU: 5  COMMAND: "SubmitThread-CA"
  #0 machine_kexec at ffffffff8c069932
  #1 __crash_kexec at ffffffff8c1338fa
  #2 panic at ffffffff8c1d69b9
  #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]
  #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]
  #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]
  #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]
  #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]
  #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]
  #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]
#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]
#11 dio_complete at ffffffff8c2b9fa7
#12 do_blockdev_direct_IO at ffffffff8c2bc09f
#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]
#14 generic_file_direct_write at ffffffff8c1dcf14
#15 __generic_file_write_iter at ffffffff8c1dd07b
#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]
#17 aio_write at ffffffff8c2cc72e
#18 kmem_cache_alloc at ffffffff8c248dde
#19 do_io_submit at ffffffff8c2ccada
#20 do_syscall_64 at ffffffff8c004984
#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42078
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: initialise nfsd_info.mutex early.

nfsd_info.mutex can be dereferenced by svc_pool_stats_start()
immediately after the new netns is created.  Currently this can
trigger an oops.

Move the initialisation earlier before it can possibly be dereferenced.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42079
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix NULL pointer dereference in gfs2_log_flush

In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush
lock to provide exclusion against gfs2_log_flush().

In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before
dereferencing it.  Otherwise, we could run into a NULL pointer
dereference when outstanding glock work races with an unmount
(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->
gfs2_log_flush).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42080
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/restrack: Fix potential invalid address access

struct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME
in ib_create_cq(), while if the module exited but forgot del this
rdma_restrack_entry, it would cause a invalid address access in
rdma_restrack_clean() when print the owner of this rdma_restrack_entry.

These code is used to help find one forgotten PD release in one of the
ULPs. But it is not needed anymore, so delete them.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42081
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe/xe_devcoredump: Check NULL before assignments

Assign 'xe_devcoredump_snapshot *' and 'xe_device *' only if
'coredump' is not NULL.

v2
- Fix commit messages.

v3
- Define variables before code.(Ashutosh/Jose)

v4
- Drop return check for coredump_to_xe. (Jose/Rodrigo)

v5
- Modify misleading commit message. (Matt)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42081

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42082
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xdp: Remove WARN() from __xdp_reg_mem_model()

syzkaller reports a warning in __xdp_reg_mem_model().

The warning occurs only if __mem_id_init_hash_table() returns an error. It
returns the error in two cases:

  1. memory allocation fails;
  2. rhashtable_init() fails when some fields of rhashtable_params
     struct are not initialized properly.

The second case cannot happen since there is a static const rhashtable_params
struct with valid fields. So, warning is only triggered when there is a
problem with memory allocation.

Thus, there is no sense in using WARN() to handle this error and it can be
safely removed.

WARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299

CPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299

Call Trace:
 xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344
 xdp_test_run_setup net/bpf/test_run.c:188 [inline]
 bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377
 bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267
 bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240
 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649
 __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Found by Linux Verification Center (linuxtesting.org) with syzkaller.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42082

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42083
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ionic: fix kernel panic due to multi-buffer handling

Currently, the ionic_run_xdp() doesn't handle multi-buffer packets
properly for XDP_TX and XDP_REDIRECT.
When a jumbo frame is received, the ionic_run_xdp() first makes xdp
frame with all necessary pages in the rx descriptor.
And if the action is either XDP_TX or XDP_REDIRECT, it should unmap
dma-mapping and reset page pointer to NULL for all pages, not only the
first page.
But it doesn't for SG pages. So, SG pages unexpectedly will be reused.
It eventually causes kernel panic.

Oops: general protection fault, probably for non-canonical address 0x504f4e4dbebc64ff: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.10.0-rc3+ #25
RIP: 0010:xdp_return_frame+0x42/0x90
Code: 01 75 12 5b 4c 89 e6 5d 31 c9 41 5c 31 d2 41 5d e9 73 fd ff ff 44 8b 6b 20 0f b7 43 0a 49 81 ed 68 01 00 00 49 29 c5 49 01 fd <41> 80 7d0
RSP: 0018:ffff99d00122ce08 EFLAGS: 00010202
RAX: 0000000000005453 RBX: ffff8d325f904000 RCX: 0000000000000001
RDX: 00000000670e1000 RSI: 000000011f90d000 RDI: 504f4e4d4c4b4a49
RBP: ffff99d003907740 R08: 0000000000000000 R09: 0000000000000000
R10: 000000011f90d000 R11: 0000000000000000 R12: ffff8d325f904010
R13: 504f4e4dbebc64fd R14: ffff8d3242b070c8 R15: ffff99d0039077c0
FS:  0000000000000000(0000) GS:ffff8d399f780000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f41f6c85e38 CR3: 000000037ac30000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
 <IRQ>
 ? die_addr+0x33/0x90
 ? exc_general_protection+0x251/0x2f0
 ? asm_exc_general_protection+0x22/0x30
 ? xdp_return_frame+0x42/0x90
 ionic_tx_clean+0x211/0x280 [ionic 15881354510e6a9c655c59c54812b319ed2cd015]
 ionic_tx_cq_service+0xd3/0x210 [ionic 15881354510e6a9c655c59c54812b319ed2cd015]
 ionic_txrx_napi+0x41/0x1b0 [ionic 15881354510e6a9c655c59c54812b319ed2cd015]
 __napi_poll.constprop.0+0x29/0x1b0
 net_rx_action+0x2c4/0x350
 handle_softirqs+0xf4/0x320
 irq_exit_rcu+0x78/0xa0
 common_interrupt+0x77/0x90
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42085
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock

When config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system
to enter suspend status with below command:
echo mem > /sys/power/state
There will be a deadlock issue occurring. Detailed invoking path as
below:
dwc3_suspend_common()
    spin_lock_irqsave(&dwc->lock, flags);              <-- 1st
    dwc3_gadget_suspend(dwc);
        dwc3_gadget_soft_disconnect(dwc);
            spin_lock_irqsave(&dwc->lock, flags);      <-- 2nd
This issue is exposed by commit c7ebd8149ee5 ("usb: dwc3: gadget: Fix
NULL pointer dereference in dwc3_gadget_suspend") that removes the code
of checking whether dwc->gadget_driver is NULL or not. It causes the
following code is executed and deadlock occurs when trying to get the
spinlock. In fact, the root cause is the commit 5265397f9442("usb: dwc3:
Remove DWC3 locking during gadget suspend/resume") that forgot to remove
the lock of otg mode. So, remove the redundant lock of otg mode during
gadget suspend/resume.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42085

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42090
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER

In create_pinctrl(), pinctrl_maps_mutex is acquired before calling
add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()
calls pinctrl_free(). However, pinctrl_free() attempts to acquire
pinctrl_maps_mutex, which is already held by create_pinctrl(), leading to
a potential deadlock.

This patch resolves the issue by releasing pinctrl_maps_mutex before
calling pinctrl_free(), preventing the deadlock.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42090

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42093
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/dpaa2: Avoid explicit cpumask var allocation on stack

For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask
variable on stack is not recommended since it can cause potential stack
overflow.

Instead, kernel code should always use *cpumask_var API(s) to allocate
cpumask var in config-neutral way, leaving allocation strategy to
CONFIG_CPUMASK_OFFSTACK.

Use *cpumask_var API(s) to address it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42093

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42094
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/iucv: Avoid explicit cpumask var allocation on stack

For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask
variable on stack is not recommended since it can cause potential stack
overflow.

Instead, kernel code should always use *cpumask_var API(s) to allocate
cpumask var in config-neutral way, leaving allocation strategy to
CONFIG_CPUMASK_OFFSTACK.

Use *cpumask_var API(s) to address it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42094

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42101
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes

In nouveau_connector_get_modes(), the return value of drm_mode_duplicate()
is assigned to mode, which will lead to a possible NULL pointer
dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42101

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42102
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again"

Patch series "mm: Avoid possible overflows in dirty throttling".

Dirty throttling logic assumes dirty limits in page units fit into
32-bits.  This patch series makes sure this is true (see patch 2/2 for
more details).


This patch (of 2):

This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.

The commit is broken in several ways.  Firstly, the removed (u64) cast
from the multiplication will introduce a multiplication overflow on 32-bit
archs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the
default settings with 4GB of RAM will trigger this).  Secondly, the
div64_u64() is unnecessarily expensive on 32-bit archs.  We have
div64_ul() in case we want to be safe & cheap.  Thirdly, if dirty
thresholds are larger than 1<<32 pages, then dirty balancing is going to
blow up in many other spectacular ways anyway so trying to fix one
possible overflow is just moot.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42102

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42104
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: add missing check for inode numbers on directory entries

Syzbot reported that mounting and unmounting a specific pattern of
corrupted nilfs2 filesystem images causes a use-after-free of metadata
file inodes, which triggers a kernel bug in lru_add_fn().

As Jan Kara pointed out, this is because the link count of a metadata file
gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),
tries to delete that inode (ifile inode in this case).

The inconsistency occurs because directories containing the inode numbers
of these metadata files that should not be visible in the namespace are
read without checking.

Fix this issue by treating the inode numbers of these internal files as
errors in the sanity check helper when reading directory folios/pages.

Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer
analysis.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42104

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42108
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: rswitch: Avoid use-after-free in rswitch_poll()

The use-after-free is actually in rswitch_tx_free(), which is inlined in
rswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the
same pointer, the skb is first freed using dev_kfree_skb_any(), then the
value in skb->len is used to update the interface statistics.

Let's move around the instructions to use skb->len before the skb is
freed.

This bug is trivial to reproduce using KFENCE. It will trigger a splat
every few packets. A simple ARP request or ICMP echo request is enough.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42108

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42109
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unconditionally flush pending work before notifier

syzbot reports:

KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831
KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530
KASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597
Read of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45
[..]
Workqueue: events nf_tables_trans_destroy_work
Call Trace:
 nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]
 nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]
 nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597

Problem is that the notifier does a conditional flush, but its possible
that the table-to-be-removed is still referenced by transactions being
processed by the worker, so we need to flush unconditionally.

We could make the flush_work depend on whether we found a table to delete
in nf-next to avoid the flush for most cases.

AFAICS this problem is only exposed in nf-next, with
commit e169285f8c56 ("netfilter: nf_tables: do not store nft_ctx in transaction objects"),
with this commit applied there is an unconditional fetch of
table->family which is whats triggering the above splat.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42109

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42114
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM
to 2^31.

We had a similar issue in sch_fq, fixed with commit
d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM")

watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]
Modules linked in:
irq event stamp: 131135
 hardirqs last  enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]
 hardirqs last  enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95
 hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
 hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
 softirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline]
 softirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553
 softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: mld mld_ifc_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : __list_del include/linux/list.h:195 [inline]
 pc : __list_del_entry include/linux/list.h:218 [inline]
 pc : list_move_tail include/linux/list.h:310 [inline]
 pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
 pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
 lr : __list_del_entry include/linux/list.h:218 [inline]
 lr : list_move_tail include/linux/list.h:310 [inline]
 lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
 lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854
sp : ffff800093d36700
x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000
x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0
x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0
x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0
x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8
x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc
x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470
Call trace:
  __list_del include/linux/list.h:195 [inline]
  __list_del_entry include/linux/list.h:218 [inline]
  list_move_tail include/linux/list.h:310 [inline]
  fq_tin_dequeue include/net/fq_impl.h:112 [inline]
  ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
  wake_tx_push_queue net/mac80211/util.c:294 [inline]
  ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315
  drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]
  schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]
  ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664
  ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966
  ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062
  __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338
  ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532
  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
  netdev_start_xmit include/linux/netdevice.h:4917 [inline]
  xmit_one net/core/dev.c:3531 [inline]
  dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547
  __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341
  dev_queue_xmit include/linux/netdevice.h:3091 [inline]
  neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563
  neigh_output include/net/neighbour.h:542 [inline]
  ip6_fini
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42114

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42122
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add NULL pointer check for kzalloc

[Why & How]
Check return pointer of kzalloc before using it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42122

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42123
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix double free err_addr pointer warnings

In amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages
will be run many times so that double free err_addr in some special case.
So set the err_addr to NULL to avoid the warnings.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42123

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42131
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: avoid overflows in dirty throttling logic

The dirty throttling logic is interspersed with assumptions that dirty
limits in PAGE_SIZE units fit into 32-bit (so that various multiplications
fit into 64-bits).  If limits end up being larger, we will hit overflows,
possible divisions by 0 etc.  Fix these problems by never allowing so
large dirty limits as they have dubious practical value anyway.  For
dirty_bytes / dirty_background_bytes interfaces we can just refuse to set
so large limits.  For dirty_ratio / dirty_background_ratio it isn't so
simple as the dirty limit is computed from the amount of available memory
which can change due to memory hotplug etc.  So when converting dirty
limits from ratios to numbers of pages, we just don't allow the result to
exceed UINT_MAX.

This is root-only triggerable problem which occurs when the operator
sets dirty limits to >16 TB.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42131

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42136
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cdrom: rearrange last_media_change check to avoid unintentional overflow

When running syzkaller with the newly reintroduced signed integer wrap
sanitizer we encounter this splat:

[  366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33
[  366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')
[  366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO
[  366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[  366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  366.027518] Call Trace:
[  366.027523]  <TASK>
[  366.027533]  dump_stack_lvl+0x93/0xd0
[  366.027899]  handle_overflow+0x171/0x1b0
[  366.038787] ata1.00: invalid multi_count 32 ignored
[  366.043924]  cdrom_ioctl+0x2c3f/0x2d10
[  366.063932]  ? __pm_runtime_resume+0xe6/0x130
[  366.071923]  sr_block_ioctl+0x15d/0x1d0
[  366.074624]  ? __pfx_sr_block_ioctl+0x10/0x10
[  366.077642]  blkdev_ioctl+0x419/0x500
[  366.080231]  ? __pfx_blkdev_ioctl+0x10/0x10
...

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
sanitizer").

Let's rearrange the check to not perform any arithmetic, thus not
tripping the sanitizer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42136

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42137
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot

Commit 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed
serdev") will cause below regression issue:

BT can't be enabled after below steps:
cold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure
if property enable-gpios is not configured within DT|ACPI for QCA6390.

The commit is to fix a use-after-free issue within qca_serdev_shutdown()
by adding condition to avoid the serdev is flushed or wrote after closed
but also introduces this regression issue regarding above steps since the
VSC is not sent to reset controller during warm reboot.

Fixed by sending the VSC to reset controller within qca_serdev_shutdown()
once BT was ever enabled, and the use-after-free issue is also fixed by
this change since the serdev is still opened before it is flushed or wrote.

Verified by the reported machine Dell XPS 13 9310 laptop over below two
kernel commits:
commit e00fc2700a3f ("Bluetooth: btusb: Fix triggering coredump
implementation for QCA") of bluetooth-next tree.
commit b23d98d46d28 ("Bluetooth: btusb: Fix triggering coredump
implementation for QCA") of linus mainline tree.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42137

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42140
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

riscv: kexec: Avoid deadlock in kexec crash path

If the kexec crash code is called in the interrupt context, the
machine_kexec_mask_interrupts() function will trigger a deadlock while
trying to acquire the irqdesc spinlock and then deactivate irqchip in
irq_set_irqchip_state() function.

Unlike arm64, riscv only requires irq_eoi handler to complete EOI and
keeping irq_set_irqchip_state() will only leave this possible deadlock
without any use. So we simply remove it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42140

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42144
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data

Verify that lvts_data is not NULL before using it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42144

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42148
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bnx2x: Fix multiple UBSAN array-index-out-of-bounds

Fix UBSAN warnings that occur when using a system with 32 physical
cpu cores or more, or when the user defines a number of Ethernet
queues greater than or equal to FP_SB_MAX_E1x using the num_queues
module parameter.

Currently there is a read/write out of bounds that occurs on the array
"struct stats_query_entry query" present inside the "bnx2x_fw_stats_req"
struct in "drivers/net/ethernet/broadcom/bnx2x/bnx2x.h".
Looking at the definition of the "struct stats_query_entry query" array:

struct stats_query_entry query[FP_SB_MAX_E1x+
         BNX2X_FIRST_QUEUE_QUERY_IDX];

FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and
has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3
meaning the array has a total size of 19.
Since accesses to "struct stats_query_entry query" are offset-ted by
BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet
queues should not exceed FP_SB_MAX_E1x (16). However one of these queues
is reserved for FCOE and thus the number of Ethernet queues should be set
to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if
it is not.

This is also described in a comment in the source code in
drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition
of FP_SB_MAX_E1x. Below is the part of this explanation that it important
for this patch

/*
  * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is
  * control by the number of fast-path status blocks supported by the
  * device (HW/FW). Each fast-path status block (FP-SB) aka non-default
  * status block represents an independent interrupts context that can
  * serve a regular L2 networking queue. However special L2 queues such
  * as the FCoE queue do not require a FP-SB and other components like
  * the CNIC may consume FP-SB reducing the number of possible L2 queues
  *
  * If the maximum number of FP-SB available is X then:
  * a. If CNIC is supported it consumes 1 FP-SB thus the max number of
  *    regular L2 queues is Y=X-1
  * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)
  * c. If the FCoE L2 queue is supported the actual number of L2 queues
  *    is Y+1
  * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for
  *    slow-path interrupts) or Y+2 if CNIC is supported (one additional
  *    FP interrupt context for the CNIC).
  * e. The number of HW context (CID count) is always X or X+1 if FCoE
  *    L2 queue is supported. The cid for the FCoE L2 queue is always X.
  */

However this driver also supports NICs that use the E2 controller which can
handle more queues due to having more FP-SB represented by FP_SB_MAX_E2.
Looking at the commits when the E2 support was added, it was originally
using the E1x parameters: commit f2e0899f0f27 ("bnx2x: Add 57712 support").
Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver
was later updated to take full advantage of the E2 instead of having it be
limited to the capabilities of the E1x. But as far as we can tell, the
array "stats_query_entry query" was still limited to using the FP-SB
available to the E1x cards as part of an oversignt when the driver was
updated to take full advantage of the E2, and now with the driver being
aware of the greater queue size supported by E2 NICs, it causes the UBSAN
warnings seen in the stack traces below.

This patch increases the size of the "stats_query_entry query" array by
replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle
both types of NICs.

Stack traces:

UBSAN: array-index-out-of-bounds in
       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
index 20 is out of range for type 'stats_query_entry [19]'
CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic
	     #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42148

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42152
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix a possible leak when destroy a ctrl during qp establishment

In nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we
know that a ctrl was allocated (in the admin connect request handler)
and we need to release pending AERs, clear ctrl->sqs and sq->ctrl
(for nvme-loop primarily), and drop the final reference on the ctrl.

However, a small window is possible where nvmet_sq_destroy starts (as
a result of the client giving up and disconnecting) concurrently with
the nvme admin connect cmd (which may be in an early stage). But *before*
kill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq
live reference). In this case, sq->ctrl was allocated however after it was
captured in a local variable in nvmet_sq_destroy.
This prevented the final reference drop on the ctrl.

Solve this by re-capturing the sq->ctrl after all inflight request has
completed, where for sure sq->ctrl reference is final, and move forward
based on that.

This issue was observed in an environment with many hosts connecting
multiple ctrls simoutanuosly, creating a delay in allocating a ctrl
leading up to this race window.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42152

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42153
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr

When del_timer_sync() is called in an interrupt context it throws a warning
because of potential deadlock. The timer is used only to exit from
wait_for_completion() after a timeout so replacing the call with
wait_for_completion_timeout() allows to remove the problematic timer and
its related functions altogether.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42153

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42154
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tcp_metrics: validate source addr length

I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4
is at least 4 bytes long, and the policy doesn't have an entry
for this attribute at all (neither does it for IPv6 but v6 is
manually validated).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42154

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42155
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/pkey: Wipe copies of protected- and secure-keys

Although the clear-key of neither protected- nor secure-keys is
accessible, this key material should only be visible to the calling
process. So wipe all copies of protected- or secure-keys from stack,
even in case of an error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 1.9
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42155

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42156
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/pkey: Wipe copies of clear-key structures on failure

Wipe all sensitive data from stack for all IOCTLs, which convert a
clear-key into a protected- or secure-key.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42156

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42157
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/pkey: Wipe sensitive data on failure

Wipe sensitive data from stack also if the copy_to_user() fails.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42157

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42158
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings

Replace memzero_explicit() and kfree() with kfree_sensitive() to fix
warnings reported by Coccinelle:

WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)
WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)
WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42158

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42159
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Sanitise num_phys

Information is stored in mr_sas_port->phy_mask, values larger then size of
this field shouldn't be allowed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42159

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42160
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: check validation of fault attrs in f2fs_build_fault_attr()

- It missed to check validation of fault attrs in parse_options(),
let's fix to add check condition in f2fs_build_fault_attr().
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42160

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42161
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD

[Changes from V1:
 - Use a default branch in the switch statement to initialize `val'.]

GCC warns that `val' may be used uninitialized in the
BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:

	[...]
	unsigned long long val;						      \
	[...]								      \
	switch (__CORE_RELO(s, field, BYTE_SIZE)) {			      \
	case 1: val = *(const unsigned char *)p; break;			      \
	case 2: val = *(const unsigned short *)p; break;		      \
	case 4: val = *(const unsigned int *)p; break;			      \
	case 8: val = *(const unsigned long long *)p; break;		      \
        }       							      \
	[...]
	val;								      \
	}								      \

This patch adds a default entry in the switch statement that sets
`val' to zero in order to avoid the warning, and random values to be
used in case __builtin_preserve_field_info returns unexpected values
for BPF_FIELD_BYTE_SIZE.

Tested in bpf-next master.
No regressions.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42161

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42162
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gve: Account for stopped queues when reading NIC stats

We now account for the fact that the NIC might send us stats for a
subset of queues. Without this change, gve_get_ethtool_stats might make
an invalid access on the priv->stats_report->stats array.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42223
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: tda10048: Fix integer overflow

state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer
when multiplied by pll_mfactor.

Create a new 64 bit variable to hold the calculations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42223

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42224
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: mv88e6xxx: Correct check for empty list

Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO
busses") mv88e6xxx_default_mdio_bus() has checked that the
return value of list_first_entry() is non-NULL.

This appears to be intended to guard against the list chip->mdios being
empty.  However, it is not the correct check as the implementation of
list_first_entry is not designed to return NULL for empty lists.

Instead, use list_first_entry_or_null() which does return NULL if the
list is empty.

Flagged by Smatch.
Compile tested only.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42224

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42225
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: replace skb_put with skb_put_zero

Avoid potentially reusing uninitialized data
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42225

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42227
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix overlapping copy within dml_core_mode_programming

[WHY]
&mode_lib->mp.Watermark and &locals->Watermark are
the same address. memcpy may lead to unexpected behavior.

[HOW]
memmove should be used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42227

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42228
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
V2: To really improve the handling we would actually
   need to have a separate value of 0xffffffff.(Christian)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42228

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42229
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: aead,cipher - zeroize key buffer after use

I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding
cryptographic information should be zeroized once they are no longer
needed. Accomplish this by using kfree_sensitive for buffers that
previously held the private key.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42229

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42230
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries: Fix scv instruction crash with kexec

kexec on pseries disables AIL (reloc_on_exc), required for scv
instruction support, before other CPUs have been shut down. This means
they can execute scv instructions after AIL is disabled, which causes an
interrupt at an unexpected entry location that crashes the kernel.

Change the kexec sequence to disable AIL after other CPUs have been
brought down.

As a refresher, the real-mode scv interrupt vector is 0x17000, and the
fixed-location head code probably couldn't easily deal with implementing
such high addresses so it was just decided not to support that interrupt
at all.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42230

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42231
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: fix calc_available_free_space() for zoned mode

calc_available_free_space() returns the total size of metadata (or
system) block groups, which can be allocated from unallocated disk
space. The logic is wrong on zoned mode in two places.

First, the calculation of data_chunk_size is wrong. We always allocate
one zone as one chunk, and no partial allocation of a zone. So, we
should use zone_size (= data_sinfo->chunk_size) as it is.

Second, the result "avail" may not be zone aligned. Since we always
allocate one zone as one chunk on zoned mode, returning non-zone size
aligned bytes will result in less pressure on the async metadata reclaim
process.

This is serious for the nearly full state with a large zone size device.
Allowing over-commit too much will result in less async reclaim work and
end up in ENOSPC. We can align down to the zone size to avoid that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42231

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42232
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

libceph: fix race between delayed_work() and ceph_monc_stop()

The way the delayed work is handled in ceph_monc_stop() is prone to
races with mon_fault() and possibly also finish_hunting().  Both of
these can requeue the delayed work which wouldn't be canceled by any of
the following code in case that happens after cancel_delayed_work_sync()
runs -- __close_session() doesn't mess with the delayed work in order
to avoid interfering with the hunting interval logic.  This part was
missed in commit b5d91704f53e ("libceph: behave in mon_fault() if
cur_mon < 0") and use-after-free can still ensue on monc and objects
that hang off of it, with monc->auth and monc->monmap being
particularly susceptible to quickly being reused.

To fix this:

- clear monc->cur_mon and monc->hunting as part of closing the session
  in ceph_monc_stop()
- bail from delayed_work() if monc->cur_mon is cleared, similar to how
  it's done in mon_fault() and finish_hunting() (based on monc->hunting)
- call cancel_delayed_work_sync() after the session is closed
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42232

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42233
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

filemap: replace pte_offset_map() with pte_offset_map_nolock()

The vmf->ptl in filemap_fault_recheck_pte_none() is still set from
handle_pte_fault().  But at the same time, we did a pte_unmap(vmf->pte). 
After a pte_unmap(vmf->pte) unmap and rcu_read_unlock(), the page table
may be racily changed and vmf->ptl maybe fails to protect the actual page
table.  Fix this by replacing pte_offset_map() with
pte_offset_map_nolock().

As David said, the PTL pointer might be stale so if we continue to use
it infilemap_fault_recheck_pte_none(), it might trigger UAF.  Also, if
the PTL fails, the issue fixed by commit 58f327f2ce80 ("filemap: avoid
unnecessary major faults in filemap_fault()") might reappear.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42233

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42234
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: fix crashes from deferred split racing folio migration

Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on
flags when freeing, yet the flags shown are not bad: PG_locked had been
set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from
deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN
symptoms implying double free by deferred split and large folio migration.

6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large
folio migration") was right to fix the memcg-dependent locking broken in
85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),
but missed a subtlety of deferred_split_scan(): it moves folios to its own
local list to work on them without split_queue_lock, during which time
folio->_deferred_list is not empty, but even the "right" lock does nothing
to secure the folio and the list it is on.

Fortunately, deferred_split_scan() is careful to use folio_try_get(): so
folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()
while the old folio's reference count is temporarily frozen to 0 - adding
such a freeze in the !mapping case too (originally, folio lock and
unmapping and no swap cache left an anon folio unreachable, so no freezing
was needed there: but the deferred split queue offers a way to reach it).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42234

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42235
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/mm: Add NULL pointer check to crst_table_free() base_crst_free()

crst_table_free() used to work with NULL pointers before the conversion
to ptdescs.  Since crst_table_free() can be called with a NULL pointer
(error handling in crst_table_upgrade() add an explicit check.

Also add the same check to base_crst_free() for consistency reasons.

In real life this should not happen, since order two GFP_KERNEL
allocations will not fail, unless FAIL_PAGE_ALLOC is enabled and used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42235

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42236
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()

Userspace provided string 's' could trivially have the length zero. Left
unchecked this will firstly result in an OOB read in the form
`if (str[0 - 1] == '\n') followed closely by an OOB write in the form
`str[0 - 1] = '\0'`.

There is already a validating check to catch strings that are too long.
Let's supply an additional check for invalid strings that are too short.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42236

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42237
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: cs_dsp: Validate payload length before processing block

Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load()
to be done before the block is processed.

The check that the length of a block payload does not exceed the number
of remaining bytes in the firwmware file buffer was being done near the
end of the loop iteration. However, some code before that check used the
length field without validating it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42237

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42238
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: cs_dsp: Return error if block header overflows file

Return an error from cs_dsp_power_up() if a block header is longer
than the amount of data left in the file.

The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop
while there was enough data left in the file for a valid region. This
protected against overrunning the end of the file data, but it didn't
abort the file processing with an error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42238

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42239
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fail bpf_timer_cancel when callback is being cancelled

Given a schedule:

timer1 cb			timer2 cb

bpf_timer_cancel(timer2);	bpf_timer_cancel(timer1);

Both bpf_timer_cancel calls would wait for the other callback to finish
executing, introducing a lockup.

Add an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps
track of all in-flight cancellation requests for a given BPF timer.
Whenever cancelling a BPF timer, we must check if we have outstanding
cancellation requests, and if so, we must fail the operation with an
error (-EDEADLK) since cancellation is synchronous and waits for the
callback to finish executing. This implies that we can enter a deadlock
situation involving two or more timer callbacks executing in parallel
and attempting to cancel one another.

Note that we avoid incrementing the cancelling counter for the target
timer (the one being cancelled) if bpf_timer_cancel is not invoked from
a callback, to avoid spurious errors. The whole point of detecting
cur->cancelling and returning -EDEADLK is to not enter a busy wait loop
(which may or may not lead to a lockup). This does not apply in case the
caller is in a non-callback context, the other side can continue to
cancel as it sees fit without running into errors.

Background on prior attempts:

Earlier versions of this patch used a bool 'cancelling' bit and used the
following pattern under timer->lock to publish cancellation status.

lock(t->lock);
t->cancelling = true;
mb();
if (cur->cancelling)
	return -EDEADLK;
unlock(t->lock);
hrtimer_cancel(t->timer);
t->cancelling = false;

The store outside the critical section could overwrite a parallel
requests t->cancelling assignment to true, to ensure the parallely
executing callback observes its cancellation status.

It would be necessary to clear this cancelling bit once hrtimer_cancel
is done, but lack of serialization introduced races. Another option was
explored where bpf_timer_start would clear the bit when (re)starting the
timer under timer->lock. This would ensure serialized access to the
cancelling bit, but may allow it to be cleared before in-flight
hrtimer_cancel has finished executing, such that lockups can occur
again.

Thus, we choose an atomic counter to keep track of all outstanding
cancellation requests and use it to prevent lockups in case callbacks
attempt to cancel each other while executing in parallel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42239

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42240
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/bhi: Avoid warning in #DB handler due to BHI mitigation

When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
(exc_debug_kernel()) to issue a warning because single-step is used outside the
entry_SYSENTER_compat() function.

To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
after making sure the TF flag is cleared.

The problem can be reproduced with the following sequence:

  $ cat sysenter_step.c
  int main()
  { asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); }

  $ gcc -o sysenter_step sysenter_step.c

  $ ./sysenter_step
  Segmentation fault (core dumped)

The program is expected to crash, and the #DB handler will issue a warning.

Kernel log:

  WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
  ...
  RIP: 0010:exc_debug_kernel+0xd2/0x160
  ...
  Call Trace:
  <#DB>
   ? show_regs+0x68/0x80
   ? __warn+0x8c/0x140
   ? exc_debug_kernel+0xd2/0x160
   ? report_bug+0x175/0x1a0
   ? handle_bug+0x44/0x90
   ? exc_invalid_op+0x1c/0x70
   ? asm_exc_invalid_op+0x1f/0x30
   ? exc_debug_kernel+0xd2/0x160
   exc_debug+0x43/0x50
   asm_exc_debug+0x1e/0x40
  RIP: 0010:clear_bhb_loop+0x0/0xb0
  ...
  </#DB>
  <TASK>
   ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
  </TASK>

  [ bp: Massage commit message. ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42240

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42241
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/shmem: disable PMD-sized page cache if needed

For shmem files, it's possible that PMD-sized page cache can't be
supported by xarray.  For example, 512MB page cache on ARM64 when the base
page size is 64KB can't be supported by xarray.  It leads to errors as the
following messages indicate when this sort of xarray entry is split.

WARNING: CPU: 34 PID: 7578 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6   \
nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject        \
nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4  \
ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse xfs  \
libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_net \
net_failover virtio_console virtio_blk failover dimlib virtio_mmio
CPU: 34 PID: 7578 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : xas_split_alloc+0xf8/0x128
lr : split_huge_page_to_list_to_order+0x1c4/0x720
sp : ffff8000882af5f0
x29: ffff8000882af5f0 x28: ffff8000882af650 x27: ffff8000882af768
x26: 0000000000000cc0 x25: 000000000000000d x24: ffff00010625b858
x23: ffff8000882af650 x22: ffffffdfc0900000 x21: 0000000000000000
x20: 0000000000000000 x19: ffffffdfc0900000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000018000000000 x15: 52f8004000000000
x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020
x11: 52f8000000000000 x10: 52f8e1c0ffff6000 x9 : ffffbeb9619a681c
x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff00010b02ddb0
x5 : ffffbeb96395e378 x4 : 0000000000000000 x3 : 0000000000000cc0
x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000
Call trace:
 xas_split_alloc+0xf8/0x128
 split_huge_page_to_list_to_order+0x1c4/0x720
 truncate_inode_partial_folio+0xdc/0x160
 shmem_undo_range+0x2bc/0x6a8
 shmem_fallocate+0x134/0x430
 vfs_fallocate+0x124/0x2e8
 ksys_fallocate+0x4c/0xa0
 __arm64_sys_fallocate+0x24/0x38
 invoke_syscall.constprop.0+0x7c/0xd8
 do_el0_svc+0xb4/0xd0
 el0_svc+0x44/0x1d8
 el0t_64_sync_handler+0x134/0x150
 el0t_64_sync+0x17c/0x180

Fix it by disabling PMD-sized page cache when HPAGE_PMD_ORDER is larger
than MAX_PAGECACHE_ORDER.  As Matthew Wilcox pointed, the page cache in a
shmem file isn't represented by a multi-index entry and doesn't have this
limitation when the xarry entry is split until commit 6b24ca4a1a8d ("mm:
Use multi-index entries in the page cache").
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42241

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42242
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mmc: sdhci: Fix max_seg_size for 64KiB PAGE_SIZE

blk_queue_max_segment_size() ensured:

	if (max_size < PAGE_SIZE)
		max_size = PAGE_SIZE;

whereas:

blk_validate_limits() makes it an error:

	if (WARN_ON_ONCE(lim->max_segment_size < PAGE_SIZE))
		return -EINVAL;

The change from one to the other, exposed sdhci which was setting maximum
segment size too low in some circumstances.

Fix the maximum segment size when it is too low.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42242

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42243
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray

Patch series "mm/filemap: Limit page cache size to that supported by
xarray", v2.

Currently, xarray can't support arbitrary page cache size.  More details
can be found from the WARN_ON() statement in xas_split_alloc().  In our
test whose code is attached below, we hit the WARN_ON() on ARM64 system
where the base page size is 64KB and huge page size is 512MB.  The issue
was reported long time ago and some discussions on it can be found here
[1].

[1] https://www.spinics.net/lists/linux-xfs/msg75404.html

In order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one
supported by xarray and avoid PMD-sized page cache if needed.  The code
changes are suggested by David Hildenbrand.

PATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray
PATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path
PATCH[4] avoids PMD-sized page cache for shmem files if needed

Test program
============
# cat test.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/syscall.h>
#include <sys/mman.h>

#define TEST_XFS_FILENAME	"/tmp/data"
#define TEST_SHMEM_FILENAME	"/dev/shm/data"
#define TEST_MEM_SIZE		0x20000000

int main(int argc, char **argv)
{
	const char *filename;
	int fd = 0;
	void *buf = (void *)-1, *p;
	int pgsize = getpagesize();
	int ret;

	if (pgsize != 0x10000) {
		fprintf(stderr, "64KB base page size is required\n");
		return -EPERM;
	}

	system("echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled");
	system("rm -fr /tmp/data");
	system("rm -fr /dev/shm/data");
	system("echo 1 > /proc/sys/vm/drop_caches");

	/* Open xfs or shmem file */
	filename = TEST_XFS_FILENAME;
	if (argc > 1 && !strcmp(argv[1], "shmem"))
		filename = TEST_SHMEM_FILENAME;

	fd = open(filename, O_CREAT | O_RDWR | O_TRUNC);
	if (fd < 0) {
		fprintf(stderr, "Unable to open <%s>\n", filename);
		return -EIO;
	}

	/* Extend file size */
	ret = ftruncate(fd, TEST_MEM_SIZE);
	if (ret) {
		fprintf(stderr, "Error %d to ftruncate()\n", ret);
		goto cleanup;
	}

	/* Create VMA */
	buf = mmap(NULL, TEST_MEM_SIZE,
		   PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (buf == (void *)-1) {
		fprintf(stderr, "Unable to mmap <%s>\n", filename);
		goto cleanup;
	}

	fprintf(stdout, "mapped buffer at 0x%p\n", buf);
	ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);
        if (ret) {
		fprintf(stderr, "Unable to madvise(MADV_HUGEPAGE)\n");
		goto cleanup;
	}

	/* Populate VMA */
	ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);
	if (ret) {
		fprintf(stderr, "Error %d to madvise(MADV_POPULATE_WRITE)\n", ret);
		goto cleanup;
	}

	/* Punch the file to enforce xarray split */
	ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,
        		TEST_MEM_SIZE - pgsize, pgsize);
	if (ret)
		fprintf(stderr, "Error %d to fallocate()\n", ret);

cleanup:
	if (buf != (void *)-1)
		munmap(buf, TEST_MEM_SIZE);
	if (fd > 0)
		close(fd);

	return 0;
}

# gcc test.c -o test
# cat /proc/1/smaps | grep KernelPageSize | head -n 1
KernelPageSize:       64 kB
# ./test shmem
   :
------------[ cut here ]------------
WARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib  \
nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct    \
nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4    \
ip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon          \
drm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64  \
virtio_net sha1_ce net_failover failover virtio_console virtio_blk \
dimlib virtio_mmio
CPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TC
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42243

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42244
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

USB: serial: mos7840: fix crash on resume

Since commit c49cfa917025 ("USB: serial: use generic method if no
alternative is provided in usb serial layer"), USB serial core calls the
generic resume implementation when the driver has not provided one.

This can trigger a crash on resume with mos7840 since support for
multiple read URBs was added back in 2011. Specifically, both port read
URBs are now submitted on resume for open ports, but the context pointer
of the second URB is left set to the core rather than mos7840 port
structure.

Fix this by implementing dedicated suspend and resume functions for
mos7840.

Tested with Delock 87414 USB 2.0 to 4x serial adapter.

[ johan: analyse crash and rewrite commit message; set busy flag on
         resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42244

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42245
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Revert "sched/fair: Make sure to try to detach at least one movable task"

This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06.

b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if
all tasks examined to that point were pinned. The goal of the patch was
to make it more likely to be able to detach a task buried in a long list
of pinned tasks. However, this has the unfortunate side effect of
creating an O(n) iteration in detach_tasks(), as we now must fully
iterate every task on a cpu if all or most are pinned. Since this load
balance code is done with rq lock held, and often in softirq context, it
is very easy to trigger hard lockups. We observed such hard lockups with
a user who affined O(10k) threads to a single cpu.

When I discussed this with Vincent he initially suggested that we keep
the limit on the number of tasks to detach, but increase the number of
tasks we can search. However, after some back and forth on the mailing
list, he recommended we instead revert the original patch, as it seems
likely no one was actually getting hit by the original issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42245

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42246
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

When using a BPF program on kernel_connect(), the call can return -EPERM. This
causes xs_tcp_setup_socket() to loop forever, filling up the syslog and causing
the kernel to potentially freeze up.

Neil suggested:

  This will propagate -EPERM up into other layers which might not be ready
  to handle it. It might be safer to map EPERM to an error we would be more
  likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.

ECONNREFUSED as error seems reasonable. For programs setting a different error
can be out of reach (see handling in 4fbac77d2d09) in particular on kernels
which do not have f10d05966196 ("bpf: Make BPF_PROG_RUN_ARRAY return -err
instead of allow boolean"), thus given that it is better to simply remap for
consistent behavior. UDP does handle EPERM in xs_udp_send_request().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42246

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42247
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wireguard: allowedips: avoid unaligned 64-bit memory accesses

On the parisc platform, the kernel issues kernel warnings because
swap_endian() tries to load a 128-bit IPv6 address from an unaligned
memory location:

 Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df)
 Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)

Avoid such unaligned memory accesses by instead using the
get_unaligned_be64() helper macro.

[Jason: replace src[8] in original patch with src+8]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42247

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42248
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tty: serial: ma35d1: Add a NULL check for of_node

The pdev->dev.of_node can be NULL if the "serial" node is absent.
Add a NULL check to return an error in such cases.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42248

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42249
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: don't unoptimize message in spi_async()

Calling spi_maybe_unoptimize_message() in spi_async() is wrong because
the message is likely to be in the queue and not transferred yet. This
can corrupt the message while it is being used by the controller driver.

spi_maybe_unoptimize_message() is already called in the correct place
in spi_finalize_current_message() to balance the call to
spi_maybe_optimize_message() in spi_async().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42249

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42250
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cachefiles: add missing lock protection when polling

Add missing lock protection in poll routine when iterating xarray,
otherwise:

Even with RCU read lock held, only the slot of the radix tree is
ensured to be pinned there, while the data structure (e.g. struct
cachefiles_req) stored in the slot has no such guarantee.  The poll
routine will iterate the radix tree and dereference cachefiles_req
accordingly.  Thus RCU read lock is not adequate in this case and
spinlock is needed here.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42250

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42251
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: page_ref: remove folio_try_get_rcu()

The below bug was reported on a non-SMP kernel:

[  275.267158][ T4335] ------------[ cut here ]------------
[  275.267949][ T4335] kernel BUG at include/linux/page_ref.h:275!
[  275.268526][ T4335] invalid opcode: 0000 [#1] KASAN PTI
[  275.269001][ T4335] CPU: 0 PID: 4335 Comm: trinity-c3 Not tainted 6.7.0-rc4-00061-gefa7df3e3bb5 #1
[  275.269787][ T4335] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[  275.270679][ T4335] RIP: 0010:try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))
[  275.272813][ T4335] RSP: 0018:ffffc90005dcf650 EFLAGS: 00010202
[  275.273346][ T4335] RAX: 0000000000000246 RBX: ffffea00066e0000 RCX: 0000000000000000
[  275.274032][ T4335] RDX: fffff94000cdc007 RSI: 0000000000000004 RDI: ffffea00066e0034
[  275.274719][ T4335] RBP: ffffea00066e0000 R08: 0000000000000000 R09: fffff94000cdc006
[  275.275404][ T4335] R10: ffffea00066e0037 R11: 0000000000000000 R12: 0000000000000136
[  275.276106][ T4335] R13: ffffea00066e0034 R14: dffffc0000000000 R15: ffffea00066e0008
[  275.276790][ T4335] FS:  00007fa2f9b61740(0000) GS:ffffffff89d0d000(0000) knlGS:0000000000000000
[  275.277570][ T4335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  275.278143][ T4335] CR2: 00007fa2f6c00000 CR3: 0000000134b04000 CR4: 00000000000406f0
[  275.278833][ T4335] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  275.279521][ T4335] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  275.280201][ T4335] Call Trace:
[  275.280499][ T4335]  <TASK>
[ 275.280751][ T4335] ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)
[ 275.281087][ T4335] ? do_trap (arch/x86/kernel/traps.c:112 arch/x86/kernel/traps.c:153)
[ 275.281463][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))
[ 275.281884][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))
[ 275.282300][ T4335] ? do_error_trap (arch/x86/kernel/traps.c:174)
[ 275.282711][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))
[ 275.283129][ T4335] ? handle_invalid_op (arch/x86/kernel/traps.c:212)
[ 275.283561][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))
[ 275.283990][ T4335] ? exc_invalid_op (arch/x86/kernel/traps.c:264)
[ 275.284415][ T4335] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:568)
[ 275.284859][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))
[ 275.285278][ T4335] try_grab_folio (mm/gup.c:148)
[ 275.285684][ T4335] __get_user_pages (mm/gup.c:1297 (discriminator 1))
[ 275.286111][ T4335] ? __pfx___get_user_pages (mm/gup.c:1188)
[ 275.286579][ T4335] ? __pfx_validate_chain (kernel/locking/lockdep.c:3825)
[ 275.287034][ T4335] ? mark_lock (kernel/locking/lockdep.c:4656 (discriminator 1))
[ 275.287416][ T4335] __gup_longterm_locked (mm/gup.c:1509 mm/gup.c:2209)
[ 275.288192][ T4335] ? __pfx___gup_longterm_locked (mm/gup.c:2204)
[ 275.288697][ T4335] ? __pfx_lock_acquire (kernel/locking/lockdep.c:5722)
[ 275.289135][ T4335] ? __pfx___might_resched (kernel/sched/core.c:10106)
[ 275.289595][ T4335] pin_user_pages_remote (mm/gup.c:3350)
[ 275.290041][ T4335] ? __pfx_pin_user_pages_remote (mm/gup.c:3350)
[ 275.290545][ T4335] ? find_held_lock (kernel/locking/lockdep.c:5244 (discriminator 1))
[ 275.290961][ T4335] ? mm_access (kernel/fork.c:1573)
[ 275.291353][ T4335] process_vm_rw_single_vec+0x142/0x360
[ 275.291900][ T4335] ? __pfx_process_vm_rw_single_vec+0x10/0x10
[ 275.292471][ T4335] ? mm_access (kernel/fork.c:1573)
[ 275.292859][ T4335] process_vm_rw_core+0x272/0x4e0
[ 275.293384][ T4335] ? hlock_class (a
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42251

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42252
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

closures: Change BUG_ON() to WARN_ON()

If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON()

For reference, this has popped up once in the CI, and we'll need more
info to debug it:

03240 ------------[ cut here ]------------
03240 kernel BUG at lib/closure.c:21!
03240 kernel BUG at lib/closure.c:21!
03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
03240 Modules linked in:
03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570
03240 Hardware name: linux,dummy-virt (DT)
03240 Workqueue: btree_update btree_interior_update_work
03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)
03240 pc : closure_put+0x224/0x2a0
03240 lr : closure_put+0x24/0x2a0
03240 sp : ffff0000d12071c0
03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360
03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040
03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168
03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001
03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974
03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d
03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e
03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b
03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954
03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000
03240 Call trace:
03240  closure_put+0x224/0x2a0
03240  bch2_check_for_deadlock+0x910/0x1028
03240  bch2_six_check_for_deadlock+0x1c/0x30
03240  six_lock_slowpath.isra.0+0x29c/0xed0
03240  six_lock_ip_waiter+0xa8/0xf8
03240  __bch2_btree_node_lock_write+0x14c/0x298
03240  bch2_trans_lock_write+0x6d4/0xb10
03240  __bch2_trans_commit+0x135c/0x5520
03240  btree_interior_update_work+0x1248/0x1c10
03240  process_scheduled_works+0x53c/0xd90
03240  worker_thread+0x370/0x8c8
03240  kthread+0x258/0x2e8
03240  ret_from_fork+0x10/0x20
03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000)
03240 ---[ end trace 0000000000000000 ]---
03240 Kernel panic - not syncing: Oops - BUG: Fatal exception
03240 SMP: stopping secondary CPUs
03241 SMP: failed to stop secondary CPUs 13,15
03241 Kernel Offset: disabled
03241 CPU features: 0x00,00000003,80000008,4240500b
03241 Memory Limit: none
03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]---
03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42252

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42253
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gpio: pca953x: fix pca953x_irq_bus_sync_unlock race

Ensure that `i2c_lock' is held when setting interrupt latch and mask in
pca953x_irq_bus_sync_unlock() in order to avoid races.

The other (non-probe) call site pca953x_gpio_set_multiple() ensures the
lock is held before calling pca953x_write_regs().

The problem occurred when a request raced against irq_bus_sync_unlock()
approximately once per thousand reboots on an i.MX8MP based system.

 * Normal case

   0-0022: write register AI|3a {03,02,00,00,01} Input latch P0
   0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0
   0-0022: write register AI|08 {ff,00,00,00,00} Output P3
   0-0022: write register AI|12 {fc,00,00,00,00} Config P3

 * Race case

   0-0022: write register AI|08 {ff,00,00,00,00} Output P3
   0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***
   0-0022: write register AI|12 {fc,00,00,00,00} Config P3
   0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42253

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42254
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix error pbuf checking

Syz reports a problem, which boils down to NULL vs IS_ERR inconsistent
error handling in io_alloc_pbuf_ring().

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:__io_remove_buffers+0xac/0x700 io_uring/kbuf.c:341
Call Trace:
 <TASK>
 io_put_bl io_uring/kbuf.c:378 [inline]
 io_destroy_buffers+0x14e/0x490 io_uring/kbuf.c:392
 io_ring_ctx_free+0xa00/0x1070 io_uring/io_uring.c:2613
 io_ring_exit_work+0x80f/0x8a0 io_uring/io_uring.c:2844
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42254

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42255
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tpm: Use auth only after NULL check in tpm_buf_check_hmac_response()

Dereference auth after NULL check in tpm_buf_check_hmac_response().
Otherwise, unless tpm2_sessions_init() was called, a call can cause NULL
dereference, when TCG_TPM2_HMAC is enabled.

[jarkko: adjusted the commit message.]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42255

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42256
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix server re-repick on subrequest retry

When a subrequest is marked for needing retry, netfs will call
cifs_prepare_write() which will make cifs repick the server for the op
before renegotiating credits; it then calls cifs_issue_write() which
invokes smb2_async_writev() - which re-repicks the server.

If a different server is then selected, this causes the increment of
server->in_flight to happen against one record and the decrement to happen
against another, leading to misaccounting.

Fix this by just removing the repick code in smb2_async_writev().  As this
is only called from netfslib-driven code, cifs_prepare_write() should
always have been called first, and so server should never be NULL and the
preparatory step is repeated in the event that we do a retry.

The problem manifests as a warning looking something like:

 WARNING: CPU: 4 PID: 72896 at fs/smb/client/smb2ops.c:97 smb2_add_credits+0x3f0/0x9e0 [cifs]
 ...
 RIP: 0010:smb2_add_credits+0x3f0/0x9e0 [cifs]
 ...
  smb2_writev_callback+0x334/0x560 [cifs]
  cifs_demultiplex_thread+0x77a/0x11b0 [cifs]
  kthread+0x187/0x1d0
  ret_from_fork+0x34/0x60
  ret_from_fork_asm+0x1a/0x30

Which may be triggered by a number of different xfstests running against an
Azure server in multichannel mode.  generic/249 seems the most repeatable,
but generic/215, generic/249 and generic/308 may also show it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42256

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42257
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: use memtostr_pad() for s_volume_name

As with the other strings in struct ext4_super_block, s_volume_name is
not NUL terminated. The other strings were marked in commit 072ebb3bffe6
("ext4: add nonstring annotations to ext4.h"). Using strscpy() isn't
the right replacement for strncpy(); it should use memtostr_pad()
instead.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42257

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42258
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines

Yves-Alexis Perez reported commit 4ef9ad19e176 ("mm: huge_memory: don't
force huge page alignment on 32 bit") didn't work for x86_32 [1].  It is
because x86_32 uses CONFIG_X86_32 instead of CONFIG_32BIT.

!CONFIG_64BIT should cover all 32 bit machines.

[1] https://lore.kernel.org/linux-mm/CAHbLzkr1LwH3pcTgM+aGQ31ip2bKqiqEQ8=FQB+t2c3dhNKNHA@mail.gmail.com/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42258

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42259
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: Fix Virtual Memory mapping boundaries calculation

Calculating the size of the mapped area as the lesser value
between the requested size and the actual size does not consider
the partial mapping offset. This can cause page fault access.

Fix the calculation of the starting and ending addresses, the
total size is now deduced from the difference between the end and
start addresses.

Additionally, the calculations have been rewritten in a clearer
and more understandable form.

[Joonas: Add Requires: tag]
Requires: 60a2066c5005 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset")
(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42259

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42262
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Fix potential memory leak in the performance extension

If fetching of userspace memory fails during the main loop, all drm sync
objs looked up until that point will be leaked because of the missing
drm_syncobj_put.

Fix it by exporting and using a common cleanup helper.

(cherry picked from commit 484de39fa5f5b7bd0c5f2e2c5265167250ef7501)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42262

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42263
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Fix potential memory leak in the timestamp extension

If fetching of userspace memory fails during the main loop, all drm sync
objs looked up until that point will be leaked because of the missing
drm_syncobj_put.

Fix it by exporting and using a common cleanup helper.

(cherry picked from commit 753ce4fea62182c77e1691ab4f9022008f25b62e)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42263

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42268
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix missing lock on sync reset reload

On sync reset reload work, when remote host updates devlink on reload
actions performed on that host, it misses taking devlink lock before
calling devlink_remote_reload_actions_performed() which results in
triggering lock assert like the following:

WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50
…
 CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S      W          6.10.0-rc2+ #116
 Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0 12/18/2015
 Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core]
 RIP: 0010:devl_assert_locked+0x3e/0x50
…
 Call Trace:
  <TASK>
  ? __warn+0xa4/0x210
  ? devl_assert_locked+0x3e/0x50
  ? report_bug+0x160/0x280
  ? handle_bug+0x3f/0x80
  ? exc_invalid_op+0x17/0x40
  ? asm_exc_invalid_op+0x1a/0x20
  ? devl_assert_locked+0x3e/0x50
  devlink_notify+0x88/0x2b0
  ? mlx5_attach_device+0x20c/0x230 [mlx5_core]
  ? __pfx_devlink_notify+0x10/0x10
  ? process_one_work+0x4b6/0xbb0
  process_one_work+0x4b6/0xbb0
[…]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42268

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42269
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().

ip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],
but the function is exposed to user space before the entry is allocated
via register_pernet_subsys().

Let's call register_pernet_subsys() before xt_register_template().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42269

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42270
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().

We had a report that iptables-restore sometimes triggered null-ptr-deref
at boot time. [0]

The problem is that iptable_nat_table_init() is exposed to user space
before the kernel fully initialises netns.

In the small race window, a user could call iptable_nat_table_init()
that accesses net_generic(net, iptable_nat_net_id), which is available
only after registering iptable_nat_net_ops.

Let's call register_pernet_subsys() before xt_register_template().

[0]:
bpfilter: Loaded bpfilter_umh pid 11702
Started bpfilter
BUG: kernel NULL pointer dereference, address: 0000000000000013
 PF: supervisor write access in kernel mode
 PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
PREEMPT SMP NOPTI
CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1
Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017
RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat
Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c
RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246
RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80
RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0
RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240
R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000
R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004
FS:  00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
 ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
 ? xt_find_table_lock (net/netfilter/x_tables.c:1259)
 ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)
 ? page_fault_oops (arch/x86/mm/fault.c:727)
 ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)
 ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)
 ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat
 xt_find_table_lock (net/netfilter/x_tables.c:1259)
 xt_request_find_table_lock (net/netfilter/x_tables.c:1287)
 get_info (net/ipv4/netfilter/ip_tables.c:965)
 ? security_capable (security/security.c:809 (discriminator 13))
 ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)
 ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)
 ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter
 nf_getsockopt (net/netfilter/nf_sockopt.c:116)
 ip_getsockopt (net/ipv4/ip_sockglue.c:1827)
 __sys_getsockopt (net/socket.c:2327)
 __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)
 do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
RIP: 0033:0x7f62844685ee
Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09
RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0
R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2
R13: 00007f6284
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42270

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42271
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/iucv: fix use after free in iucv_sock_close()

iucv_sever_path() is called from process context and from bh context.
iucv->path is used as indicator whether somebody else is taking care of
severing the path (or it is already removed / never existed).
This needs to be done with atomic compare and swap, otherwise there is a
small window where iucv_sock_close() will try to work with a path that has
already been severed and freed by iucv_callback_connrej() called by
iucv_tasklet_fn().

Example:
[452744.123844] Call Trace:
[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)
[452744.123966]  [<00000000d593001e>] iucv_path_sever+0x96/0x138
[452744.124330]  [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]
[452744.124336]  [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]
[452744.124341]  [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]
[452744.124345]  [<00000000d574794e>] __sock_release+0x5e/0xe8
[452744.124815]  [<00000000d5747a0c>] sock_close+0x34/0x48
[452744.124820]  [<00000000d5421642>] __fput+0xba/0x268
[452744.124826]  [<00000000d51b382c>] task_work_run+0xbc/0xf0
[452744.124832]  [<00000000d5145710>] do_notify_resume+0x88/0x90
[452744.124841]  [<00000000d5978096>] system_call+0xe2/0x2c8
[452744.125319] Last Breaking-Event-Address:
[452744.125321]  [<00000000d5930018>] iucv_path_sever+0x90/0x138
[452744.125324]
[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt

Note that bh_lock_sock() is not serializing the tasklet context against
process context, because the check for sock_owned_by_user() and
corresponding handling is missing.

Ideas for a future clean-up patch:
A) Correct usage of bh_lock_sock() in tasklet context, as described in
Re-enqueue, if needed. This may require adding return values to the
tasklet functions and thus changes to all users of iucv.

B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42271

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42272
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sched: act_ct: take care of padding in struct zones_ht_key

Blamed commit increased lookup key size from 2 bytes to 16 bytes,
because zones_ht_key got a struct net pointer.

Make sure rhashtable_lookup() is not using the padding bytes
which are not initialized.

 BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
 BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
 BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
 BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
 BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
  rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
  __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
  rhashtable_lookup include/linux/rhashtable.h:646 [inline]
  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
  tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
  tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
  tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425
  tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488
  tcf_action_add net/sched/act_api.c:2061 [inline]
  tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118
  rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647
  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550
  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665
  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
  netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357
  netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:745
  ____sys_sendmsg+0x877/0xb60 net/socket.c:2597
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651
  __sys_sendmsg net/socket.c:2680 [inline]
  __do_sys_sendmsg net/socket.c:2689 [inline]
  __se_sys_sendmsg net/socket.c:2687 [inline]
  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687
  x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable key created at:
  tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324
  tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42272

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42277
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en

In sprd_iommu_cleanup() before calling function sprd_iommu_hw_en()
dom->sdev is equal to NULL, which leads to null dereference.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42277

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42278
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: TAS2781: Fix tasdev_load_calibrated_data()

This function has a reversed if statement so it's either a no-op or it
leads to a NULL dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42278

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42280
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mISDN: Fix a use after free in hfcmulti_tx()

Don't dereference *sp after calling dev_kfree_skb(*sp).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42280

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42282
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: mediatek: Fix potential NULL pointer dereference in dummy net_device handling

Move the freeing of the dummy net_device from mtk_free_dev() to
mtk_remove().

Previously, if alloc_netdev_dummy() failed in mtk_probe(),
eth->dummy_dev would be NULL. The error path would then call
mtk_free_dev(), which in turn called free_netdev() assuming dummy_dev
was allocated (but it was not), potentially causing a NULL pointer
dereference.

By moving free_netdev() to mtk_remove(), we ensure it's only called when
mtk_probe() has succeeded and dummy_dev is fully allocated. This
addresses a potential NULL pointer dereference detected by Smatch[1].
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42282

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42283
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: Initialize all fields in dumped nexthops

struct nexthop_grp contains two reserved fields that are not initialized by
nla_put_nh_group(), and carry garbage. This can be observed e.g. with
strace (edited for clarity):

    # ip nexthop add id 1 dev lo
    # ip nexthop add id 101 group 1
    # strace -e recvmsg ip nexthop get id 101
    ...
    recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},
                 [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52

The fields are reserved and therefore not currently used. But as they are, they
leak kernel memory, and the fact they are not just zero complicates repurposing
of the fields for new ends. Initialize the full structure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42283

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42284
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tipc: Return non-zero value from tipc_udp_addr2str() on error

tipc_udp_addr2str() should return non-zero value if the UDP media
address is invalid. Otherwise, a buffer overflow access can occur in
tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP
media address.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42284

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42285
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with
an existing struct iw_cm_id (cm_id) as follows:

        conn_id->cm_id.iw = cm_id;
        cm_id->context = conn_id;
        cm_id->cm_handler = cma_iw_handler;

rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make
sure that cm_work_handler() does not trigger a use-after-free by only
freeing of the struct rdma_id_private after all pending work has finished.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42285

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42286
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: validate nvme_local_port correctly

The driver load failed with error message,

qla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef

and with a kernel crash,

	BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
	Workqueue: events_unbound qla_register_fcport_fn [qla2xxx]
	RIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc]
	RSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282
	RAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000
	RDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000
	RBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030
	R10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4
	R13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8
	FS:  0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0
	Call Trace:
	qla_nvme_register_remote+0xeb/0x1f0 [qla2xxx]
	? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx]
	qla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx]
	qla_register_fcport_fn+0x54/0xc0 [qla2xxx]

Exit the qla_nvme_register_remote() function when qla_nvme_register_hba()
fails and correctly validate nvme_local_port.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42286

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42287
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Complete command early within lock

A crash was observed while performing NPIV and FW reset,

 BUG: kernel NULL pointer dereference, address: 000000000000001c
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 1 PREEMPT_RT SMP NOPTI
 RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0
 RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002
 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0
 RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034
 R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000
 R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000
 FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
 <TASK>
 ? __die_body+0x1a/0x60
 ? page_fault_oops+0x16f/0x4a0
 ? do_user_addr_fault+0x174/0x7f0
 ? exc_page_fault+0x69/0x1a0
 ? asm_exc_page_fault+0x22/0x30
 ? dma_direct_unmap_sg+0x51/0x1e0
 ? preempt_count_sub+0x96/0xe0
 qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]
 qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]
 __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]

The command completion was done early while aborting the commands in driver
unload path but outside lock to avoid the WARN_ON condition of performing
dma_free_attr within the lock. However this caused race condition while
command completion via multiple paths causing system crash.

Hence complete the command early in unload path but within the lock to
avoid race condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42287

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42288
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix for possible memory corruption

Init Control Block is dereferenced incorrectly.  Correctly dereference ICB
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42288

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42289
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: During vport delete send async logout explicitly

During vport delete, it is observed that during unload we hit a crash
because of stale entries in outstanding command array.  For all these stale
I/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but
I/Os could not complete while vport delete is in process of deleting.

  BUG: kernel NULL pointer dereference, address: 000000000000001c
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  Workqueue: qla2xxx_wq qla_do_work [qla2xxx]
  RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0
  RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046
  RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001
  RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0
  RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8
  R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000
  R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000
  FS:  0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0
  Call Trace:
  <TASK>
  qla2xxx_qpair_sp_free_dma+0x417/0x4e0
  ? qla2xxx_qpair_sp_compl+0x10d/0x1a0
  ? qla2x00_status_entry+0x768/0x2830
  ? newidle_balance+0x2f0/0x430
  ? dequeue_entity+0x100/0x3c0
  ? qla24xx_process_response_queue+0x6a1/0x19e0
  ? __schedule+0x2d5/0x1140
  ? qla_do_work+0x47/0x60
  ? process_one_work+0x267/0x440
  ? process_one_work+0x440/0x440
  ? worker_thread+0x2d/0x3d0
  ? process_one_work+0x440/0x440
  ? kthread+0x156/0x180
  ? set_kthread_struct+0x50/0x50
  ? ret_from_fork+0x22/0x30
  </TASK>

Send out async logout explicitly for all the ports during vport delete.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42289

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42294
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block: fix deadlock between sd_remove & sd_release

Our test report the following hung task:

[ 2538.459400] INFO: task "kworker/0:0":7 blocked for more than 188 seconds.
[ 2538.459427] Call trace:
[ 2538.459430]  __switch_to+0x174/0x338
[ 2538.459436]  __schedule+0x628/0x9c4
[ 2538.459442]  schedule+0x7c/0xe8
[ 2538.459447]  schedule_preempt_disabled+0x24/0x40
[ 2538.459453]  __mutex_lock+0x3ec/0xf04
[ 2538.459456]  __mutex_lock_slowpath+0x14/0x24
[ 2538.459459]  mutex_lock+0x30/0xd8
[ 2538.459462]  del_gendisk+0xdc/0x350
[ 2538.459466]  sd_remove+0x30/0x60
[ 2538.459470]  device_release_driver_internal+0x1c4/0x2c4
[ 2538.459474]  device_release_driver+0x18/0x28
[ 2538.459478]  bus_remove_device+0x15c/0x174
[ 2538.459483]  device_del+0x1d0/0x358
[ 2538.459488]  __scsi_remove_device+0xa8/0x198
[ 2538.459493]  scsi_forget_host+0x50/0x70
[ 2538.459497]  scsi_remove_host+0x80/0x180
[ 2538.459502]  usb_stor_disconnect+0x68/0xf4
[ 2538.459506]  usb_unbind_interface+0xd4/0x280
[ 2538.459510]  device_release_driver_internal+0x1c4/0x2c4
[ 2538.459514]  device_release_driver+0x18/0x28
[ 2538.459518]  bus_remove_device+0x15c/0x174
[ 2538.459523]  device_del+0x1d0/0x358
[ 2538.459528]  usb_disable_device+0x84/0x194
[ 2538.459532]  usb_disconnect+0xec/0x300
[ 2538.459537]  hub_event+0xb80/0x1870
[ 2538.459541]  process_scheduled_works+0x248/0x4dc
[ 2538.459545]  worker_thread+0x244/0x334
[ 2538.459549]  kthread+0x114/0x1bc

[ 2538.461001] INFO: task "fsck.":15415 blocked for more than 188 seconds.
[ 2538.461014] Call trace:
[ 2538.461016]  __switch_to+0x174/0x338
[ 2538.461021]  __schedule+0x628/0x9c4
[ 2538.461025]  schedule+0x7c/0xe8
[ 2538.461030]  blk_queue_enter+0xc4/0x160
[ 2538.461034]  blk_mq_alloc_request+0x120/0x1d4
[ 2538.461037]  scsi_execute_cmd+0x7c/0x23c
[ 2538.461040]  ioctl_internal_command+0x5c/0x164
[ 2538.461046]  scsi_set_medium_removal+0x5c/0xb0
[ 2538.461051]  sd_release+0x50/0x94
[ 2538.461054]  blkdev_put+0x190/0x28c
[ 2538.461058]  blkdev_release+0x28/0x40
[ 2538.461063]  __fput+0xf8/0x2a8
[ 2538.461066]  __fput_sync+0x28/0x5c
[ 2538.461070]  __arm64_sys_close+0x84/0xe8
[ 2538.461073]  invoke_syscall+0x58/0x114
[ 2538.461078]  el0_svc_common+0xac/0xe0
[ 2538.461082]  do_el0_svc+0x1c/0x28
[ 2538.461087]  el0_svc+0x38/0x68
[ 2538.461090]  el0t_64_sync_handler+0x68/0xbc
[ 2538.461093]  el0t_64_sync+0x1a8/0x1ac

  T1:				T2:
  sd_remove
  del_gendisk
  __blk_mark_disk_dead
  blk_freeze_queue_start
  ++q->mq_freeze_depth
  				bdev_release
 				mutex_lock(&disk->open_mutex)
  				sd_release
 				scsi_execute_cmd
 				blk_queue_enter
 				wait_event(!q->mq_freeze_depth)
  mutex_lock(&disk->open_mutex)

SCSI does not set GD_OWNS_QUEUE, so QUEUE_FLAG_DYING is not set in
this scenario. This is a classic ABBA deadlock. To fix the deadlock,
make sure we don't try to acquire disk->open_mutex after freezing
the queue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42294

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42297
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to don't dirty inode for readonly filesystem

syzbot reports f2fs bug as below:

kernel BUG at fs/f2fs/inode.c:933!
RIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933
Call Trace:
 evict+0x2a4/0x620 fs/inode.c:664
 dispose_list fs/inode.c:697 [inline]
 evict_inodes+0x5f8/0x690 fs/inode.c:747
 generic_shutdown_super+0x9d/0x2c0 fs/super.c:675
 kill_block_super+0x44/0x90 fs/super.c:1667
 kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894
 deactivate_locked_super+0xc1/0x130 fs/super.c:484
 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256
 task_work_run+0x24a/0x300 kernel/task_work.c:180
 ptrace_notify+0x2cd/0x380 kernel/signal.c:2399
 ptrace_report_syscall include/linux/ptrace.h:411 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]
 syscall_exit_work kernel/entry/common.c:251 [inline]
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296
 do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

The root cause is:
- do_sys_open
 - f2fs_lookup
  - __f2fs_find_entry
   - f2fs_i_depth_write
    - f2fs_mark_inode_dirty_sync
     - f2fs_dirty_inode
      - set_inode_flag(inode, FI_DIRTY_INODE)

- umount
 - kill_f2fs_super
  - kill_block_super
   - generic_shutdown_super
    - sync_filesystem
    : sb is readonly, skip sync_filesystem()
    - evict_inodes
     - iput
      - f2fs_evict_inode
       - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))
       : trigger kernel panic

When we try to repair i_current_depth in readonly filesystem, let's
skip dirty inode to avoid panic in later f2fs_evict_inode().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42297

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42298
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value

devm_kasprintf() can return a NULL pointer on failure but this returned
value is not checked.

Fix this lack and check the returned value.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42298

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42301
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dev/parport: fix the array out-of-bounds risk

Fixed array out-of-bounds issues caused by sprintf
by replacing it with snprintf for safer data copying,
ensuring the destination buffer is not overflowed.

Below is the stack trace I encountered during the actual issue:

[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:
Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]
[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:
QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2
[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp
[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun
PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024
[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:
[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0
[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20
[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c
[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc
[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38
[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42301

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42302
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

Keith reports a use-after-free when a DPC event occurs concurrently to
hot-removal of the same portion of the hierarchy:

The dpc_handler() awaits readiness of the secondary bus below the
Downstream Port where the DPC event occurred.  To do so, it polls the
config space of the first child device on the secondary bus.  If that
child device is concurrently removed, accesses to its struct pci_dev
cause the kernel to oops.

That's because pci_bridge_wait_for_secondary_bus() neglects to hold a
reference on the child device.  Before v6.3, the function was only
called on resume from system sleep or on runtime resume.  Holding a
reference wasn't necessary back then because the pciehp IRQ thread
could never run concurrently.  (On resume from system sleep, IRQs are
not enabled until after the resume_noirq phase.  And runtime resume is
always awaited before a PCI device is removed.)

However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also
called on a DPC event.  Commit 53b54ad074de ("PCI/DPC: Await readiness
of secondary bus after reset"), which introduced that, failed to
appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a
reference on the child device because dpc_handler() and pciehp may
indeed run concurrently.  The commit was backported to v5.10+ stable
kernels, so that's the oldest one affected.

Add the missing reference acquisition.

Abridged stack trace:

  BUG: unable to handle page fault for address: 00000000091400c0
  CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0
  RIP: pci_bus_read_config_dword+0x17/0x50
  pci_dev_wait()
  pci_bridge_wait_for_secondary_bus()
  dpc_reset_link()
  pcie_do_recovery()
  dpc_handler()
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42302

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42307
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path

Dan Carpenter reported a Smack static checker warning:
   fs/smb/client/cifsfs.c:1981 init_cifs()
   error: we previously assumed 'serverclose_wq' could be null (see line 1895)

The patch which introduced the serverclose workqueue used the wrong
oredering in error paths in init_cifs() for freeing it on errors.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42307

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42309
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes

In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is
assigned to mode, which will lead to a possible NULL pointer dereference
on failure of drm_mode_duplicate(). Add a check to avoid npd.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42309

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42310
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes

In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()
is assigned to mode, which will lead to a NULL pointer dereference on
failure of drm_mode_duplicate(). Add a check to avoid npd.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42310

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42311
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()

Syzbot reports uninitialized value access issue as below:

loop0: detected capacity change from 0 to 64
=====================================================
BUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30
 hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30
 d_revalidate fs/namei.c:862 [inline]
 lookup_fast+0x89e/0x8e0 fs/namei.c:1649
 walk_component fs/namei.c:2001 [inline]
 link_path_walk+0x817/0x1480 fs/namei.c:2332
 path_lookupat+0xd9/0x6f0 fs/namei.c:2485
 filename_lookup+0x22e/0x740 fs/namei.c:2515
 user_path_at_empty+0x8b/0x390 fs/namei.c:2924
 user_path_at include/linux/namei.h:57 [inline]
 do_mount fs/namespace.c:3689 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x66b/0x810 fs/namespace.c:3875
 __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

BUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline]
BUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366
 hfs_ext_read_extent fs/hfs/extent.c:196 [inline]
 hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366
 block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271
 hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39
 filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426
 do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553
 do_read_cache_page mm/filemap.c:3595 [inline]
 read_cache_page+0xfb/0x2f0 mm/filemap.c:3604
 read_mapping_page include/linux/pagemap.h:755 [inline]
 hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78
 hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204
 hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406
 mount_bdev+0x628/0x920 fs/super.c:1359
 hfs_mount+0xcd/0xe0 fs/hfs/super.c:456
 legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610
 vfs_get_tree+0xdc/0x5d0 fs/super.c:1489
 do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145
 path_mount+0xf98/0x26a0 fs/namespace.c:3475
 do_mount fs/namespace.c:3488 [inline]
 __do_sys_mount fs/namespace.c:3697 [inline]
 __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674
 __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Uninit was created at:
 __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2190 [inline]
 allocate_slab mm/slub.c:2354 [inline]
 new_slab+0x2d7/0x1400 mm/slub.c:2407
 ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540
 __slab_alloc mm/slub.c:3625 [inline]
 __slab_alloc_node mm/slub.c:3678 [inline]
 slab_alloc_node mm/slub.c:3850 [inline]
 kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879
 alloc_inode_sb include/linux/fs.h:3018 [inline]
 hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165
 alloc_inode+0x83/0x440 fs/inode.c:260
 new_inode_pseudo fs/inode.c:1005 [inline]
 new_inode+0x38/0x4f0 fs/inode.c:1031
 hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186
 hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228
 vfs_mkdir+0x49a/0x700 fs/namei.c:4126
 do_mkdirat+0x529/0x810 fs/namei.c:4149
 __do_sys_mkdirat fs/namei.c:4164 [inline]
 __se_sys_mkdirat fs/namei.c:4162 [inline]
 __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

It missed to initialize .tz_secondswest, .cached_start and .cached_blocks
fields in struct hfs_inode_info after hfs_alloc_inode(), fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42311

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42313
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: venus: fix use after free in vdec_close

There appears to be a possible use after free with vdec_close().
The firmware will add buffer release work to the work queue through
HFI callbacks as a normal part of decoding. Randomly closing the
decoder device from userspace during normal decoding can incur
a read after free for inst.

Fix it by cancelling the work in vdec_close.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42313

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42314
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix extent map use-after-free when adding pages to compressed bio

At add_ra_bio_pages() we are accessing the extent map to calculate
'add_size' after we dropped our reference on the extent map, resulting
in a use-after-free. Fix this by computing 'add_size' before dropping our
extent map reference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42314

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42315
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

exfat: fix potential deadlock on __exfat_get_dentry_set

When accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array
is allocated in __exfat_get_entry_set. The problem is that the bh-array is
allocated with GFP_KERNEL. It does not make sense. In the following cases,
a deadlock for sbi->s_lock between the two processes may occur.

       CPU0                CPU1
       ----                ----
  kswapd
   balance_pgdat
    lock(fs_reclaim)
                      exfat_iterate
                       lock(&sbi->s_lock)
                       exfat_readdir
                        exfat_get_uniname_from_ext_entry
                         exfat_get_dentry_set
                          __exfat_get_dentry_set
                           kmalloc_array
                            ...
                            lock(fs_reclaim)
    ...
    evict
     exfat_evict_inode
      lock(&sbi->s_lock)

To fix this, let's allocate bh-array with GFP_NOFS.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42315

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42316
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/mglru: fix div-by-zero in vmpressure_calc_level()

evict_folios() uses a second pass to reclaim folios that have gone through
page writeback and become clean before it finishes the first pass, since
folio_rotate_reclaimable() cannot handle those folios due to the
isolation.

The second pass tries to avoid potential double counting by deducting
scan_control->nr_scanned.  However, this can result in underflow of
nr_scanned, under a condition where shrink_folio_list() does not increment
nr_scanned, i.e., when folio_trylock() fails.

The underflow can cause the divisor, i.e., scale=scanned+reclaimed in
vmpressure_calc_level(), to become zero, resulting in the following crash:

  [exception RIP: vmpressure_work_fn+101]
  process_one_work at ffffffffa3313f2b

Since scan_control->nr_scanned has no established semantics, the potential
double counting has minimal risks.  Therefore, fix the problem by not
deducting scan_control->nr_scanned in evict_folios().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42316

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-42320
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/dasd: fix error checks in dasd_copy_pair_store()

dasd_add_busid() can return an error via ERR_PTR() if an allocation
fails. However, two callsites in dasd_copy_pair_store() do not check
the result, potentially resulting in a NULL pointer dereference. Fix
this by checking the result with IS_ERR() and returning the error up
the stack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42320

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43817
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: missing check virtio

Two missing check in virtio_net_hdr_to_skb() allowed syzbot
to crash kernels again

1. After the skb_segment function the buffer may become non-linear
(nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere
the __skb_linearize function will not be executed, then the buffer will
remain non-linear. Then the condition (offset >= skb_headlen(skb))
becomes true, which causes WARN_ON_ONCE in skb_checksum_help.

2. The struct sk_buff and struct virtio_net_hdr members must be
mathematically related.
(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.
(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.
(remainder) may be 0 if division is without remainder.

offset+2 (4191) > skb_headlen() (1116)
WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
Modules linked in:
CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef
RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209
RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001
RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c
R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d
FS:  0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777
 ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584
 ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
 dst_output include/net/dst.h:451 [inline]
 ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129
 iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]
 sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3545 [inline]
 dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561
 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 packet_xmit+0x257/0x380 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3087 [inline]
 packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 __sys_sendto+0x255/0x340 net/socket.c:2190
 __do_sys_sendto net/socket.c:2202 [inline]
 __se_sys_sendto net/socket.c:2198 [inline]
 __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Found by Linux Verification Center (linuxtesting.org) with Syzkaller
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43817

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43818
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: amd: Adjust error handling in case of absent codec device

acpi_get_first_physical_node() can return NULL in several cases (no such
device, ACPI table error, reference count drop to 0, etc).
Existing check just emit error message, but doesn't perform return.
Then this NULL pointer is passed to devm_acpi_dev_add_driver_gpios()
where it is dereferenced.

Adjust this error handling by adding error code return.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43818

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43819
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

kvm: s390: Reject memory region operations for ucontrol VMs

This change rejects the KVM_SET_USER_MEMORY_REGION and
KVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.
This is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and
would thus result in a null pointer dereference further in.
Memory management needs to be performed in userspace and using the
ioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.

Also improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION
and KVM_SET_USER_MEMORY_REGION2.

[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43819

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43821
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix a possible null pointer dereference

In function lpfc_xcvr_data_show, the memory allocation with kmalloc might
fail, thereby making rdp_context a null pointer. In the following context
and functions that use this pointer, there are dereferencing operations,
leading to null pointer dereference.

To fix this issue, a null pointer check should be added. If it is null,
use scnprintf to notify the user and return len.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43821

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43822
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoc: PCM6240: Return directly after a failed devm_kzalloc() in pcmdevice_i2c_probe()

The value “-ENOMEM” was assigned to the local variable “ret”
in one if branch after a devm_kzalloc() call failed at the beginning.
This error code will trigger then a pcmdevice_remove() call with a passed
null pointer so that an undesirable dereference will be performed.
Thus return the appropriate error code directly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43822

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43823
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()

If IORESOURCE_MEM is not provided in Device Tree due to
any error, resource_list_first_type() will return NULL and
pci_parse_request_of_pci_ranges() will just emit a warning.

This will cause a NULL pointer dereference. Fix this bug by adding NULL
return check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43823

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43824
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()

Instead of getting the epc_features from pci_epc_get_features() API, use
the cached pci_epf_test::epc_features value to avoid the NULL check. Since
the NULL check is already performed in pci_epf_test_bind(), having one more
check in pci_epf_test_core_init() is redundant and it is not possible to
hit the NULL pointer dereference.

Also with commit a01e7214bef9 ("PCI: endpoint: Remove "core_init_notifier"
flag"), 'epc_features' got dereferenced without the NULL check, leading to
the following false positive Smatch warning:

  drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)

Thus, remove the redundant NULL check and also use the epc_features::
{msix_capable/msi_capable} flags directly to avoid local variables.

[kwilczynski: commit log]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43824

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43825
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: Fix the sorting functionality in iio_gts_build_avail_time_table

The sorting in iio_gts_build_avail_time_table is not working as intended.
It could result in an out-of-bounds access when the time is zero.

Here are more details:

1. When the gts->itime_table[i].time_us is zero, e.g., the time
sequence is `3, 0, 1`, the inner for-loop will not terminate and do
out-of-bound writes. This is because once `times[j] > new`, the value
`new` will be added in the current position and the `times[j]` will be
moved to `j+1` position, which makes the if-condition always hold.
Meanwhile, idx will be added one, making the loop keep running without
termination and out-of-bound write.
2. If none of the gts->itime_table[i].time_us is zero, the elements
will just be copied without being sorted as described in the comment
"Sort times from all tables to one and remove duplicates".

For more details, please refer to
https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43825

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43827
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check before access structs

In enable_phantom_plane, we should better check null pointer before
accessing various structs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43827

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43828
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: fix infinite loop when replaying fast_commit

When doing fast_commit replay an infinite loop may occur due to an
uninitialized extent_status struct.  ext4_ext_determine_insert_hole() does
not detect the replay and calls ext4_es_find_extent_range(), which will
return immediately without initializing the 'es' variable.

Because 'es' contains garbage, an integer overflow may happen causing an
infinite loop in this function, easily reproducible using fstest generic/039.

This commit fixes this issue by unconditionally initializing the structure
in function ext4_es_find_extent_range().

Thanks to Zhang Yi, for figuring out the real problem!
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43828

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43829
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/qxl: Add check for drm_cvt_mode

Add check for the return value of drm_cvt_mode() and return the error if
it fails in order to avoid NULL pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43829

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43833
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: v4l: async: Fix NULL pointer dereference in adding ancillary links

In v4l2_async_create_ancillary_links(), ancillary links are created for
lens and flash sub-devices. These are sub-device to sub-device links and
if the async notifier is related to a V4L2 device, the source sub-device
of the ancillary link is NULL, leading to a NULL pointer dereference.
Check the notifier's sd field is non-NULL in
v4l2_async_create_ancillary_links().

[Sakari Ailus: Reword the subject and commit messages slightly.]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43833

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43834
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xdp: fix invalid wait context of page_pool_destroy()

If the driver uses a page pool, it creates a page pool with
page_pool_create().
The reference count of page pool is 1 as default.
A page pool will be destroyed only when a reference count reaches 0.
page_pool_destroy() is used to destroy page pool, it decreases a
reference count.
When a page pool is destroyed, ->disconnect() is called, which is
mem_allocator_disconnect().
This function internally acquires mutex_lock().

If the driver uses XDP, it registers a memory model with
xdp_rxq_info_reg_mem_model().
The xdp_rxq_info_reg_mem_model() internally increases a page pool
reference count if a memory model is a page pool.
Now the reference count is 2.

To destroy a page pool, the driver should call both page_pool_destroy()
and xdp_unreg_mem_model().
The xdp_unreg_mem_model() internally calls page_pool_destroy().
Only page_pool_destroy() decreases a reference count.

If a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we
will face an invalid wait context warning.
Because xdp_unreg_mem_model() calls page_pool_destroy() with
rcu_read_lock().
The page_pool_destroy() internally acquires mutex_lock().

Splat looks like:
=============================
[ BUG: Invalid wait context ]
6.10.0-rc6+ #4 Tainted: G W
-----------------------------
ethtool/1806 is trying to lock:
ffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150
other info that might help us debug this:
context-{5:5}
3 locks held by ethtool/1806:
stack backtrace:
CPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed
Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
Call Trace:
<TASK>
dump_stack_lvl+0x7e/0xc0
__lock_acquire+0x1681/0x4de0
? _printk+0x64/0xe0
? __pfx_mark_lock.part.0+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
lock_acquire+0x1b3/0x580
? mem_allocator_disconnect+0x73/0x150
? __wake_up_klogd.part.0+0x16/0xc0
? __pfx_lock_acquire+0x10/0x10
? dump_stack_lvl+0x91/0xc0
__mutex_lock+0x15c/0x1690
? mem_allocator_disconnect+0x73/0x150
? __pfx_prb_read_valid+0x10/0x10
? mem_allocator_disconnect+0x73/0x150
? __pfx_llist_add_batch+0x10/0x10
? console_unlock+0x193/0x1b0
? lockdep_hardirqs_on+0xbe/0x140
? __pfx___mutex_lock+0x10/0x10
? tick_nohz_tick_stopped+0x16/0x90
? __irq_work_queue_local+0x1e5/0x330
? irq_work_queue+0x39/0x50
? __wake_up_klogd.part.0+0x79/0xc0
? mem_allocator_disconnect+0x73/0x150
mem_allocator_disconnect+0x73/0x150
? __pfx_mem_allocator_disconnect+0x10/0x10
? mark_held_locks+0xa5/0xf0
? rcu_is_watching+0x11/0xb0
page_pool_release+0x36e/0x6d0
page_pool_destroy+0xd7/0x440
xdp_unreg_mem_model+0x1a7/0x2a0
? __pfx_xdp_unreg_mem_model+0x10/0x10
? kfree+0x125/0x370
? bnxt_free_ring.isra.0+0x2eb/0x500
? bnxt_free_mem+0x5ac/0x2500
xdp_rxq_info_unreg+0x4a/0xd0
bnxt_free_mem+0x1356/0x2500
bnxt_close_nic+0xf0/0x3b0
? __pfx_bnxt_close_nic+0x10/0x10
? ethnl_parse_bit+0x2c6/0x6d0
? __pfx___nla_validate_parse+0x10/0x10
? __pfx_ethnl_parse_bit+0x10/0x10
bnxt_set_features+0x2a8/0x3e0
__netdev_update_features+0x4dc/0x1370
? ethnl_parse_bitset+0x4ff/0x750
? __pfx_ethnl_parse_bitset+0x10/0x10
? __pfx___netdev_update_features+0x10/0x10
? mark_held_locks+0xa5/0xf0
? _raw_spin_unlock_irqrestore+0x42/0x70
? __pm_runtime_resume+0x7d/0x110
ethnl_set_features+0x32d/0xa20

To fix this problem, it uses rhashtable_lookup_fast() instead of
rhashtable_lookup() with rcu_read_lock().
Using xa without rcu_read_lock() here is safe.
xa is freed by __xdp_mem_allocator_rcu_free() and this is called by
call_rcu() of mem_xa_remove().
The mem_xa_remove() is called by page_pool_destroy() if a reference
count reaches 0.
The xa is already protected by the reference count mechanism well in the
control plane.
So removing rcu_read_lock() for page_pool_destroy() is safe.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43834

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43835
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

virtio_net: Fix napi_skb_cache_put warning

After the commit bdacf3e34945 ("net: Use nested-BH locking for
napi_alloc_cache.") was merged, the following warning began to appear:

	 WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0

	  __warn+0x12f/0x340
	  napi_skb_cache_put+0x82/0x4b0
	  napi_skb_cache_put+0x82/0x4b0
	  report_bug+0x165/0x370
	  handle_bug+0x3d/0x80
	  exc_invalid_op+0x1a/0x50
	  asm_exc_invalid_op+0x1a/0x20
	  __free_old_xmit+0x1c8/0x510
	  napi_skb_cache_put+0x82/0x4b0
	  __free_old_xmit+0x1c8/0x510
	  __free_old_xmit+0x1c8/0x510
	  __pfx___free_old_xmit+0x10/0x10

The issue arises because virtio is assuming it's running in NAPI context
even when it's not, such as in the netpoll case.

To resolve this, modify virtnet_poll_tx() to only set NAPI when budget
is available. Same for virtnet_poll_cleantx(), which always assumed that
it was in a NAPI context.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43835

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43836
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ethtool: pse-pd: Fix possible null-deref

Fix a possible null dereference when a PSE supports both c33 and PoDL, but
only one of the netlink attributes is specified. The c33 or PoDL PSE
capabilities are already validated in the ethnl_set_pse_validate() call.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43836

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43837
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT

When loading a EXT program without specifying `attr->attach_prog_fd`,
the `prog->aux->dst_prog` will be null. At this time, calling
resolve_prog_type() anywhere will result in a null pointer dereference.

Example stack trace:

[    8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
[    8.108262] Mem abort info:
[    8.108384]   ESR = 0x0000000096000004
[    8.108547]   EC = 0x25: DABT (current EL), IL = 32 bits
[    8.108722]   SET = 0, FnV = 0
[    8.108827]   EA = 0, S1PTW = 0
[    8.108939]   FSC = 0x04: level 0 translation fault
[    8.109102] Data abort info:
[    8.109203]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[    8.109399]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[    8.109614]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000
[    8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000
[    8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[    8.112783] Modules linked in:
[    8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1
[    8.113230] Hardware name: linux,dummy-virt (DT)
[    8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    8.113429] pc : may_access_direct_pkt_data+0x24/0xa0
[    8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8
[    8.113798] sp : ffff80008283b9f0
[    8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001
[    8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000
[    8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000
[    8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff
[    8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720
[    8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720
[    8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4
[    8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f
[    8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c
[    8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000
[    8.114126] Call trace:
[    8.114159]  may_access_direct_pkt_data+0x24/0xa0
[    8.114202]  bpf_check+0x3bc/0x28c0
[    8.114214]  bpf_prog_load+0x658/0xa58
[    8.114227]  __sys_bpf+0xc50/0x2250
[    8.114240]  __arm64_sys_bpf+0x28/0x40
[    8.114254]  invoke_syscall.constprop.0+0x54/0xf0
[    8.114273]  do_el0_svc+0x4c/0xd8
[    8.114289]  el0_svc+0x3c/0x140
[    8.114305]  el0t_64_sync_handler+0x134/0x150
[    8.114331]  el0t_64_sync+0x168/0x170
[    8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403)
[    8.118672] ---[ end trace 0000000000000000 ]---

One way to fix it is by forcing `attach_prog_fd` non-empty when
bpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type`
API broken which use verifier log to probe prog type and will log
nothing if we reject invalid EXT prog before bpf_check().

Another way is by adding null check in resolve_prog_type().

The issue was introduced by commit 4a9c7bbe2ed4 ("bpf: Resolve to
prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT") which wanted
to correct type resolution for BPF_PROG_TYPE_TRACING programs. Before
that, the type resolution of BPF_PROG_TYPE_EXT prog actually follows
the logic below:

  prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type;

It implies that when EXT program is not yet attached to `dst_prog`,
the prog type should be EXT itself. This code worked fine in the past.
So just keep using it.

Fix this by returning `prog->type` for BPF_PROG_TYPE_EXT if `dst_prog`
is not present in resolve_prog_type().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43837

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43838
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: fix overflow check in adjust_jmp_off()

adjust_jmp_off() incorrectly used the insn->imm field for all overflow check,
which is incorrect as that should only be done or the BPF_JMP32 | BPF_JA case,
not the general jump instruction case. Fix it by using insn->off for overflow
check in the general case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43838

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43839
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bna: adjust 'name' buf size of bna_tcb and bna_ccb structures

To have enough space to write all possible sprintf() args. Currently
'name' size is 16, but the first '%s' specifier may already need at
least 16 characters, since 'bnad->netdev->name' is used there.

For '%d' specifiers, assume that they require:
 * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8
 * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX
   is 16

And replace sprintf with snprintf.

Detected using the static analysis tool - Svace.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43839

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43840
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG

When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls
__bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them
the struct bpf_tramp_image *im pointer as an argument in R0.

The trampoline generation code uses emit_addr_mov_i64() to emit
instructions for moving the bpf_tramp_image address into R0, but
emit_addr_mov_i64() assumes the address to be in the vmalloc() space
and uses only 48 bits. Because bpf_tramp_image is allocated using
kzalloc(), its address can use more than 48-bits, in this case the
trampoline will pass an invalid address to __bpf_tramp_enter/exit()
causing a kernel crash.

Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64()
as it can work with addresses that are greater than 48-bits.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43840

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43841
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: virt_wifi: avoid reporting connection success with wrong SSID

When user issues a connection with a different SSID than the one
virt_wifi has advertised, the __cfg80211_connect_result() will
trigger the warning: WARN_ON(bss_not_found).

The issue is because the connection code in virt_wifi does not
check the SSID from user space (it only checks the BSSID), and
virt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS
even if the SSID is different from the one virt_wifi has advertised.
Eventually cfg80211 won't be able to find the cfg80211_bss and generate
the warning.

Fixed it by checking the SSID (from user space) in the connection code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43841

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43842
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.
But then 'rate->he_gi' is used as array index instead of 'status->he_gi'.
This can lead to go beyond array boundaries in case of 'rate->he_gi' is
not equal to 'status->he_gi' and is bigger than array size. Looks like
"copy-paste" mistake.

Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43842

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43843
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

riscv, bpf: Fix out-of-bounds issue when preparing trampoline image

We get the size of the trampoline image during the dry run phase and
allocate memory based on that size. The allocated image will then be
populated with instructions during the real patch phase. But after
commit 26ef208c209a ("bpf: Use arch_bpf_trampoline_size"), the `im`
argument is inconsistent in the dry run and real patch phase. This may
cause emit_imm in RV64 to generate a different number of instructions
when generating the 'im' address, potentially causing out-of-bounds
issues. Let's emit the maximum number of instructions for the "im"
address during dry run to fix this problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43843

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43844
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: wow: fix GTK offload H2C skbuff issue

We mistakenly put skb too large and that may exceed skb->end.
Therefore, we fix it.

skbuff: skb_over_panic: text:ffffffffc09e9a9d len:416 put:204 head:ffff8fba04eca780 data:ffff8fba04eca7e0 tail:0x200 end:0x140 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:192!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 4747 Comm: kworker/u4:44 Tainted: G           O       6.6.30-02659-gc18865c4dfbd #1 86547039b47e46935493f615ee31d0b2d711d35e
Hardware name: HP Meep/Meep, BIOS Google_Meep.11297.262.0 03/18/2021
Workqueue: events_unbound async_run_entry_fn
RIP: 0010:skb_panic+0x5d/0x60
Code: c6 63 8b 8f bb 4c 0f 45 f6 48 c7 c7 4d 89 8b bb 48 89 ce 44 89 d1 41 56 53 41 53 ff b0 c8 00 00 00 e8 27 5f 23 00 48 83 c4 20 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44
RSP: 0018:ffffaa700144bad0 EFLAGS: 00010282
RAX: 0000000000000089 RBX: 0000000000000140 RCX: 14432c5aad26c900
RDX: 0000000000000000 RSI: 00000000ffffdfff RDI: 0000000000000001
RBP: ffffaa700144bae0 R08: 0000000000000000 R09: ffffaa700144b920
R10: 00000000ffffdfff R11: ffffffffbc28fbc0 R12: ffff8fba4e57a010
R13: 0000000000000000 R14: ffffffffbb8f8b63 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8fba7bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007999c4ad1000 CR3: 000000015503a000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 ? __die_body+0x1f/0x70
 ? die+0x3d/0x60
 ? do_trap+0xa4/0x110
 ? skb_panic+0x5d/0x60
 ? do_error_trap+0x6d/0x90
 ? skb_panic+0x5d/0x60
 ? handle_invalid_op+0x30/0x40
 ? skb_panic+0x5d/0x60
 ? exc_invalid_op+0x3c/0x50
 ? asm_exc_invalid_op+0x16/0x20
 ? skb_panic+0x5d/0x60
 skb_put+0x49/0x50
 rtw89_fw_h2c_wow_gtk_ofld+0xbd/0x220 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]
 rtw89_wow_resume+0x31f/0x540 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]
 rtw89_ops_resume+0x2b/0xa0 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]
 ieee80211_reconfig+0x84/0x13e0 [mac80211 818a894e3b77da6298269c59ed7cdff065a4ed52]
 ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]
 ? dev_printk_emit+0x51/0x70
 ? _dev_info+0x6e/0x90
 ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]
 wiphy_resume+0x89/0x180 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]
 ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]
 dpm_run_callback+0x3c/0x140
 device_resume+0x1f9/0x3c0
 ? __pfx_dpm_watchdog_handler+0x10/0x10
 async_resume+0x1d/0x30
 async_run_entry_fn+0x29/0xd0
 process_scheduled_works+0x1d8/0x3d0
 worker_thread+0x1fc/0x2f0
 kthread+0xed/0x110
 ? __pfx_worker_thread+0x10/0x10
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x38/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>
Modules linked in: ccm 8021q r8153_ecm cdc_ether usbnet r8152 mii dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc uinput rfcomm cmac algif_hash rtw89_8922ae(O) algif_skcipher rtw89_8922a(O) af_alg rtw89_pci(O) rtw89_core(O) btusb(O) snd_soc_sst_bxt_da7219_max98357a btbcm(O) snd_soc_hdac_hdmi btintel(O) snd_soc_intel_hda_dsp_common snd_sof_probes btrtl(O) btmtk(O) snd_hda_codec_hdmi snd_soc_dmic uvcvideo videobuf2_vmalloc uvc videobuf2_memops videobuf2_v4l2 videobuf2_common snd_sof_pci_intel_apl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp mac80211 snd_soc_acpi_intel_match snd_soc_acpi snd_sof snd_sof_utils soundwire_bus snd_soc_max98357a snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_intel_dspcfg snd_intel_sdw_acpi snd_soc_da7219 snd_hda_codec snd_hwdep snd_hda_core veth ip6table_nat xt_MASQUERADE xt_cgroup fuse bluetooth ecdh_generic
 cfg80211 ecc
gsmi: Log Shutdown 
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43844

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43845
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

udf: Fix bogus checksum computation in udf_rename()

Syzbot reports uninitialized memory access in udf_rename() when updating
checksum of '..' directory entry of a moved directory. This is indeed
true as we pass on-stack diriter.fi to the udf_update_tag() and because
that has only struct fileIdentDesc included in it and not the impUse or
name fields, the checksumming function is going to checksum random stack
contents beyond the end of the structure. This is actually harmless
because the following udf_fiiter_write_fi() will recompute the checksum
from on-disk buffers where everything is properly included. So all that
is needed is just removing the bogus calculation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43845

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43846
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

lib: objagg: Fix general protection fault

The library supports aggregation of objects into other objects only if
the parent object does not have a parent itself. That is, nesting is not
supported.

Aggregation happens in two cases: Without and with hints, where hints
are a pre-computed recommendation on how to aggregate the provided
objects.

Nesting is not possible in the first case due to a check that prevents
it, but in the second case there is no check because the assumption is
that nesting cannot happen when creating objects based on hints. The
violation of this assumption leads to various warnings and eventually to
a general protection fault [1].

Before fixing the root cause, error out when nesting happens and warn.

[1]
general protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G        W          6.9.0-rc6-custom-gd9b4f1cca7fb #7
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
RIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80
[...]
Call Trace:
 <TASK>
 mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0
 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0
 mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270
 mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510
 process_one_work+0x151/0x370
 worker_thread+0x2cb/0x3e0
 kthread+0xd0/0x100
 ret_from_fork+0x34/0x50
 ret_from_fork_asm+0x1a/0x30
 </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43846

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43847
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix invalid memory access while processing fragmented packets

The monitor ring and the reo reinject ring share the same ring mask index.
When the driver receives an interrupt for the reo reinject ring, the
monitor ring is also processed, leading to invalid memory access. Since
monitor support is not yet enabled in ath12k, the ring mask for the monitor
ring should be removed.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43847

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43848
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix TTLM teardown work

The worker calculates the wrong sdata pointer, so if it ever
runs, it'll crash. Fix that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43849
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: pdr: protect locator_addr with the main mutex

If the service locator server is restarted fast enough, the PDR can
rewrite locator_addr fields concurrently. Protect them by placing
modification of those fields under the main pdr->lock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43849

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43850
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove

The following warning is seen during bwmon_remove due to refcount
imbalance, fix this by releasing the OPPs after use.

Logs:
WARNING: at drivers/opp/core.c:1640 _opp_table_kref_release+0x150/0x158
Hardware name: Qualcomm Technologies, Inc. X1E80100 CRD (DT)
...
Call trace:
_opp_table_kref_release+0x150/0x158
dev_pm_opp_remove_table+0x100/0x1b4
devm_pm_opp_of_table_release+0x10/0x1c
devm_action_release+0x14/0x20
devres_release_all+0xa4/0x104
device_unbind_cleanup+0x18/0x60
device_release_driver_internal+0x1ec/0x228
driver_detach+0x50/0x98
bus_remove_driver+0x6c/0xbc
driver_unregister+0x30/0x60
platform_driver_unregister+0x14/0x20
bwmon_driver_exit+0x18/0x524 [icc_bwmon]
__arm64_sys_delete_module+0x184/0x264
invoke_syscall+0x48/0x118
el0_svc_common.constprop.0+0xc8/0xe8
do_el0_svc+0x20/0x2c
el0_svc+0x34/0xdc
el0t_64_sync_handler+0x13c/0x158
el0t_64_sync+0x190/0x194
--[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43851
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

soc: xilinx: rename cpu_number1 to dummy_cpu_number

The per cpu variable cpu_number1 is passed to xlnx_event_handler as
argument "dev_id", but it is not used in this function. So drop the
initialization of this variable and rename it to dummy_cpu_number.
This patch is to fix the following call trace when the kernel option
CONFIG_DEBUG_ATOMIC_SLEEP is enabled:

BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274
    in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
    preempt_count: 1, expected: 0
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0 #53
    Hardware name: Xilinx Versal vmk180 Eval board rev1.1 (QSPI) (DT)
    Call trace:
     dump_backtrace+0xd0/0xe0
     show_stack+0x18/0x40
     dump_stack_lvl+0x7c/0xa0
     dump_stack+0x18/0x34
     __might_resched+0x10c/0x140
     __might_sleep+0x4c/0xa0
     __kmem_cache_alloc_node+0xf4/0x168
     kmalloc_trace+0x28/0x38
     __request_percpu_irq+0x74/0x138
     xlnx_event_manager_probe+0xf8/0x298
     platform_probe+0x68/0xd8
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43851

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43852
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (ltc2991) re-order conditions to fix off by one bug

LTC2991_T_INT_CH_NR is 4.  The st->temp_en[] array has LTC2991_MAX_CHANNEL
(4) elements.  Thus if "channel" is equal to LTC2991_T_INT_CH_NR then we
have read one element beyond the end of the array.  Flip the conditions
around so that we check if "channel" is valid before using it as an array
index.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43852

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43853
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cgroup/cpuset: Prevent UAF in proc_cpuset_show()

An UAF can happen when /proc/cpuset is read as reported in [1].

This can be reproduced by the following methods:
1.add an mdelay(1000) before acquiring the cgroup_lock In the
 cgroup_path_ns function.
2.$cat /proc/<pid>/cpuset   repeatly.
3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/
$umount /sys/fs/cgroup/cpuset/   repeatly.

The race that cause this bug can be shown as below:

(umount)		|	(cat /proc/<pid>/cpuset)
css_release		|	proc_cpuset_show
css_release_work_fn	|	css = task_get_css(tsk, cpuset_cgrp_id);
css_free_rwork_fn	|	cgroup_path_ns(css->cgroup, ...);
cgroup_destroy_root	|	mutex_lock(&cgroup_mutex);
rebind_subsystems	|
cgroup_free_root 	|
			|	// cgrp was freed, UAF
			|	cgroup_path_ns_locked(cgrp,..);

When the cpuset is initialized, the root node top_cpuset.css.cgrp
will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will
allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated
&cgroup_root.cgrp. When the umount operation is executed,
top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.

The problem is that when rebinding to cgrp_dfl_root, there are cases
where the cgroup_root allocated by setting up the root for cgroup v1
is cached. This could lead to a Use-After-Free (UAF) if it is
subsequently freed. The descendant cgroups of cgroup v1 can only be
freed after the css is released. However, the css of the root will never
be released, yet the cgroup_root should be freed when it is unmounted.
This means that obtaining a reference to the css of the root does
not guarantee that css.cgrp->root will not be freed.

Fix this problem by using rcu_read_lock in proc_cpuset_show().
As cgroup_root is kfree_rcu after commit d23b5c577715
("cgroup: Make operations on the cgroup root_list RCU safe"),
css->cgroup won't be freed during the critical section.
To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to
replace task_get_css with task_css.

[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43853

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43854
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block: initialize integrity buffer to zero before writing it to media

Metadata added by bio_integrity_prep is using plain kmalloc, which leads
to random kernel memory being written media.  For PI metadata this is
limited to the app tag that isn't used by kernel generated metadata,
but for non-PI metadata the entire buffer leaks kernel memory.

Fix this by adding the __GFP_ZERO flag to allocations for writes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43854

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43855
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

md: fix deadlock between mddev_suspend and flush bio

Deadlock occurs when mddev is being suspended while some flush bio is in
progress. It is a complex issue.

T1. the first flush is at the ending stage, it clears 'mddev->flush_bio'
    and tries to submit data, but is blocked because mddev is suspended
    by T4.
T2. the second flush sets 'mddev->flush_bio', and attempts to queue
    md_submit_flush_data(), which is already running (T1) and won't
    execute again if on the same CPU as T1.
T3. the third flush inc active_io and tries to flush, but is blocked because
    'mddev->flush_bio' is not NULL (set by T2).
T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc
    by T3.

  T1		T2		T3		T4
  (flush 1)	(flush 2)	(third 3)	(suspend)
  md_submit_flush_data
   mddev->flush_bio = NULL;
   .
   .	 	md_flush_request
   .	  	 mddev->flush_bio = bio
   .	  	 queue submit_flushes
   .		 .
   .		 .		md_handle_request
   .		 .		 active_io + 1
   .		 .		 md_flush_request
   .		 .		  wait !mddev->flush_bio
   .		 .
   .		 .				mddev_suspend
   .		 .				 wait !active_io
   .		 .
   .		 submit_flushes
   .		 queue_work md_submit_flush_data
   .		 //md_submit_flush_data is already running (T1)
   .
   md_handle_request
    wait resume

The root issue is non-atomic inc/dec of active_io during flush process.
active_io is dec before md_submit_flush_data is queued, and inc soon
after md_submit_flush_data() run.
  md_flush_request
    active_io + 1
    submit_flushes
      active_io - 1
      md_submit_flush_data
        md_handle_request
        active_io + 1
          make_request
        active_io - 1

If active_io is dec after md_handle_request() instead of within
submit_flushes(), make_request() can be called directly intead of
md_handle_request() in md_submit_flush_data(), and active_io will
only inc and dec once in the whole flush process. Deadlock will be
fixed.

Additionally, the only difference between fixing the issue and before is
that there is no return error handling of make_request(). But after
previous patch cleaned md_write_start(), make_requst() only return error
in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456,
md/raid456: fix a deadlock for dm-raid456 while io concurrent with
reshape)". Since dm always splits data and flush operation into two
separate io, io size of flush submitted by dm always is 0, make_request()
will not be called in md_submit_flush_data(). To prevent future
modifications from introducing issues, add WARN_ON to ensure
make_request() no error is returned in this context.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43855

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43856
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dma: fix call order in dmam_free_coherent

dmam_free_coherent() frees a DMA allocation, which makes the
freed vaddr available for reuse, then calls devres_destroy()
to remove and free the data structure used to track the DMA
allocation. Between the two calls, it is possible for a
concurrent task to make an allocation with the same vaddr
and add it to the devres list.

If this happens, there will be two entries in the devres list
with the same vaddr and devres_destroy() can free the wrong
entry, triggering the WARN_ON() in dmam_match.

Fix by destroying the devres entry before freeing the DMA
allocation.

  kokonut //net/encryption
    http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43856

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43857
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix null reference error when checking end of zone

This patch fixes a potentially null pointer being accessed by
is_end_zone_blkaddr() that checks the last block of a zone
when f2fs is mounted as a single device.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43857

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43858
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

jfs: Fix array-index-out-of-bounds in diFree
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43859
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to truncate preallocated blocks in f2fs_file_open()

chenyuwen reports a f2fs bug as below:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000011
 fscrypt_set_bio_crypt_ctx+0x78/0x1e8
 f2fs_grab_read_bio+0x78/0x208
 f2fs_submit_page_read+0x44/0x154
 f2fs_get_read_data_page+0x288/0x5f4
 f2fs_get_lock_data_page+0x60/0x190
 truncate_partial_data_page+0x108/0x4fc
 f2fs_do_truncate_blocks+0x344/0x5f0
 f2fs_truncate_blocks+0x6c/0x134
 f2fs_truncate+0xd8/0x200
 f2fs_iget+0x20c/0x5ac
 do_garbage_collect+0x5d0/0xf6c
 f2fs_gc+0x22c/0x6a4
 f2fs_disable_checkpoint+0xc8/0x310
 f2fs_fill_super+0x14bc/0x1764
 mount_bdev+0x1b4/0x21c
 f2fs_mount+0x20/0x30
 legacy_get_tree+0x50/0xbc
 vfs_get_tree+0x5c/0x1b0
 do_new_mount+0x298/0x4cc
 path_mount+0x33c/0x5fc
 __arm64_sys_mount+0xcc/0x15c
 invoke_syscall+0x60/0x150
 el0_svc_common+0xb8/0xf8
 do_el0_svc+0x28/0xa0
 el0_svc+0x24/0x84
 el0t_64_sync_handler+0x88/0xec

It is because inode.i_crypt_info is not initialized during below path:
- mount
 - f2fs_fill_super
  - f2fs_disable_checkpoint
   - f2fs_gc
    - f2fs_iget
     - f2fs_truncate

So, let's relocate truncation of preallocated blocks to f2fs_file_open(),
after fscrypt_file_open().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43859

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43860
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

remoteproc: imx_rproc: Skip over memory region when node value is NULL

In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts
number of phandles. But phandles may be empty. So of_parse_phandle() in
the parsing loop (0 < a < nph) may return NULL which is later dereferenced.
Adjust this issue by adding NULL-return check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

[Fixed title to fit within the prescribed 70-75 charcters]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43860

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43861
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: usb: qmi_wwan: fix memory leak for not ip packets

Free the unused skb when not ip packets arrive.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43861

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43862
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: wan: fsl_qmc_hdlc: Convert carrier_lock spinlock to a mutex

The carrier_lock spinlock protects the carrier detection. While it is
held, framer_get_status() is called which in turn takes a mutex.
This is not correct and can lead to a deadlock.

A run with PROVE_LOCKING enabled detected the issue:
  [ BUG: Invalid wait context ]
  ...
  c204ddbc (&framer->mutex){+.+.}-{3:3}, at: framer_get_status+0x40/0x78
  other info that might help us debug this:
  context-{4:4}
  2 locks held by ifconfig/146:
  #0: c0926a38 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x12c/0x664
  #1: c2006a40 (&qmc_hdlc->carrier_lock){....}-{2:2}, at: qmc_hdlc_framer_set_carrier+0x30/0x98

Avoid the spinlock usage and convert carrier_lock to a mutex.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43862

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43863
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Fix a deadlock in dma buf fence polling

Introduce a version of the fence ops that on release doesn't remove
the fence from the pending list, and thus doesn't require a lock to
fix poll->fence wait->fence unref deadlocks.

vmwgfx overwrites the wait callback to iterate over the list of all
fences and update their status, to do that it holds a lock to prevent
the list modifcations from other threads. The fence destroy callback
both deletes the fence and removes it from the list of pending
fences, for which it holds a lock.

dma buf polling cb unrefs a fence after it's been signaled: so the poll
calls the wait, which signals the fences, which are being destroyed.
The destruction tries to acquire the lock on the pending fences list
which it can never get because it's held by the wait from which it
was called.

Old bug, but not a lot of userspace apps were using dma-buf polling
interfaces. Fix those, in particular this fixes KDE stalls/deadlock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43863

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43871
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

devres: Fix memory leakage caused by driver API devm_free_percpu()

It will cause memory leakage when use driver API devm_free_percpu()
to free memory allocated by devm_alloc_percpu(), fixed by using
devres_release() instead of devres_destroy() within devm_free_percpu().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43871

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43872
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix soft lockup under heavy CEQE load

CEQEs are handled in interrupt handler currently. This may cause the
CPU core staying in interrupt context too long and lead to soft lockup
under heavy load.

Handle CEQEs in BH workqueue and set an upper limit for the number of
CEQE handled by a single call of work handler.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43872

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43873
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vhost/vsock: always initialize seqpacket_allow

There are two issues around seqpacket_allow:
1. seqpacket_allow is not initialized when socket is
   created. Thus if features are never set, it will be
   read uninitialized.
2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,
   then seqpacket_allow will not be cleared appropriately
   (existing apps I know about don't usually do this but
    it's legal and there's no way to be sure no one relies
    on this).

To fix:
	- initialize seqpacket_allow after allocation
	- set it unconditionally in set_features
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43873

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43874
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked

Fix a null pointer dereference induced by DEBUG_TEST_DRIVER_REMOVE.
Return from __sev_snp_shutdown_locked() if the psp_device or the
sev_device structs are not initialized. Without the fix, the driver will
produce the following splat:

   ccp 0000:55:00.5: enabling device (0000 -> 0002)
   ccp 0000:55:00.5: sev enabled
   ccp 0000:55:00.5: psp enabled
   BUG: kernel NULL pointer dereference, address: 00000000000000f0
   #PF: supervisor read access in kernel mode
   #PF: error_code(0x0000) - not-present page
   PGD 0 P4D 0
   Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
   CPU: 262 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1+ #29
   RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150
   Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83
   RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286
   RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000
   RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb2ea4014b808
   RBP: ffffb2ea4014b7e8 R08: 0000000000000106 R09: 000000000003d9c0
   R10: 0000000000000001 R11: ffffffffa39ff070 R12: ffff9e49d40590c8
   R13: 0000000000000000 R14: ffffb2ea4014b808 R15: 0000000000000000
   FS:  0000000000000000(0000) GS:ffff9e58b1e00000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00000000000000f0 CR3: 0000000418a3e001 CR4: 0000000000770ef0
   PKRU: 55555554
   Call Trace:
    <TASK>
    ? __die_body+0x6f/0xb0
    ? __die+0xcc/0xf0
    ? page_fault_oops+0x330/0x3a0
    ? save_trace+0x2a5/0x360
    ? do_user_addr_fault+0x583/0x630
    ? exc_page_fault+0x81/0x120
    ? asm_exc_page_fault+0x2b/0x30
    ? __sev_snp_shutdown_locked+0x2e/0x150
    __sev_firmware_shutdown+0x349/0x5b0
    ? pm_runtime_barrier+0x66/0xe0
    sev_dev_destroy+0x34/0xb0
    psp_dev_destroy+0x27/0x60
    sp_destroy+0x39/0x90
    sp_pci_remove+0x22/0x60
    pci_device_remove+0x4e/0x110
    really_probe+0x271/0x4e0
    __driver_probe_device+0x8f/0x160
    driver_probe_device+0x24/0x120
    __driver_attach+0xc7/0x280
    ? driver_attach+0x30/0x30
    bus_for_each_dev+0x10d/0x130
    driver_attach+0x22/0x30
    bus_add_driver+0x171/0x2b0
    ? unaccepted_memory_init_kdump+0x20/0x20
    driver_register+0x67/0x100
    __pci_register_driver+0x83/0x90
    sp_pci_init+0x22/0x30
    sp_mod_init+0x13/0x30
    do_one_initcall+0xb8/0x290
    ? sched_clock_noinstr+0xd/0x10
    ? local_clock_noinstr+0x3e/0x100
    ? stack_depot_save_flags+0x21e/0x6a0
    ? local_clock+0x1c/0x60
    ? stack_depot_save_flags+0x21e/0x6a0
    ? sched_clock_noinstr+0xd/0x10
    ? local_clock_noinstr+0x3e/0x100
    ? __lock_acquire+0xd90/0xe30
    ? sched_clock_noinstr+0xd/0x10
    ? local_clock_noinstr+0x3e/0x100
    ? __create_object+0x66/0x100
    ? local_clock+0x1c/0x60
    ? __create_object+0x66/0x100
    ? parameq+0x1b/0x90
    ? parse_one+0x6d/0x1d0
    ? parse_args+0xd7/0x1f0
    ? do_initcall_level+0x180/0x180
    do_initcall_level+0xb0/0x180
    do_initcalls+0x60/0xa0
    ? kernel_init+0x1f/0x1d0
    do_basic_setup+0x41/0x50
    kernel_init_freeable+0x1ac/0x230
    ? rest_init+0x1f0/0x1f0
    kernel_init+0x1f/0x1d0
    ? rest_init+0x1f0/0x1f0
    ret_from_fork+0x3d/0x50
    ? rest_init+0x1f0/0x1f0
    ret_from_fork_asm+0x11/0x20
    </TASK>
   Modules linked in:
   CR2: 00000000000000f0
   ---[ end trace 0000000000000000 ]---
   RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150
   Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83
   RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286
   RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000
   RDX: 0000000
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43874

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43882
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

exec: Fix ToCToU between perm check and set-uid/gid usage

When opening a file for exec via do_filp_open(), permission checking is
done against the file's metadata at that moment, and on success, a file
pointer is passed back. Much later in the execve() code path, the file
metadata (specifically mode, uid, and gid) is used to determine if/how
to set the uid and gid. However, those values may have changed since the
permissions check, meaning the execution may gain unintended privileges.

For example, if a file could change permissions from executable and not
set-id:

---------x 1 root root 16048 Aug  7 13:16 target

to set-id and non-executable:

---S------ 1 root root 16048 Aug  7 13:16 target

it is possible to gain root privileges when execution should have been
disallowed.

While this race condition is rare in real-world scenarios, it has been
observed (and proven exploitable) when package managers are updating
the setuid bits of installed programs. Such files start with being
world-executable but then are adjusted to be group-exec with a set-uid
bit. For example, "chmod o-x,u+s target" makes "target" executable only
by uid "root" and gid "cdrom", while also becoming setuid-root:

-rwxr-xr-x 1 root cdrom 16048 Aug  7 13:16 target

becomes:

-rwsr-xr-- 1 root cdrom 16048 Aug  7 13:16 target

But racing the chmod means users without group "cdrom" membership can
get the permission to execute "target" just before the chmod, and when
the chmod finishes, the exec reaches brpm_fill_uid(), and performs the
setuid to root, violating the expressed authorization of "only cdrom
group members can setuid to root".

Re-check that we still have execute permissions in case the metadata
has changed. It would be better to keep a copy from the perm-check time,
but until we can do that refactoring, the least-bad option is to do a
full inode_permission() call (under inode lock). It is understood that
this is safe against dead-locks, but hardly optimal.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43882

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43884
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Add error handling to pair_device()

hci_conn_params_add() never checks for a NULL value and could lead to a NULL
pointer dereference causing a crash.

Fixed by adding error handling in the function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43886
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check in resource_log_pipe_topology_update

[WHY]
When switching from "Extend" to "Second Display Only" we sometimes
call resource_get_otg_master_for_stream on a stream for the eDP,
which is disconnected. This leads to a null pointer dereference.

[HOW]
Added a null check in dc_resource.c/resource_log_pipe_topology_update.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43886

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43887
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Disable TCP-AO static key after RCU grace period

The lifetime of TCP-AO static_key is the same as the last
tcp_ao_info. On the socket destruction tcp_ao_info ceases to be
with RCU grace period, while tcp-ao static branch is currently deferred
destructed. The static key definition is
: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);

which means that if RCU grace period is delayed by more than a second
and tcp_ao_needed is in the process of disablement, other CPUs may
yet see tcp_ao_info which atent dead, but soon-to-be.
And that breaks the assumption of static_key_fast_inc_not_disabled().

See the comment near the definition:
> * The caller must make sure that the static key can't get disabled while
> * in this function. It doesn't patch jump labels, only adds a user to
> * an already enabled static key.

Originally it was introduced in commit eb8c507296f6 ("jump_label:
Prevent key->enabled int overflow"), which is needed for the atomic
contexts, one of which would be the creation of a full socket from a
request socket. In that atomic context, it's known by the presence
of the key (md5/ao) that the static branch is already enabled.
So, the ref counter for that static branch is just incremented
instead of holding the proper mutex.
static_key_fast_inc_not_disabled() is just a helper for such usage
case. But it must not be used if the static branch could get disabled
in parallel as it's not protected by jump_label_mutex and as a result,
races with jump_label_update() implementation details.

Happened on netdev test-bot[1], so not a theoretical issue:

[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1
[] ------------[ cut here ]------------
[] kernel BUG at arch/x86/kernel/jump_label.c:73!
[] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1
[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[] Workqueue: events jump_label_update_timeout
[] RIP: 0010:__jump_label_patch+0x2f6/0x350
...
[] Call Trace:
[]  <TASK>
[]  arch_jump_label_transform_queue+0x6c/0x110
[]  __jump_label_update+0xef/0x350
[]  __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60
[]  jump_label_update_timeout+0x2c/0x40
[]  process_one_work+0xe3b/0x1670
[]  worker_thread+0x587/0xce0
[]  kthread+0x28a/0x350
[]  ret_from_fork+0x31/0x70
[]  ret_from_fork_asm+0x1a/0x30
[]  </TASK>
[] Modules linked in: veth
[] ---[ end trace 0000000000000000 ]---
[] RIP: 0010:__jump_label_patch+0x2f6/0x350

[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43887

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43888
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: list_lru: fix UAF for memory cgroup

The mem_cgroup_from_slab_obj() is supposed to be called under rcu lock or
cgroup_mutex or others which could prevent returned memcg from being
freed.  Fix it by adding missing rcu read lock.

Found by code inspection.

[songmuchun@bytedance.com: only grab rcu lock when necessary, per Vlastimil]
  Link: https://lkml.kernel.org/r/20240801024603.1865-1-songmuchun@bytedance.com
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43888

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43889
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

padata: Fix possible divide-by-0 panic in padata_mt_helper()

We are hit with a not easily reproducible divide-by-0 panic in padata.c at
bootup time.

  [   10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI
  [   10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1
  [   10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021
  [   10.017908] Workqueue: events_unbound padata_mt_helper
  [   10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0
    :
  [   10.017963] Call Trace:
  [   10.017968]  <TASK>
  [   10.018004]  ? padata_mt_helper+0x39/0xb0
  [   10.018084]  process_one_work+0x174/0x330
  [   10.018093]  worker_thread+0x266/0x3a0
  [   10.018111]  kthread+0xcf/0x100
  [   10.018124]  ret_from_fork+0x31/0x50
  [   10.018138]  ret_from_fork_asm+0x1a/0x30
  [   10.018147]  </TASK>

Looking at the padata_mt_helper() function, the only way a divide-by-0
panic can happen is when ps->chunk_size is 0.  The way that chunk_size is
initialized in padata_do_multithreaded(), chunk_size can be 0 when the
min_chunk in the passed-in padata_mt_job structure is 0.

Fix this divide-by-0 panic by making sure that chunk_size will be at least
1 no matter what the input parameters are.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43889

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43890
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix overflow in get_free_elt()

"tracing_map->next_elt" in get_free_elt() is at risk of overflowing.

Once it overflows, new elements can still be inserted into the tracing_map
even though the maximum number of elements (`max_elts`) has been reached.
Continuing to insert elements after the overflow could result in the
tracing_map containing "tracing_map->max_size" elements, leaving no empty
entries.
If any attempt is made to insert an element into a full tracing_map using
`__tracing_map_insert()`, it will cause an infinite loop with preemption
disabled, leading to a CPU hang problem.

Fix this by preventing any further increments to "tracing_map->next_elt"
once it reaches "tracing_map->max_elt".
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43890

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43891
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing: Have format file honor EVENT_FILE_FL_FREED

When eventfs was introduced, special care had to be done to coordinate the
freeing of the file meta data with the files that are exposed to user
space. The file meta data would have a ref count that is set when the file
is created and would be decremented and freed after the last user that
opened the file closed it. When the file meta data was to be freed, it
would set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,
and any new references made (like new opens or reads) would fail as it is
marked freed. This allowed other meta data to be freed after this flag was
set (under the event_mutex).

All the files that were dynamically created in the events directory had a
pointer to the file meta data and would call event_release() when the last
reference to the user space file was closed. This would be the time that it
is safe to free the file meta data.

A shortcut was made for the "format" file. It's i_private would point to
the "call" entry directly and not point to the file's meta data. This is
because all format files are the same for the same "call", so it was
thought there was no reason to differentiate them.  The other files
maintain state (like the "enable", "trigger", etc). But this meant if the
file were to disappear, the "format" file would be unaware of it.

This caused a race that could be trigger via the user_events test (that
would create dynamic events and free them), and running a loop that would
read the user_events format files:

In one console run:

 # cd tools/testing/selftests/user_events
 # while true; do ./ftrace_test; done

And in another console run:

 # cd /sys/kernel/tracing/
 # while true; do cat events/user_events/__test_event/format; done 2>/dev/null

With KASAN memory checking, it would trigger a use-after-free bug report
(which was a real bug). This was because the format file was not checking
the file's meta data flag "EVENT_FILE_FL_FREED", so it would access the
event that the file meta data pointed to after the event was freed.

After inspection, there are other locations that were found to not check
the EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a
new helper function: event_file_file() that will make sure that the
event_mutex is held, and will return NULL if the trace_event_file has the
EVENT_FILE_FL_FREED flag set. Have the first reference of the struct file
pointer use event_file_file() and check for NULL. Later uses can still use
the event_file_data() helper function if the event_mutex is still held and
was not released since the event_file_file() call.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43891

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43892
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

memcg: protect concurrent access to mem_cgroup_idr

Commit 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after
many small jobs") decoupled the memcg IDs from the CSS ID space to fix the
cgroup creation failures.  It introduced IDR to maintain the memcg ID
space.  The IDR depends on external synchronization mechanisms for
modifications.  For the mem_cgroup_idr, the idr_alloc() and idr_replace()
happen within css callback and thus are protected through cgroup_mutex
from concurrent modifications.  However idr_remove() for mem_cgroup_idr
was not protected against concurrency and can be run concurrently for
different memcgs when they hit their refcnt to zero.  Fix that.

We have been seeing list_lru based kernel crashes at a low frequency in
our fleet for a long time.  These crashes were in different part of
list_lru code including list_lru_add(), list_lru_del() and reparenting
code.  Upon further inspection, it looked like for a given object (dentry
and inode), the super_block's list_lru didn't have list_lru_one for the
memcg of that object.  The initial suspicions were either the object is
not allocated through kmem_cache_alloc_lru() or somehow
memcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but
returned success.  No evidence were found for these cases.

Looking more deeply, we started seeing situations where valid memcg's id
is not present in mem_cgroup_idr and in some cases multiple valid memcgs
have same id and mem_cgroup_idr is pointing to one of them.  So, the most
reasonable explanation is that these situations can happen due to race
between multiple idr_remove() calls or race between
idr_alloc()/idr_replace() and idr_remove().  These races are causing
multiple memcgs to acquire the same ID and then offlining of one of them
would cleanup list_lrus on the system for all of them.  Later access from
other memcgs to the list_lru cause crashes due to missing list_lru_one.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43892

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43893
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: core: check uartclk for zero to avoid divide by zero

Calling ioctl TIOCSSERIAL with an invalid baud_base can
result in uartclk being zero, which will result in a
divide by zero error in uart_get_divisor(). The check for
uartclk being zero in uart_set_info() needs to be done
before other settings are made as subsequent calls to
ioctl TIOCSSERIAL for the same port would be impacted if
the uartclk check was done where uartclk gets set.

Oops: divide error: 0000  PREEMPT SMP KASAN PTI
RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)
Call Trace:
 <TASK>
serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576
    drivers/tty/serial/8250/8250_port.c:2589)
serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502
    drivers/tty/serial/8250/8250_port.c:2741)
serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)
uart_change_line_settings (./include/linux/spinlock.h:376
    ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)
uart_port_startup (drivers/tty/serial/serial_core.c:342)
uart_startup (drivers/tty/serial/serial_core.c:368)
uart_set_info (drivers/tty/serial/serial_core.c:1034)
uart_set_info_user (drivers/tty/serial/serial_core.c:1059)
tty_set_serial (drivers/tty/tty_io.c:2637)
tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)
__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907
    fs/ioctl.c:893 fs/ioctl.c:893)
do_syscall_64 (arch/x86/entry/common.c:52
    (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Rule: add
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43893

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43894
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/client: fix null pointer dereference in drm_client_modeset_probe

In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is
assigned to modeset->mode, which will lead to a possible NULL pointer
dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43894

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43895
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Skip Recompute DSC Params if no Stream on Link

[why]
Encounter NULL pointer dereference uner mst + dsc setup.

BUG: kernel NULL pointer dereference, address: 0000000000000008
    PGD 0 P4D 0
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2
    Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022
    RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
    Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
    RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
    RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
    RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
    RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
    R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
    R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
    FS:  00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0
    Call Trace:
<TASK>
     ? __die+0x23/0x70
     ? page_fault_oops+0x171/0x4e0
     ? plist_add+0xbe/0x100
     ? exc_page_fault+0x7c/0x180
     ? asm_exc_page_fault+0x26/0x30
     ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
     ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
     compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
     ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
     compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
     amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
     drm_atomic_check_only+0x5c5/0xa40
     drm_mode_atomic_ioctl+0x76e/0xbc0

[how]
dsc recompute should be skipped if no mode change detected on the new
request. If detected, keep checking whether the stream is already on
current state or not.

(cherry picked from commit 8151a6c13111b465dbabe07c19f572f7cbd16fef)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43896
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: cs-amp-lib: Fix NULL pointer crash if efi.get_variable is NULL

Call efi_rt_services_supported() to check that efi.get_variable exists
before calling it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43896

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43897
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: drop bad gso csum_start and offset in virtio_net_hdr

Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb
for GSO packets.

The function already checks that a checksum requested with
VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets
this might not hold for segs after segmentation.

Syzkaller demonstrated to reach this warning in skb_checksum_help

	offset = skb_checksum_start_offset(skb);
	ret = -EINVAL;
	if (WARN_ON_ONCE(offset >= skb_headlen(skb)))

By injecting a TSO packet:

WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0
 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774
 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline]
 __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301
 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4850 [inline]
 netdev_start_xmit include/linux/netdevice.h:4864 [inline]
 xmit_one net/core/dev.c:3595 [inline]
 dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611
 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261
 packet_snd net/packet/af_packet.c:3073 [inline]

The geometry of the bad input packet at tcp_gso_segment:

[   52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0
[   52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244
[   52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))
[   52.003050][ T8403] csum(0x60000c7 start=199 offset=1536
ip_summed=3 complete_sw=0 valid=0 level=0)

Mitigate with stricter input validation.

csum_offset: for GSO packets, deduce the correct value from gso_type.
This is already done for USO. Extend it to TSO. Let UFO be:
udp[46]_ufo_fragment ignores these fields and always computes the
checksum in software.

csum_start: finding the real offset requires parsing to the transport
header. Do not add a parser, use existing segmentation parsing. Thanks
to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.
Again test both TSO and USO. Do not test UFO for the above reason, and
do not test UDP tunnel offload.

GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be
CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit
from devices with no checksum offload"), but then still these fields
are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no
need to test for ip_summed == CHECKSUM_PARTIAL first.

This revises an existing fix mentioned in the Fixes tag, which broke
small packets with GSO offload, as detected by kselftests.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43897

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43899
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix null pointer deref in dcn20_resource.c

Fixes a hang thats triggered when MPV is run on a DCN401 dGPU:

mpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all

and then enabling fullscreen playback (double click on the video)

The following calltrace will be seen:

[  181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  181.843997] #PF: supervisor instruction fetch in kernel mode
[  181.844003] #PF: error_code(0x0010) - not-present page
[  181.844009] PGD 0 P4D 0
[  181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI
[  181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G        W  OE      6.5.0-41-generic #41~22.04.2-Ubuntu
[  181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018
[  181.844044] RIP: 0010:0x0
[  181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[  181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246
[  181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
[  181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400
[  181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c
[  181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8
[  181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005
[  181.844121] FS:  00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000
[  181.844128] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0
[  181.844141] Call Trace:
[  181.844146]  <TASK>
[  181.844153]  ? show_regs+0x6d/0x80
[  181.844167]  ? __die+0x24/0x80
[  181.844179]  ? page_fault_oops+0x99/0x1b0
[  181.844192]  ? do_user_addr_fault+0x31d/0x6b0
[  181.844204]  ? exc_page_fault+0x83/0x1b0
[  181.844216]  ? asm_exc_page_fault+0x27/0x30
[  181.844237]  dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]
[  181.845115]  amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]
[  181.845985]  amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]
[  181.846848]  fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]
[  181.847734]  fill_dc_plane_attributes+0x162/0x350 [amdgpu]
[  181.848748]  dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]
[  181.849791]  ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]
[  181.850840]  amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43899

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43900
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: xc2028: avoid use-after-free in load_firmware_cb()

syzkaller reported use-after-free in load_firmware_cb() [1].
The reason is because the module allocated a struct tuner in tuner_probe(),
and then the module initialization failed, the struct tuner was released.
A worker which created during module initialization accesses this struct
tuner later, it caused use-after-free.

The process is as follows:

task-6504           worker_thread
tuner_probe                             <= alloc dvb_frontend [2]
...
request_firmware_nowait                 <= create a worker
...
tuner_remove                            <= free dvb_frontend
...
                    request_firmware_work_func  <= the firmware is ready
                    load_firmware_cb    <= but now the dvb_frontend has been freed

To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is
null, report a warning and just return.

[1]:
    ==================================================================
     BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
     Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504

     Call trace:
      load_firmware_cb+0x1310/0x17a0
      request_firmware_work_func+0x128/0x220
      process_one_work+0x770/0x1824
      worker_thread+0x488/0xea0
      kthread+0x300/0x430
      ret_from_fork+0x10/0x20

     Allocated by task 6504:
      kzalloc
      tuner_probe+0xb0/0x1430
      i2c_device_probe+0x92c/0xaf0
      really_probe+0x678/0xcd0
      driver_probe_device+0x280/0x370
      __device_attach_driver+0x220/0x330
      bus_for_each_drv+0x134/0x1c0
      __device_attach+0x1f4/0x410
      device_initial_probe+0x20/0x30
      bus_probe_device+0x184/0x200
      device_add+0x924/0x12c0
      device_register+0x24/0x30
      i2c_new_device+0x4e0/0xc44
      v4l2_i2c_new_subdev_board+0xbc/0x290
      v4l2_i2c_new_subdev+0xc8/0x104
      em28xx_v4l2_init+0x1dd0/0x3770

     Freed by task 6504:
      kfree+0x238/0x4e4
      tuner_remove+0x144/0x1c0
      i2c_device_remove+0xc8/0x290
      __device_release_driver+0x314/0x5fc
      device_release_driver+0x30/0x44
      bus_remove_device+0x244/0x490
      device_del+0x350/0x900
      device_unregister+0x28/0xd0
      i2c_unregister_device+0x174/0x1d0
      v4l2_device_unregister+0x224/0x380
      em28xx_v4l2_init+0x1d90/0x3770

     The buggy address belongs to the object at ffff8000d7ca2000
      which belongs to the cache kmalloc-2k of size 2048
     The buggy address is located 776 bytes inside of
      2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
     The buggy address belongs to the page:
     page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
     flags: 0x7ff800000000100(slab)
     raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
     raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
     page dumped because: kasan: bad access detected

     Memory state around the buggy address:
      ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                           ^
      ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ==================================================================

[2]
    Actually, it is allocated for struct tuner, and dvb_frontend is inside.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43900

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43901
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401

When users run the command:

cat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log

The following NULL pointer dereference happens:

[  +0.000003] BUG: kernel NULL pointer dereference, address: NULL
[  +0.000005] #PF: supervisor instruction fetch in kernel mode
[  +0.000002] #PF: error_code(0x0010) - not-present page
[  +0.000002] PGD 0 P4D 0
[  +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI
[  +0.000003] RIP: 0010:0x0
[  +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[...]
[  +0.000002] PKRU: 55555554
[  +0.000002] Call Trace:
[  +0.000002]  <TASK>
[  +0.000003]  ? show_regs+0x65/0x70
[  +0.000006]  ? __die+0x24/0x70
[  +0.000004]  ? page_fault_oops+0x160/0x470
[  +0.000006]  ? do_user_addr_fault+0x2b5/0x690
[  +0.000003]  ? prb_read_valid+0x1c/0x30
[  +0.000005]  ? exc_page_fault+0x8c/0x1a0
[  +0.000005]  ? asm_exc_page_fault+0x27/0x30
[  +0.000012]  dcn10_log_color_state+0xf9/0x510 [amdgpu]
[  +0.000306]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000003]  ? vsnprintf+0x2fb/0x600
[  +0.000009]  dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]
[  +0.000218]  ? __mod_memcg_lruvec_state+0xe8/0x170
[  +0.000008]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  ? debug_smp_processor_id+0x17/0x20
[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  ? set_ptes.isra.0+0x2b/0x90
[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  ? _raw_spin_unlock+0x19/0x40
[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  ? do_anonymous_page+0x337/0x700
[  +0.000004]  dtn_log_read+0x82/0x120 [amdgpu]
[  +0.000207]  full_proxy_read+0x66/0x90
[  +0.000007]  vfs_read+0xb0/0x340
[  +0.000005]  ? __count_memcg_events+0x79/0xe0
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000003]  ? count_memcg_events.constprop.0+0x1e/0x40
[  +0.000003]  ? handle_mm_fault+0xb2/0x370
[  +0.000003]  ksys_read+0x6b/0xf0
[  +0.000004]  __x64_sys_read+0x19/0x20
[  +0.000003]  do_syscall_64+0x60/0x130
[  +0.000004]  entry_SYSCALL_64_after_hwframe+0x6e/0x76
[  +0.000003] RIP: 0033:0x7fdf32f147e2
[...]

This error happens when the color log tries to read the gamut remap
information from DCN401 which is not initialized in the dcn401_dpp_funcs
which leads to a null pointer dereference. This commit addresses this
issue by adding a proper guard to access the gamut_remap callback in
case the specific ASIC did not implement this function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43901

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43902
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null checker before passing variables

Checks null pointer before passing variables to functions.

This fixes 3 NULL_RETURNS issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43902

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43903
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update

This commit adds a null check for the 'afb' variable in the
amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was
assumed to be null, but was used later in the code without a null check.
This could potentially lead to a null pointer dereference.

Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43903

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43904
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing

This commit adds null checks for the 'stream' and 'plane' variables in
the dcn30_apply_idle_power_optimizations function. These variables were
previously assumed to be null at line 922, but they were used later in
the code without checking if they were null. This could potentially lead
to a null pointer dereference, which would cause a crash.

The null checks ensure that 'stream' and 'plane' are not null before
they are used, preventing potential crashes.

Fixes the below static smatch checker:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43905
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr

Check return value and conduct null pointer handling to avoid null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43905

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43906
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/admgpu: fix dereferencing null pointer context

When user space sets an invalid ta type, the pointer context will be empty.
So it need to check the pointer context before using it
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43906

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43907
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules

Check the pointer value to fix potential null pointer
dereference
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43907

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43908
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix the null pointer dereference to ras_manager

Check ras_manager before using it
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43908

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43909
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/pm: Fix the null pointer dereference for smu7

optimize the code to avoid pass a null pointer (hwmgr->backend)
to function smu7_update_edc_leakage_table.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43910
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses

Currently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to
a global function as an argument. The adverse effects of this is that
BPF helpers can continue to make use of this modified
CONST_PTR_TO_DYNPTR from within the context of the global function,
which can unintentionally result in out-of-bounds memory accesses and
therefore compromise overall system stability i.e.

[  244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140
[  244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302
[  244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533
[  244.174318] Call Trace:
[  244.175787]  <TASK>
[  244.177356]  dump_stack_lvl+0x66/0xa0
[  244.179531]  print_report+0xce/0x670
[  244.182314]  ? __virt_addr_valid+0x200/0x3e0
[  244.184908]  kasan_report+0xd7/0x110
[  244.187408]  ? bpf_dynptr_data+0x137/0x140
[  244.189714]  ? bpf_dynptr_data+0x137/0x140
[  244.192020]  bpf_dynptr_data+0x137/0x140
[  244.194264]  bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26
[  244.198044]  bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23
[  244.202136]  bpf_user_ringbuf_drain+0x2c7/0x570
[  244.204744]  ? 0xffffffffc0009e58
[  244.206593]  ? __pfx_bpf_user_ringbuf_drain+0x10/0x10
[  244.209795]  bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b
[  244.215922]  bpf_trampoline_6442502480+0x43/0xe3
[  244.218691]  __x64_sys_prlimit64+0x9/0xf0
[  244.220912]  do_syscall_64+0xc1/0x1d0
[  244.223043]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  244.226458] RIP: 0033:0x7ffa3eb8f059
[  244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48
[  244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e
[  244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059
[  244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0
[  244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000
[  244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80
[  244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000
[  244.268303]  </TASK>

Add a check_func_arg_reg_off() to the path in which the BPF verifier
verifies the arguments of global function arguments, specifically
those which take an argument of type ARG_PTR_TO_DYNPTR |
MEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any
explicit and strict type matching on the supplied register type, so
let's also enforce that a register either type PTR_TO_STACK or
CONST_PTR_TO_DYNPTR is by the caller.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43911
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL dereference at band check in starting tx ba session

In MLD connection, link_data/link_conf are dynamically allocated. They
don't point to vif->bss_conf. So, there will be no chanreq assigned to
vif->bss_conf and then the chan will be NULL. Tweak the code to check
ht_supported/vht_supported/has_he/has_eht on sta deflink.

Crash log (with rtw89 version under MLO development):
[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 9890.526102] #PF: supervisor read access in kernel mode
[ 9890.526105] #PF: error_code(0x0000) - not-present page
[ 9890.526109] PGD 0 P4D 0
[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI
[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G           OE      6.9.0 #1
[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018
[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]
[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211
[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3
All code
========
   0:	f7 e8                	imul   %eax
   2:	d5                   	(bad)
   3:	93                   	xchg   %eax,%ebx
   4:	3e ea                	ds (bad)
   6:	48 83 c4 28          	add    $0x28,%rsp
   a:	89 d8                	mov    %ebx,%eax
   c:	5b                   	pop    %rbx
   d:	41 5c                	pop    %r12
   f:	41 5d                	pop    %r13
  11:	41 5e                	pop    %r14
  13:	41 5f                	pop    %r15
  15:	5d                   	pop    %rbp
  16:	c3                   	retq
  17:	cc                   	int3
  18:	cc                   	int3
  19:	cc                   	int3
  1a:	cc                   	int3
  1b:	49 8b 84 24 e0 f1 ff 	mov    -0xe20(%r12),%rax
  22:	ff
  23:	48 8b 80 90 1b 00 00 	mov    0x1b90(%rax),%rax
  2a:*	83 38 03             	cmpl   $0x3,(%rax)		<-- trapping instruction
  2d:	0f 84 37 fe ff ff    	je     0xfffffffffffffe6a
  33:	bb ea ff ff ff       	mov    $0xffffffea,%ebx
  38:	eb cc                	jmp    0x6
  3a:	49                   	rex.WB
  3b:	8b                   	.byte 0x8b
  3c:	84 24 10             	test   %ah,(%rax,%rdx,1)
  3f:	f3                   	repz

Code starting with the faulting instruction
===========================================
   0:	83 38 03             	cmpl   $0x3,(%rax)
   3:	0f 84 37 fe ff ff    	je     0xfffffffffffffe40
   9:	bb ea ff ff ff       	mov    $0xffffffea,%ebx
   e:	eb cc                	jmp    0xffffffffffffffdc
  10:	49                   	rex.WB
  11:	8b                   	.byte 0x8b
  12:	84 24 10             	test   %ah,(%rax,%rdx,1)
  15:	f3                   	repz
[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246
[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8
[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685
[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873
[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70
[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000
[ 9890.526313] FS:  0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000
[ 9890.526316] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0
[ 9890.526321] Call Trace:
[ 9890.526324]  <TASK>
[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)
[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)
[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43912
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: disallow setting special AP channel widths

Setting the AP channel width is meant for use with the normal
20/40/... MHz channel width progression, and switching around
in S1G or narrow channels isn't supported. Disallow that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43913
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvme: apple: fix device reference counting

Drivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.
Split the allocation side out to make the error handling boundary easier
to navigate. The apple driver had been doing this wrong, leaking the
controller device memory on a tagset failure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-43914
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

md/raid5: avoid BUG_ON() while continue reshape after reassembling

Currently, mdadm support --revert-reshape to abort the reshape while
reassembling, as the test 07revert-grow. However, following BUG_ON()
can be triggerred by the test:

kernel BUG at drivers/md/raid5.c:6278!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
irq event stamp: 158985
CPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94
RIP: 0010:reshape_request+0x3f1/0xe60
Call Trace:
 <TASK>
 raid5_sync_request+0x43d/0x550
 md_do_sync+0xb7a/0x2110
 md_thread+0x294/0x2b0
 kthread+0x147/0x1c0
 ret_from_fork+0x59/0x70
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Root cause is that --revert-reshape update the raid_disks from 5 to 4,
while reshape position is still set, and after reassembling the array,
reshape position will be read from super block, then during reshape the
checking of 'writepos' that is caculated by old reshape position will
fail.

Fix this panic the easy way first, by converting the BUG_ON() to
WARN_ON(), and stop the reshape if checkings fail.

Noted that mdadm must fix --revert-shape as well, and probably md/raid
should enhance metadata validation as well, however this means
reassemble will fail and there must be user tools to fix the wrong
metadata.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44931
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gpio: prevent potential speculation leaks in gpio_device_get_desc()

Userspace may trigger a speculative read of an address outside the gpio
descriptor array.
Users can do that by calling gpio_ioctl() with an offset out of range.
Offset is copied from user and then used as an array index to get
the gpio descriptor without sanitization in gpio_device_get_desc().

This change ensures that the offset is sanitized by using
array_index_nospec() to mitigate any possibility of speculative
information leaks.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44931

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44932
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

idpf: fix UAFs when destroying the queues

The second tagged commit started sometimes (very rarely, but possible)
throwing WARNs from
net/core/page_pool.c:page_pool_disable_direct_recycling().
Turned out idpf frees interrupt vectors with embedded NAPIs *before*
freeing the queues making page_pools' NAPI pointers lead to freed
memory before these pools are destroyed by libeth.
It's not clear whether there are other accesses to the freed vectors
when destroying the queues, but anyway, we usually free queue/interrupt
vectors only when the queues are destroyed and the NAPIs are guaranteed
to not be referenced anywhere.

Invert the allocation and freeing logic making queue/interrupt vectors
be allocated first and freed last. Vectors don't require queues to be
present, so this is safe. Additionally, this change allows to remove
that useless queue->q_vector pointer cleanup, as vectors are still
valid when freeing the queues (+ both are freed within one function,
so it's not clear why nullify the pointers at all).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44933
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()

A recent commit has modified the code in __bnxt_reserve_rings() to
set the default RSS indirection table to default only when the number
of RX rings is changing.  While this works for newer firmware that
requires RX ring reservations, it causes the regression on older
firmware not requiring RX ring resrvations (BNXT_NEW_RM() returns
false).

With older firmware, RX ring reservations are not required and so
hw_resc->resv_rx_rings is not always set to the proper value.  The
comparison:

if (old_rx_rings != bp->hw_resc.resv_rx_rings)

in __bnxt_reserve_rings() may be false even when the RX rings are
changing.  This will cause __bnxt_reserve_rings() to skip setting
the default RSS indirection table to default to match the current
number of RX rings.  This may later cause bnxt_fill_hw_rss_tbl() to
use an out-of-range index.

We already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this
scenario.  We just need to move it up in bnxt_need_reserve_rings()
to be called unconditionally when using older firmware.  Without the
fix, if the TX rings are changing, we'll skip the
bnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also
skip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained
in the last paragraph.  Without setting the default RSS indirection
table to default, it causes the regression:

BUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40
Read of size 2 at addr ffff8881c5809618 by task ethtool/31525
Call Trace:
__bnxt_hwrm_vnic_set_rss+0xb79/0xe40
 bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460
 __bnxt_setup_vnic_p5+0x12e/0x270
 __bnxt_open_nic+0x2262/0x2f30
 bnxt_open_nic+0x5d/0xf0
 ethnl_set_channels+0x5d4/0xb30
 ethnl_default_set_doit+0x2f1/0x620
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44933

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44934
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: bridge: mcast: wait for previous gc cycles when removing port

syzbot hit a use-after-free[1] which is caused because the bridge doesn't
make sure that all previous garbage has been collected when removing a
port. What happens is:
      CPU 1                   CPU 2
 start gc cycle           remove port
                         acquire gc lock first
 wait for lock
                         call br_multicasg_gc() directly
 acquire lock now but    free port
 the port can be freed
 while grp timers still
 running

Make sure all previous gc cycles have finished by using flush_work before
freeing the port.

[1]
  BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
  Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699

  CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
   print_address_description mm/kasan/report.c:377 [inline]
   print_report+0xc3/0x620 mm/kasan/report.c:488
   kasan_report+0xd9/0x110 mm/kasan/report.c:601
   br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
   call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
   expire_timers kernel/time/timer.c:1843 [inline]
   __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
   __run_timer_base kernel/time/timer.c:2428 [inline]
   __run_timer_base kernel/time/timer.c:2421 [inline]
   run_timer_base+0x111/0x190 kernel/time/timer.c:2437
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44935
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sctp: Fix null-ptr-deref in reuseport_add_sock().

syzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in
reuseport_add_sock(). [0]

The repro first creates a listener with SO_REUSEPORT.  Then, it creates
another listener on the same port and concurrently closes the first
listener.

The second listen() calls reuseport_add_sock() with the first listener as
sk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,
but the close() does clear it by reuseport_detach_sock().

The problem is SCTP does not properly synchronise reuseport_alloc(),
reuseport_add_sock(), and reuseport_detach_sock().

The caller of reuseport_alloc() and reuseport_{add,detach}_sock() must
provide synchronisation for sockets that are classified into the same
reuseport group.

Otherwise, such sockets form multiple identical reuseport groups, and
all groups except one would be silently dead.

  1. Two sockets call listen() concurrently
  2. No socket in the same group found in sctp_ep_hashtable[]
  3. Two sockets call reuseport_alloc() and form two reuseport groups
  4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives
      incoming packets

Also, the reported null-ptr-deref could occur.

TCP/UDP guarantees that would not happen by holding the hash bucket lock.

Let's apply the locking strategy to __sctp_hash_endpoint() and
__sctp_unhash_endpoint().

[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350
Code: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14
RSP: 0018:ffffc9000b947c98 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012
RBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385
R10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __sctp_hash_endpoint net/sctp/input.c:762 [inline]
 sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790
 sctp_listen_start net/sctp/socket.c:8570 [inline]
 sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625
 __sys_listen_socket net/socket.c:1883 [inline]
 __sys_listen+0x1b7/0x230 net/socket.c:1894
 __do_sys_listen net/socket.c:1902 [inline]
 __se_sys_listen net/socket.c:1900 [inline]
 __x64_sys_listen+0x5a/0x70 net/socket.c:1900
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f24e46039b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032
RAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9
RDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004
RBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0
R10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c
R13:
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44935

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44936
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

power: supply: rt5033: Bring back i2c_set_clientdata

Commit 3a93da231c12 ("power: supply: rt5033: Use devm_power_supply_register() helper")
reworked the driver to use devm. While at it, the i2c_set_clientdata
was dropped along with the remove callback. Unfortunately other parts
of the driver also rely on i2c clientdata so this causes kernel oops.

Bring the call back to fix the driver.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44936

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44937
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

platform/x86: intel-vbtn: Protect ACPI notify handler against recursion

Since commit e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on
all CPUs") ACPI notify handlers like the intel-vbtn notify_handler() may
run on multiple CPU cores racing with themselves.

This race gets hit on Dell Venue 7140 tablets when undocking from
the keyboard, causing the handler to try and register priv->switches_dev
twice, as can be seen from the dev_info() message getting logged twice:

[ 83.861800] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event
[ 83.861858] input: Intel Virtual Switches as /devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17
[ 83.861865] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event

After which things go seriously wrong:
[ 83.861872] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17'
...
[ 83.861967] kobject: kobject_add_internal failed for input17 with -EEXIST, don't try to register things with the same name in the same directory.
[ 83.877338] BUG: kernel NULL pointer dereference, address: 0000000000000018
...

Protect intel-vbtn notify_handler() from racing with itself with a mutex
to fix this.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44937

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44938
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

jfs: Fix shift-out-of-bounds in dbDiscardAG

When searching for the next smaller log2 block, BLKSTOL2() returned 0,
causing shift exponent -1 to be negative.

This patch fixes the issue by exiting the loop directly when negative
shift is found.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44938

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44939
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

jfs: fix null ptr deref in dtInsertEntry

[syzbot reported]
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713
...
[Analyze]
In dtInsertEntry(), when the pointer h has the same value as p, after writing
name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the
previously true judgment "p->header.flag & BT-LEAF" to change to no after writing
the name operation, this leads to entering an incorrect branch and accessing the
uninitialized object ih when judging this condition for the second time.

[Fix]
After got the page, check freelist first, if freelist == 0 then exit dtInsert()
and return -EINVAL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44939

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44940
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fou: remove warn in gue_gro_receive on unsupported protocol

Drop the WARN_ON_ONCE inn gue_gro_receive if the encapsulated type is
not known or does not have a GRO handler.

Such a packet is easily constructed. Syzbot generates them and sets
off this warning.

Remove the warning as it is expected and not actionable.

The warning was previously reduced from WARN_ON to WARN_ON_ONCE in
commit 270136613bf7 ("fou: Do WARN_ON_ONCE in gue_gro_receive for bad
proto callbacks").
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44940

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44941
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to cover read extent cache access with lock

syzbot reports a f2fs bug as below:

BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097

CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
 do_read_inode fs/f2fs/inode.c:509 [inline]
 f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560
 f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237
 generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413
 exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444
 exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584
 do_handle_to_path fs/fhandle.c:155 [inline]
 handle_to_path fs/fhandle.c:210 [inline]
 do_handle_open+0x495/0x650 fs/fhandle.c:226
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

We missed to cover sanity_check_extent_cache() w/ extent cache lock,
so, below race case may happen, result in use after free issue.

- f2fs_iget
 - do_read_inode
  - f2fs_init_read_extent_tree
  : add largest extent entry in to cache
					- shrink
					 - f2fs_shrink_read_extent_tree
					  - __shrink_extent_tree
					   - __detach_extent_node
					   : drop largest extent entry
  - sanity_check_extent_cache
  : access et->largest w/o lock

let's refactor sanity_check_extent_cache() to avoid extent cache access
and call it before f2fs_init_read_extent_tree() to fix this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44941

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44942
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

syzbot reports a f2fs bug as below:

------------[ cut here ]------------
kernel BUG at fs/f2fs/inline.c:258!
CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0
RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258
Call Trace:
 f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834
 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]
 __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]
 f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315
 do_writepages+0x35b/0x870 mm/page-writeback.c:2612
 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650
 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941
 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117
 wb_do_writeback fs/fs-writeback.c:2264 [inline]
 wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
 kthread+0x2f2/0x390 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The root cause is: inline_data inode can be fuzzed, so that there may
be valid blkaddr in its direct node, once f2fs triggers background GC
to migrate the block, it will hit f2fs_bug_on() during dirty page
writeback.

Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC,
so that, it can forbid migrating inline_data inode's data block for
fixing.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44942

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44943
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: gup: stop abusing try_grab_folio

A kernel warning was reported when pinning folio in CMA memory when
launching SEV virtual machine.  The splat looks like:

[  464.325306] WARNING: CPU: 13 PID: 6734 at mm/gup.c:1313 __get_user_pages+0x423/0x520
[  464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: loaded Not tainted 6.6.33+ #6
[  464.325477] RIP: 0010:__get_user_pages+0x423/0x520
[  464.325515] Call Trace:
[  464.325520]  <TASK>
[  464.325523]  ? __get_user_pages+0x423/0x520
[  464.325528]  ? __warn+0x81/0x130
[  464.325536]  ? __get_user_pages+0x423/0x520
[  464.325541]  ? report_bug+0x171/0x1a0
[  464.325549]  ? handle_bug+0x3c/0x70
[  464.325554]  ? exc_invalid_op+0x17/0x70
[  464.325558]  ? asm_exc_invalid_op+0x1a/0x20
[  464.325567]  ? __get_user_pages+0x423/0x520
[  464.325575]  __gup_longterm_locked+0x212/0x7a0
[  464.325583]  internal_get_user_pages_fast+0xfb/0x190
[  464.325590]  pin_user_pages_fast+0x47/0x60
[  464.325598]  sev_pin_memory+0xca/0x170 [kvm_amd]
[  464.325616]  sev_mem_enc_register_region+0x81/0x130 [kvm_amd]

Per the analysis done by yangge, when starting the SEV virtual machine, it
will call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin the memory. 
But the page is in CMA area, so fast GUP will fail then fallback to the
slow path due to the longterm pinnalbe check in try_grab_folio().

The slow path will try to pin the pages then migrate them out of CMA area.
But the slow path also uses try_grab_folio() to pin the page, it will
also fail due to the same check then the above warning is triggered.

In addition, the try_grab_folio() is supposed to be used in fast path and
it elevates folio refcount by using add ref unless zero.  We are guaranteed
to have at least one stable reference in slow path, so the simple atomic add
could be used.  The performance difference should be trivial, but the
misuse may be confusing and misleading.

Redefined try_grab_folio() to try_grab_folio_fast(), and try_grab_page()
to try_grab_folio(), and use them in the proper paths.  This solves both
the abuse and the kernel warning.

The proper naming makes their usecase more clear and should prevent from
abusing in the future.

peterx said:

: The user will see the pin fails, for gpu-slow it further triggers the WARN
: right below that failure (as in the original report):
: 
:         folio = try_grab_folio(page, page_increm - 1,
:                                 foll_flags);
:         if (WARN_ON_ONCE(!folio)) { <------------------------ here
:                 /*
:                         * Release the 1st page ref if the
:                         * folio is problematic, fail hard.
:                         */
:                 gup_put_folio(page_folio(page), 1,
:                                 foll_flags);
:                 ret = -EFAULT;
:                 goto out;
:         }

[1] https://lore.kernel.org/linux-mm/1719478388-31917-1-git-send-email-yangge1116@126.com/

[shy828301@gmail.com: fix implicit declaration of function try_grab_folio_fast]
  Link: https://lkml.kernel.org/r/CAHbLzkowMSso-4Nufc9hcMehQsK9PNz3OSu-+eniU-2Mm-xjhA@mail.gmail.com
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44943

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44944
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: use helper function to calculate expect ID

Delete expectation path is missing a call to the nf_expect_get_id()
helper function to calculate the expectation ID, otherwise LSB of the
expectation object address is leaked to userspace.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44944

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44945
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink: Initialise extack before use in ACKs

Add missing extack initialisation when ACKing BATCH_BEGIN and BATCH_END.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44945

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44946
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

kcm: Serialise kcm_sendmsg() for the same socket.

syzkaller reported UAF in kcm_release(). [0]

The scenario is

  1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb.

  2. Thread A resumes building skb from kcm->seq_skb but is blocked
     by sk_stream_wait_memory()

  3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb
     and puts the skb to the write queue

  4. Thread A faces an error and finally frees skb that is already in the
     write queue

  5. kcm_release() does double-free the skb in the write queue

When a thread is building a MSG_MORE skb, another thread must not touch it.

Let's add a per-sk mutex and serialise kcm_sendmsg().

[0]:
BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]
BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]
BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]
BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]
BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691
Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167

CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G    B              6.8.0-rc5-syzkaller-g9abbc24128bc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x178/0x518 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __skb_unlink include/linux/skbuff.h:2366 [inline]
 __skb_dequeue include/linux/skbuff.h:2385 [inline]
 __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]
 __skb_queue_purge include/linux/skbuff.h:3181 [inline]
 kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691
 __sock_release net/socket.c:659 [inline]
 sock_close+0xa4/0x1e8 net/socket.c:1421
 __fput+0x30c/0x738 fs/file_table.c:376
 ____fput+0x20/0x30 fs/file_table.c:404
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x618/0x1f64 kernel/exit.c:871
 do_group_exit+0x194/0x22c kernel/exit.c:1020
 get_signal+0x1500/0x15ec kernel/signal.c:2893
 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249
 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Allocated by task 6166:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626
 unpoison_slab_object mm/kasan/common.c:314 [inline]
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903
 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641
 alloc_skb include/linux/skbuff.h:1296 [inline]
 kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 sock_sendmsg+0x220/0x2c0 net/socket.c:768
 splice_to_socket+0x7cc/0xd58 fs/splice.c:889
 do_splice_from fs/splice.c:941 [inline]
 direct_splice_actor+0xec/0x1d8 fs/splice.c:1164
 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108
 do_splice_direct_actor 
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44946

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44947
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fuse: Initialize beyond-EOF page contents before setting uptodate

fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
zeroing (because it can be used to change partial page contents).

So fuse_notify_store() must be more careful to fully initialize page
contents (including parts of the page that are beyond end-of-file)
before marking the page uptodate.

The current code can leave beyond-EOF page contents uninitialized, which
makes these uninitialized page contents visible to userspace via mmap().

This is an information leak, but only affects systems which do not
enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
corresponding kernel command line parameter).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44947

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44949
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

parisc: fix a possible DMA corruption

ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may be
possible that two unrelated 16-byte allocations share a cache line. If
one of these allocations is written using DMA and the other is written
using cached write, the value that was written with DMA may be
corrupted.

This commit changes ARCH_DMA_MINALIGN to be 128 on PA20 and 32 on PA1.1 -
that's the largest possible cache line size.

As different parisc microarchitectures have different cache line size, we
define arch_slab_minalign(), cache_line_size() and
dma_get_cache_alignment() so that the kernel may tune slab cache
parameters dynamically, based on the detected cache line size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44949

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44950
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: sc16is7xx: fix invalid FIFO access with special register set

When enabling access to the special register set, Receiver time-out and
RHR interrupts can happen. In this case, the IRQ handler will try to read
from the FIFO thru the RHR register at address 0x00, but address 0x00 is
mapped to DLL register, resulting in erroneous FIFO reading.

Call graph example:
    sc16is7xx_startup(): entry
    sc16is7xx_ms_proc(): entry
    sc16is7xx_set_termios(): entry
    sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set
    sc16is7xx_port_irq() entry            --> IIR is 0x0C
    sc16is7xx_handle_rx() entry
    sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is
                               mapped to DLL (LCR=LCR_CONF_MODE_A)
    sc16is7xx_set_baud(): exit --> Restore access to general register set

Fix the problem by claiming the efr_lock mutex when accessing the Special
register set.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44950

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44951
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: sc16is7xx: fix TX fifo corruption

Sometimes, when a packet is received on channel A at almost the same time
as a packet is about to be transmitted on channel B, we observe with a
logic analyzer that the received packet on channel A is transmitted on
channel B. In other words, the Tx buffer data on channel B is corrupted
with data from channel A.

The problem appeared since commit 4409df5866b7 ("serial: sc16is7xx: change
EFR lock to operate on each channels"), which changed the EFR locking to
operate on each channel instead of chip-wise.

This commit has introduced a regression, because the EFR lock is used not
only to protect the EFR registers access, but also, in a very obscure and
undocumented way, to protect access to the data buffer, which is shared by
the Tx and Rx handlers, but also by each channel of the IC.

Fix this regression first by switching to kfifo_out_linear_ptr() in
sc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer.

Secondly, replace the chip-wise Rx buffer with a separate Rx buffer for
each channel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44953
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix deadlock during RTC update

There is a deadlock when runtime suspend waits for the flush of RTC work,
and the RTC work calls ufshcd_rpm_get_sync() to wait for runtime resume.

Here is deadlock backtrace:

kworker/0:1     D 4892.876354 10 10971 4859 0x4208060 0x8 10 0 120 670730152367
ptr            f0ffff80c2e40000 0 1 0x00000001 0x000000ff 0x000000ff 0x000000ff
<ffffffee5e71ddb0> __switch_to+0x1a8/0x2d4
<ffffffee5e71e604> __schedule+0x684/0xa98
<ffffffee5e71ea60> schedule+0x48/0xc8
<ffffffee5e725f78> schedule_timeout+0x48/0x170
<ffffffee5e71fb74> do_wait_for_common+0x108/0x1b0
<ffffffee5e71efe0> wait_for_completion+0x44/0x60
<ffffffee5d6de968> __flush_work+0x39c/0x424
<ffffffee5d6decc0> __cancel_work_sync+0xd8/0x208
<ffffffee5d6dee2c> cancel_delayed_work_sync+0x14/0x28
<ffffffee5e2551b8> __ufshcd_wl_suspend+0x19c/0x480
<ffffffee5e255fb8> ufshcd_wl_runtime_suspend+0x3c/0x1d4
<ffffffee5dffd80c> scsi_runtime_suspend+0x78/0xc8
<ffffffee5df93580> __rpm_callback+0x94/0x3e0
<ffffffee5df90b0c> rpm_suspend+0x2d4/0x65c
<ffffffee5df91448> __pm_runtime_suspend+0x80/0x114
<ffffffee5dffd95c> scsi_runtime_idle+0x38/0x6c
<ffffffee5df912f4> rpm_idle+0x264/0x338
<ffffffee5df90f14> __pm_runtime_idle+0x80/0x110
<ffffffee5e24ce44> ufshcd_rtc_work+0x128/0x1e4
<ffffffee5d6e3a40> process_one_work+0x26c/0x650
<ffffffee5d6e65c8> worker_thread+0x260/0x3d8
<ffffffee5d6edec8> kthread+0x110/0x134
<ffffffee5d616b18> ret_from_fork+0x10/0x20

Skip updating RTC if RPM state is not RPM_ACTIVE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44953

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44954
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: line6: Fix racy access to midibuf

There can be concurrent accesses to line6 midibuf from both the URB
completion callback and the rawmidi API access.  This could be a cause
of KMSAN warning triggered by syzkaller below (so put as reported-by
here).

This patch protects the midibuf call of the former code path with a
spinlock for avoiding the possible races.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44954

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44955
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Don't refer to dc_sink in is_dsc_need_re_compute

[Why]
When unplug one of monitors connected after mst hub, encounter null pointer dereference.

It's due to dc_sink get released immediately in early_unregister() or detect_ctx(). When
commit new state which directly referring to info stored in dc_sink will cause null pointer
dereference.

[how]
Remove redundant checking condition. Relevant condition should already be covered by checking
if dsc_aux is null or not. Also reset dsc_aux to NULL when the connector is disconnected.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44955

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44956
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe/preempt_fence: enlarge the fence critical section

It is really easy to introduce subtle deadlocks in
preempt_fence_work_func() since we operate on single global ordered-wq
for signalling our preempt fences behind the scenes, so even though we
signal a particular fence, everything in the callback should be in the
fence critical section, since blocking in the callback will prevent
other published fences from signalling. If we enlarge the fence critical
section to cover the entire callback, then lockdep should be able to
understand this better, and complain if we grab a sensitive lock like
vm->lock, which is also held when waiting on preempt fences.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44956

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44957
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xen: privcmd: Switch from mutex to spinlock for irqfds

irqfd_wakeup() gets EPOLLHUP, when it is called by
eventfd_release() by way of wake_up_poll(&ctx->wqh, EPOLLHUP), which
gets called under spin_lock_irqsave(). We can't use a mutex here as it
will lead to a deadlock.

Fix it by switching over to a spin lock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44957

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44958
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sched/smt: Fix unbalance sched_smt_present dec/inc

I got the following warn report while doing stress test:

jump label: negative count!
WARNING: CPU: 3 PID: 38 at kernel/jump_label.c:263 static_key_slow_try_dec+0x9d/0xb0
Call Trace:
 <TASK>
 __static_key_slow_dec_cpuslocked+0x16/0x70
 sched_cpu_deactivate+0x26e/0x2a0
 cpuhp_invoke_callback+0x3ad/0x10d0
 cpuhp_thread_fun+0x3f5/0x680
 smpboot_thread_fn+0x56d/0x8d0
 kthread+0x309/0x400
 ret_from_fork+0x41/0x70
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Because when cpuset_cpu_inactive() fails in sched_cpu_deactivate(),
the cpu offline failed, but sched_smt_present is decremented before
calling sched_cpu_deactivate(), it leads to unbalanced dec/inc, so
fix it by incrementing sched_smt_present in the error path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44958

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44959
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracefs: Use generic inode RCU for synchronizing freeing

With structure layout randomization enabled for 'struct inode' we need to
avoid overlapping any of the RCU-used / initialized-only-once members,
e.g. i_lru or i_sb_list to not corrupt related list traversals when making
use of the rcu_head.

For an unlucky structure layout of 'struct inode' we may end up with the
following splat when running the ftrace selftests:

[<...>] list_del corruption, ffff888103ee2cb0->next (tracefs_inode_cache+0x0/0x4e0 [slab object]) is NULL (prev is tracefs_inode_cache+0x78/0x4e0 [slab object])
[<...>] ------------[ cut here ]------------
[<...>] kernel BUG at lib/list_debug.c:54!
[<...>] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[<...>] CPU: 3 PID: 2550 Comm: mount Tainted: G                 N  6.8.12-grsec+ #122 ed2f536ca62f28b087b90e3cc906a8d25b3ddc65
[<...>] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
[<...>] RIP: 0010:[<ffffffff84656018>] __list_del_entry_valid_or_report+0x138/0x3e0
[<...>] Code: 48 b8 99 fb 65 f2 ff ff ff ff e9 03 5c d9 fc cc 48 b8 99 fb 65 f2 ff ff ff ff e9 33 5a d9 fc cc 48 b8 99 fb 65 f2 ff ff ff ff <0f> 0b 4c 89 e9 48 89 ea 48 89 ee 48 c7 c7 60 8f dd 89 31 c0 e8 2f
[<...>] RSP: 0018:fffffe80416afaf0 EFLAGS: 00010283
[<...>] RAX: 0000000000000098 RBX: ffff888103ee2cb0 RCX: 0000000000000000
[<...>] RDX: ffffffff84655fe8 RSI: ffffffff89dd8b60 RDI: 0000000000000001
[<...>] RBP: ffff888103ee2cb0 R08: 0000000000000001 R09: fffffbd0082d5f25
[<...>] R10: fffffe80416af92f R11: 0000000000000001 R12: fdf99c16731d9b6d
[<...>] R13: 0000000000000000 R14: ffff88819ad4b8b8 R15: 0000000000000000
[<...>] RBX: tracefs_inode_cache+0x0/0x4e0 [slab object]
[<...>] RDX: __list_del_entry_valid_or_report+0x108/0x3e0
[<...>] RSI: __func__.47+0x4340/0x4400
[<...>] RBP: tracefs_inode_cache+0x0/0x4e0 [slab object]
[<...>] RSP: process kstack fffffe80416afaf0+0x7af0/0x8000 [mount 2550 2550]
[<...>] R09: kasan shadow of process kstack fffffe80416af928+0x7928/0x8000 [mount 2550 2550]
[<...>] R10: process kstack fffffe80416af92f+0x792f/0x8000 [mount 2550 2550]
[<...>] R14: tracefs_inode_cache+0x78/0x4e0 [slab object]
[<...>] FS:  00006dcb380c1840(0000) GS:ffff8881e0600000(0000) knlGS:0000000000000000
[<...>] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[<...>] CR2: 000076ab72b30e84 CR3: 000000000b088004 CR4: 0000000000360ef0 shadow CR4: 0000000000360ef0
[<...>] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[<...>] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[<...>] ASID: 0003
[<...>] Stack:
[<...>]  ffffffff818a2315 00000000f5c856ee ffffffff896f1840 ffff888103ee2cb0
[<...>]  ffff88812b6b9750 0000000079d714b6 fffffbfff1e9280b ffffffff8f49405f
[<...>]  0000000000000001 0000000000000000 ffff888104457280 ffffffff8248b392
[<...>] Call Trace:
[<...>]  <TASK>
[<...>]  [<ffffffff818a2315>] ? lock_release+0x175/0x380 fffffe80416afaf0
[<...>]  [<ffffffff8248b392>] list_lru_del+0x152/0x740 fffffe80416afb48
[<...>]  [<ffffffff8248ba93>] list_lru_del_obj+0x113/0x280 fffffe80416afb88
[<...>]  [<ffffffff8940fd19>] ? _atomic_dec_and_lock+0x119/0x200 fffffe80416afb90
[<...>]  [<ffffffff8295b244>] iput_final+0x1c4/0x9a0 fffffe80416afbb8
[<...>]  [<ffffffff8293a52b>] dentry_unlink_inode+0x44b/0xaa0 fffffe80416afbf8
[<...>]  [<ffffffff8293fefc>] __dentry_kill+0x23c/0xf00 fffffe80416afc40
[<...>]  [<ffffffff8953a85f>] ? __this_cpu_preempt_check+0x1f/0xa0 fffffe80416afc48
[<...>]  [<ffffffff82949ce5>] ? shrink_dentry_list+0x1c5/0x760 fffffe80416afc70
[<...>]  [<ffffffff82949b71>] ? shrink_dentry_list+0x51/0x760 fffffe80416afc78
[<...>]  [<ffffffff82949da8>] shrink_dentry_list+0x288/0x760 fffffe80416afc80
[<...>]  [<ffffffff8294ae75>] shrink_dcache_sb+0x155/0x420 fffffe80416afcc8
[<...>]  [<ffffffff8953a7c3>] ? debug_smp_processor_id+0x23/0xa0 fffffe80416afce0
[<...>]  [<ffffffff8294ad20>] ? do_one_tre
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44959

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44960
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: core: Check for unset descriptor

Make sure the descriptor has been set before looking at maxpacket.
This fixes a null pointer panic in this case.

This may happen if the gadget doesn't properly set up the endpoint
for the current speed, or the gadget descriptors are malformed and
the descriptor for the speed/endpoint are not found.

No current gadget driver is known to have this problem, but this
may cause a hard-to-find bug during development of new gadgets.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44960

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44961
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Forward soft recovery errors to userspace

As we discussed before[1], soft recovery should be
forwarded to userspace, or we can get into a really
bad state where apps will keep submitting hanging
command buffers cascading us to a hard reset.

1: https://lore.kernel.org/all/bf23d5ed-9a6b-43e7-84ee-8cbfd0d60f18@froggi.es/
(cherry picked from commit 434967aadbbbe3ad9103cc29e9a327de20fdba01)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44961

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44962
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading

When unload the btnxpuart driver, its associated timer will be deleted.
If the timer happens to be modified at this moment, it leads to the
kernel call this timer even after the driver unloaded, resulting in
kernel panic.
Use timer_shutdown_sync() instead of del_timer_sync() to prevent rearming.

panic log:
  Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP
  Modules linked in: algif_hash algif_skcipher af_alg moal(O) mlan(O) crct10dif_ce polyval_ce polyval_generic   snd_soc_imx_card snd_soc_fsl_asoc_card snd_soc_imx_audmux mxc_jpeg_encdec v4l2_jpeg snd_soc_wm8962 snd_soc_fsl_micfil   snd_soc_fsl_sai flexcan snd_soc_fsl_utils ap130x rpmsg_ctrl imx_pcm_dma can_dev rpmsg_char pwm_fan fuse [last unloaded:   btnxpuart]
  CPU: 5 PID: 723 Comm: memtester Tainted: G           O       6.6.23-lts-next-06207-g4aef2658ac28 #1
  Hardware name: NXP i.MX95 19X19 board (DT)
  pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : 0xffff80007a2cf464
  lr : call_timer_fn.isra.0+0x24/0x80
...
  Call trace:
   0xffff80007a2cf464
   __run_timers+0x234/0x280
   run_timer_softirq+0x20/0x40
   __do_softirq+0x100/0x26c
   ____do_softirq+0x10/0x1c
   call_on_irq_stack+0x24/0x4c
   do_softirq_own_stack+0x1c/0x2c
   irq_exit_rcu+0xc0/0xdc
   el0_interrupt+0x54/0xd8
   __el0_irq_handler_common+0x18/0x24
   el0t_64_irq_handler+0x10/0x1c
   el0t_64_irq+0x190/0x194
  Code: ???????? ???????? ???????? ???????? (????????)
  ---[ end trace 0000000000000000 ]---
  Kernel panic - not syncing: Oops: Fatal exception in interrupt
  SMP: stopping secondary CPUs
  Kernel Offset: disabled
  CPU features: 0x0,c0000000,40028143,1000721b
  Memory Limit: none
  ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44962

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44963
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not BUG_ON() when freeing tree block after error

When freeing a tree block, at btrfs_free_tree_block(), if we fail to
create a delayed reference we don't deal with the error and just do a
BUG_ON(). The error most likely to happen is -ENOMEM, and we have a
comment mentioning that only -ENOMEM can happen, but that is not true,
because in case qgroups are enabled any error returned from
btrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned
from btrfs_search_slot() for example) can be propagated back to
btrfs_free_tree_block().

So stop doing a BUG_ON() and return the error to the callers and make
them abort the transaction to prevent leaking space. Syzbot was
triggering this, likely due to memory allocation failure injection.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44963

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44964
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

idpf: fix memory leaks and crashes while performing a soft reset

The second tagged commit introduced a UAF, as it removed restoring
q_vector->vport pointers after reinitializating the structures.
This is due to that all queue allocation functions are performed here
with the new temporary vport structure and those functions rewrite
the backpointers to the vport. Then, this new struct is freed and
the pointers start leading to nowhere.

But generally speaking, the current logic is very fragile. It claims
to be more reliable when the system is low on memory, but in fact, it
consumes two times more memory as at the moment of running this
function, there are two vports allocated with their queues and vectors.
Moreover, it claims to prevent the driver from running into "bad state",
but in fact, any error during the rebuild leaves the old vport in the
partially allocated state.
Finally, if the interface is down when the function is called, it always
allocates a new queue set, but when the user decides to enable the
interface later on, vport_open() allocates them once again, IOW there's
a clear memory leak here.

Just don't allocate a new queue set when performing a reset, that solves
crashes and memory leaks. Readd the old queue number and reopen the
interface on rollback - that solves limbo states when the device is left
disabled and/or without HW queues enabled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44964

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44965
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Fix pti_clone_pgtable() alignment assumption

Guenter reported dodgy crashes on an i386-nosmp build using GCC-11
that had the form of endless traps until entry stack exhaust and then
#DF from the stack guard.

It turned out that pti_clone_pgtable() had alignment assumptions on
the start address, notably it hard assumes start is PMD aligned. This
is true on x86_64, but very much not true on i386.

These assumptions can cause the end condition to malfunction, leading
to a 'short' clone. Guess what happens when the user mapping has a
short copy of the entry text?

Use the correct increment form for addr to avoid alignment
assumptions.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44965

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44966
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

binfmt_flat: Fix corruption when not offsetting data start

Commit 04d82a6d0881 ("binfmt_flat: allow not offsetting data start")
introduced a RISC-V specific variant of the FLAT format which does
not allocate any space for the (obsolete) array of shared library
pointers. However, it did not disable the code which initializes the
array, resulting in the corruption of sizeof(long) bytes before the DATA
segment, generally the end of the TEXT segment.

Introduce MAX_SHARED_LIBS_UPDATE which depends on the state of
CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET to guard the initialization of
the shared library pointer region so that it will only be initialized
if space is reserved for it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44966

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44967
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/mgag200: Bind I2C lifetime to DRM device

Managed cleanup with devm_add_action_or_reset() will release the I2C
adapter when the underlying Linux device goes away. But the connector
still refers to it, so this cleanup leaves behind a stale pointer
in struct drm_connector.ddc.

Bind the lifetime of the I2C adapter to the connector's lifetime by
using DRM's managed release. When the DRM device goes away (after
the Linux device) DRM will first clean up the connector and then
clean up the I2C adapter.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44967

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44968
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tick/broadcast: Move per CPU pointer access into the atomic section

The recent fix for making the take over of the broadcast timer more
reliable retrieves a per CPU pointer in preemptible context.

This went unnoticed as compilers hoist the access into the non-preemptible
region where the pointer is actually used. But of course it's valid that
the compiler keeps it at the place where the code puts it which rightfully
triggers:

  BUG: using smp_processor_id() in preemptible [00000000] code:
       caller is hotplug_cpu__broadcast_tick_pull+0x1c/0xc0

Move it to the actual usage site which is in a non-preemptible region.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44968

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44969
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/sclp: Prevent release of buffer in I/O

When a task waiting for completion of a Store Data operation is
interrupted, an attempt is made to halt this operation. If this attempt
fails due to a hardware or firmware problem, there is a chance that the
SCLP facility might store data into buffers referenced by the original
operation at a later time.

Handle this situation by not releasing the referenced data buffers if
the halt attempt fails. For current use cases, this might result in a
leak of few pages of memory in case of a rare hardware/firmware
malfunction.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44969

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44970
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

When all the strides in a WQE have been consumed, the WQE is unlinked
from the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible
to receive CQEs with 0 consumed strides for the same WQE even after the
WQE is fully consumed and unlinked. This triggers an additional unlink
for the same wqe which corrupts the linked list.

Fix this scenario by accepting 0 sized consumed strides without
unlinking the WQE again.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44970

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44971
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()

bcm_sf2_mdio_register() calls of_phy_find_device() and then
phy_device_remove() in a loop to remove existing PHY devices.
of_phy_find_device() eventually calls bus_find_device(), which calls
get_device() on the returned struct device * to increment the refcount.
The current implementation does not decrement the refcount, which causes
memory leak.

This commit adds the missing phy_device_free() call to decrement the
refcount via put_device() to balance the refcount.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44971

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44972
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not clear page dirty inside extent_write_locked_range()

[BUG]
For subpage + zoned case, the following workload can lead to rsv data
leak at unmount time:

  # mkfs.btrfs -f -s 4k $dev
  # mount $dev $mnt
  # fsstress -w -n 8 -d $mnt -s 1709539240
  0/0: fiemap - no filename
  0/1: copyrange read - no filename
  0/2: write - no filename
  0/3: rename - no source filename
  0/4: creat f0 x:0 0 0
  0/4: creat add id=0,parent=-1
  0/5: writev f0[259 1 0 0 0 0] [778052,113,965] 0
  0/6: ioctl(FIEMAP) f0[259 1 0 0 224 887097] [1294220,2291618343991484791,0x10000] -1
  0/7: dwrite - xfsctl(XFS_IOC_DIOINFO) f0[259 1 0 0 224 887097] return 25, fallback to stat()
  0/7: dwrite f0[259 1 0 0 224 887097] [696320,102400] 0
  # umount $mnt

The dmesg includes the following rsv leak detection warning (all call
trace skipped):

  ------------[ cut here ]------------
  WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8653 btrfs_destroy_inode+0x1e0/0x200 [btrfs]
  ---[ end trace 0000000000000000 ]---
  ------------[ cut here ]------------
  WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8654 btrfs_destroy_inode+0x1a8/0x200 [btrfs]
  ---[ end trace 0000000000000000 ]---
  ------------[ cut here ]------------
  WARNING: CPU: 2 PID: 4528 at fs/btrfs/inode.c:8660 btrfs_destroy_inode+0x1a0/0x200 [btrfs]
  ---[ end trace 0000000000000000 ]---
  BTRFS info (device sda): last unmount of filesystem 1b4abba9-de34-4f07-9e7f-157cf12a18d6
  ------------[ cut here ]------------
  WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs]
  ---[ end trace 0000000000000000 ]---
  BTRFS info (device sda): space_info DATA has 268218368 free, is not full
  BTRFS info (device sda): space_info total=268435456, used=204800, pinned=0, reserved=0, may_use=12288, readonly=0 zone_unusable=0
  BTRFS info (device sda): global_block_rsv: size 0 reserved 0
  BTRFS info (device sda): trans_block_rsv: size 0 reserved 0
  BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0
  BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0
  BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0
  ------------[ cut here ]------------
  WARNING: CPU: 3 PID: 4528 at fs/btrfs/block-group.c:4434 btrfs_free_block_groups+0x338/0x500 [btrfs]
  ---[ end trace 0000000000000000 ]---
  BTRFS info (device sda): space_info METADATA has 267796480 free, is not full
  BTRFS info (device sda): space_info total=268435456, used=131072, pinned=0, reserved=0, may_use=262144, readonly=0 zone_unusable=245760
  BTRFS info (device sda): global_block_rsv: size 0 reserved 0
  BTRFS info (device sda): trans_block_rsv: size 0 reserved 0
  BTRFS info (device sda): chunk_block_rsv: size 0 reserved 0
  BTRFS info (device sda): delayed_block_rsv: size 0 reserved 0
  BTRFS info (device sda): delayed_refs_rsv: size 0 reserved 0

Above $dev is a tcmu-runner emulated zoned HDD, which has a max zone
append size of 64K, and the system has 64K page size.

[CAUSE]
I have added several trace_printk() to show the events (header skipped):

  > btrfs_dirty_pages: r/i=5/259 dirty start=774144 len=114688
  > btrfs_dirty_pages: r/i=5/259 dirty part of page=720896 off_in_page=53248 len_in_page=12288
  > btrfs_dirty_pages: r/i=5/259 dirty part of page=786432 off_in_page=0 len_in_page=65536
  > btrfs_dirty_pages: r/i=5/259 dirty part of page=851968 off_in_page=0 len_in_page=36864

The above lines show our buffered write has dirtied 3 pages of inode
259 of root 5:

  704K             768K              832K              896K
  I           |////I/////////////////I///////////|     I
              756K                               868K

  |///| is the dirtied range using subpage bitmaps. and 'I' is the page
  boundary.

  Meanwhile all three pages (704K, 768K, 832K) have their PageDirty
  flag set.

  > btrfs_direct_write: r/i=5/259 start dio filepos=696320 len=102400

Then direct IO writ
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44972

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44973
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm, slub: do not call do_slab_free for kfence object

In 782f8906f805 the freeing of kfence objects was moved from deep
inside do_slab_free to the wrapper functions outside. This is a nice
change, but unfortunately it missed one spot in __kmem_cache_free_bulk.

This results in a crash like this:

BUG skbuff_head_cache (Tainted: G S  B       E     ): Padding overwritten. 0xffff88907fea0f00-0xffff88907fea0fff @offset=3840

slab_err (mm/slub.c:1129)
free_to_partial_list (mm/slub.c:? mm/slub.c:4036)
slab_pad_check (mm/slub.c:864 mm/slub.c:1290)
check_slab (mm/slub.c:?)
free_to_partial_list (mm/slub.c:3171 mm/slub.c:4036)
kmem_cache_alloc_bulk (mm/slub.c:? mm/slub.c:4495 mm/slub.c:4586 mm/slub.c:4635)
napi_build_skb (net/core/skbuff.c:348 net/core/skbuff.c:527 net/core/skbuff.c:549)

All the other callers to do_slab_free appear to be ok.

Add a kfence_free check in __kmem_cache_free_bulk to avoid the crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44973

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44974
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: avoid possible UaF when selecting endp

select_local_address() and select_signal_address() both select an
endpoint entry from the list inside an RCU protected section, but return
a reference to it, to be read later on. If the entry is dereferenced
after the RCU unlock, reading info could cause a Use-after-Free.

A simple solution is to copy the required info while inside the RCU
protected section to avoid any risk of UaF later. The address ID might
need to be modified later to handle the ID0 case later, so a copy seems
OK to deal with.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44974

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44975
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cgroup/cpuset: fix panic caused by partcmd_update

We find a bug as below:
BUG: unable to handle page fault for address: 00000003
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 358 Comm: bash Tainted: G        W I        6.6.0-10893-g60d6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/4
RIP: 0010:partition_sched_domains_locked+0x483/0x600
Code: 01 48 85 d2 74 0d 48 83 05 29 3f f8 03 01 f3 48 0f bc c2 89 c0 48 9
RSP: 0018:ffffc90000fdbc58 EFLAGS: 00000202
RAX: 0000000100000003 RBX: ffff888100b3dfa0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000002fe80
RBP: ffff888100b3dfb0 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc90000fdbcb0 R11: 0000000000000004 R12: 0000000000000002
R13: ffff888100a92b48 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f44a5425740(0000) GS:ffff888237d80000(0000) knlGS:0000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000100030973 CR3: 000000010722c000 CR4: 00000000000006e0
Call Trace:
 <TASK>
 ? show_regs+0x8c/0xa0
 ? __die_body+0x23/0xa0
 ? __die+0x3a/0x50
 ? page_fault_oops+0x1d2/0x5c0
 ? partition_sched_domains_locked+0x483/0x600
 ? search_module_extables+0x2a/0xb0
 ? search_exception_tables+0x67/0x90
 ? kernelmode_fixup_or_oops+0x144/0x1b0
 ? __bad_area_nosemaphore+0x211/0x360
 ? up_read+0x3b/0x50
 ? bad_area_nosemaphore+0x1a/0x30
 ? exc_page_fault+0x890/0xd90
 ? __lock_acquire.constprop.0+0x24f/0x8d0
 ? __lock_acquire.constprop.0+0x24f/0x8d0
 ? asm_exc_page_fault+0x26/0x30
 ? partition_sched_domains_locked+0x483/0x600
 ? partition_sched_domains_locked+0xf0/0x600
 rebuild_sched_domains_locked+0x806/0xdc0
 update_partition_sd_lb+0x118/0x130
 cpuset_write_resmask+0xffc/0x1420
 cgroup_file_write+0xb2/0x290
 kernfs_fop_write_iter+0x194/0x290
 new_sync_write+0xeb/0x160
 vfs_write+0x16f/0x1d0
 ksys_write+0x81/0x180
 __x64_sys_write+0x21/0x30
 x64_sys_call+0x2f25/0x4630
 do_syscall_64+0x44/0xb0
 entry_SYSCALL_64_after_hwframe+0x78/0xe2
RIP: 0033:0x7f44a553c887

It can be reproduced with cammands:
cd /sys/fs/cgroup/
mkdir test
cd test/
echo +cpuset > ../cgroup.subtree_control
echo root > cpuset.cpus.partition
cat /sys/fs/cgroup/cpuset.cpus.effective
0-3
echo 0-3 > cpuset.cpus // taking away all cpus from root

This issue is caused by the incorrect rebuilding of scheduling domains.
In this scenario, test/cpuset.cpus.partition should be an invalid root
and should not trigger the rebuilding of scheduling domains. When calling
update_parent_effective_cpumask with partcmd_update, if newmask is not
null, it should recheck newmask whether there are cpus is available
for parect/cs that has tasks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44975

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44976
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ata: pata_macio: Fix DMA table overflow

Kolbjørn and Jonáš reported that their 32-bit PowerMacs were crashing
in pata-macio since commit 09fe2bfa6b83 ("ata: pata_macio: Fix
max_segment_size with PAGE_SIZE == 64K").

For example:

  kernel BUG at drivers/ata/pata_macio.c:544!
  Oops: Exception in kernel mode, sig: 5 [#1]
  BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac
  ...
  NIP pata_macio_qc_prep+0xf4/0x190
  LR  pata_macio_qc_prep+0xfc/0x190
  Call Trace:
    0xc1421660 (unreliable)
    ata_qc_issue+0x14c/0x2d4
    __ata_scsi_queuecmd+0x200/0x53c
    ata_scsi_queuecmd+0x50/0xe0
    scsi_queue_rq+0x788/0xb1c
    __blk_mq_issue_directly+0x58/0xf4
    blk_mq_plug_issue_direct+0x8c/0x1b4
    blk_mq_flush_plug_list.part.0+0x584/0x5e0
    __blk_flush_plug+0xf8/0x194
    __submit_bio+0x1b8/0x2e0
    submit_bio_noacct_nocheck+0x230/0x304
    btrfs_work_helper+0x200/0x338
    process_one_work+0x1a8/0x338
    worker_thread+0x364/0x4c0
    kthread+0x100/0x104
    start_kernel_thread+0x10/0x14

That commit increased max_segment_size to 64KB, with the justification
that the SCSI core was already using that size when PAGE_SIZE == 64KB,
and that there was existing logic to split over-sized requests.

However with a sufficiently large request, the splitting logic causes
each sg to be split into two commands in the DMA table, leading to
overflow of the DMA table, triggering the BUG_ON().

With default settings the bug doesn't trigger, because the request size
is limited by max_sectors_kb == 1280, however max_sectors_kb can be
increased, and apparently some distros do that by default using udev
rules.

Fix the bug for 4KB kernels by reverting to the old max_segment_size.

For 64KB kernels the sg_tablesize needs to be halved, to allow for the
possibility that each sg will be split into two.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44976

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44977
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Validate TA binary size

Add TA binary size validation to avoid OOB write.

(cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44977

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44978
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Free job before xe_exec_queue_put

Free job depends on job->vm being valid, the last xe_exec_queue_put can
destroy the VM. Prevent UAF by freeing job before xe_exec_queue_put.

(cherry picked from commit 32a42c93b74c8ca6d0915ea3eba21bceff53042f)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44978

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44979
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix missing workqueue destroy in xe_gt_pagefault

On driver reload we never free up the memory for the pagefault and
access counter workqueues. Add those destroy calls here.

(cherry picked from commit 7586fc52b14e0b8edd0d1f8a434e0de2078b7b2b)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44979

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44980
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix opregion leak

Being part o the display, ideally the setup and cleanup would be done by
display itself. However this is a bigger refactor that needs to be done
on both i915 and xe. For now, just fix the leak:

unreferenced object 0xffff8881a0300008 (size 192):
  comm "modprobe", pid 4354, jiffies 4295647021
  hex dump (first 32 bytes):
    00 00 87 27 81 88 ff ff 18 80 9b 00 00 c9 ff ff  ...'............
    18 81 9b 00 00 c9 ff ff 00 00 00 00 00 00 00 00  ................
  backtrace (crc 99260e31):
    [<ffffffff823ce65b>] kmemleak_alloc+0x4b/0x80
    [<ffffffff81493be2>] kmalloc_trace_noprof+0x312/0x3d0
    [<ffffffffa1345679>] intel_opregion_setup+0x89/0x700 [xe]
    [<ffffffffa125bfaf>] xe_display_init_noirq+0x2f/0x90 [xe]
    [<ffffffffa1199ec3>] xe_device_probe+0x7a3/0xbf0 [xe]
    [<ffffffffa11f3713>] xe_pci_probe+0x333/0x5b0 [xe]
    [<ffffffff81af6be8>] local_pci_probe+0x48/0xb0
    [<ffffffff81af8778>] pci_device_probe+0xc8/0x280
    [<ffffffff81d09048>] really_probe+0xf8/0x390
    [<ffffffff81d0937a>] __driver_probe_device+0x8a/0x170
    [<ffffffff81d09503>] driver_probe_device+0x23/0xb0
    [<ffffffff81d097b7>] __driver_attach+0xc7/0x190
    [<ffffffff81d0628d>] bus_for_each_dev+0x7d/0xd0
    [<ffffffff81d0851e>] driver_attach+0x1e/0x30
    [<ffffffff81d07ac7>] bus_add_driver+0x117/0x250

(cherry picked from commit 6f4e43a2f771b737d991142ec4f6d4b7ff31fbb4)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44980

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44981
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

workqueue: Fix UBSAN 'subtraction overflow' error in shift_and_mask()

UBSAN reports the following 'subtraction overflow' error when booting
in a virtual machine on Android:

 | Internal error: UBSAN: integer subtraction overflow: 00000000f2005515 [#1] PREEMPT SMP
 | Modules linked in:
 | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-00006-g3cbe9e5abd46-dirty #4
 | Hardware name: linux,dummy-virt (DT)
 | pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 | pc : cancel_delayed_work+0x34/0x44
 | lr : cancel_delayed_work+0x2c/0x44
 | sp : ffff80008002ba60
 | x29: ffff80008002ba60 x28: 0000000000000000 x27: 0000000000000000
 | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
 | x23: 0000000000000000 x22: 0000000000000000 x21: ffff1f65014cd3c0
 | x20: ffffc0e84c9d0da0 x19: ffffc0e84cab3558 x18: ffff800080009058
 | x17: 00000000247ee1f8 x16: 00000000247ee1f8 x15: 00000000bdcb279d
 | x14: 0000000000000001 x13: 0000000000000075 x12: 00000a0000000000
 | x11: ffff1f6501499018 x10: 00984901651fffff x9 : ffff5e7cc35af000
 | x8 : 0000000000000001 x7 : 3d4d455453595342 x6 : 000000004e514553
 | x5 : ffff1f6501499265 x4 : ffff1f650ff60b10 x3 : 0000000000000620
 | x2 : ffff80008002ba78 x1 : 0000000000000000 x0 : 0000000000000000
 | Call trace:
 |  cancel_delayed_work+0x34/0x44
 |  deferred_probe_extend_timeout+0x20/0x70
 |  driver_register+0xa8/0x110
 |  __platform_driver_register+0x28/0x3c
 |  syscon_init+0x24/0x38
 |  do_one_initcall+0xe4/0x338
 |  do_initcall_level+0xac/0x178
 |  do_initcalls+0x5c/0xa0
 |  do_basic_setup+0x20/0x30
 |  kernel_init_freeable+0x8c/0xf8
 |  kernel_init+0x28/0x1b4
 |  ret_from_fork+0x10/0x20
 | Code: f9000fbf 97fffa2f 39400268 37100048 (d42aa2a0)
 | ---[ end trace 0000000000000000 ]---
 | Kernel panic - not syncing: UBSAN: integer subtraction overflow: Fatal exception

This is due to shift_and_mask() using a signed immediate to construct
the mask and being called with a shift of 31 (WORK_OFFQ_POOL_SHIFT) so
that it ends up decrementing from INT_MIN.

Use an unsigned constant '1U' to generate the mask in shift_and_mask().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44981

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44982
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails

If the dpu_format_populate_layout() fails, then FB is prepared, but not
cleaned up. This ends up leaking the pin_count on the GEM object and
causes a splat during DRM file closure:

msm_obj->pin_count
WARNING: CPU: 2 PID: 569 at drivers/gpu/drm/msm/msm_gem.c:121 update_lru_locked+0xc4/0xcc
[...]
Call trace:
 update_lru_locked+0xc4/0xcc
 put_pages+0xac/0x100
 msm_gem_free_object+0x138/0x180
 drm_gem_object_free+0x1c/0x30
 drm_gem_object_handle_put_unlocked+0x108/0x10c
 drm_gem_object_release_handle+0x58/0x70
 idr_for_each+0x68/0xec
 drm_gem_release+0x28/0x40
 drm_file_free+0x174/0x234
 drm_release+0xb0/0x160
 __fput+0xc0/0x2c8
 __fput_sync+0x50/0x5c
 __arm64_sys_close+0x38/0x7c
 invoke_syscall+0x48/0x118
 el0_svc_common.constprop.0+0x40/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x4c/0x120
 el0t_64_sync_handler+0x100/0x12c
 el0t_64_sync+0x190/0x194
irq event stamp: 129818
hardirqs last  enabled at (129817): [<ffffa5f6d953fcc0>] console_unlock+0x118/0x124
hardirqs last disabled at (129818): [<ffffa5f6da7dcf04>] el1_dbg+0x24/0x8c
softirqs last  enabled at (129808): [<ffffa5f6d94afc18>] handle_softirqs+0x4c8/0x4e8
softirqs last disabled at (129785): [<ffffa5f6d94105e4>] __do_softirq+0x14/0x20

Patchwork: https://patchwork.freedesktop.org/patch/600714/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44982

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44983
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable: validate vlan header

Ensure there is sufficient room to access the protocol field of the
VLAN header, validate it once before the flowtable lookup.

=====================================================
BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32
 nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]
 nf_ingress net/core/dev.c:5440 [inline]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44983

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44984
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix double DMA unmapping for XDP_REDIRECT

Remove the dma_unmap_page_attrs() call in the driver's XDP_REDIRECT
code path.  This should have been removed when we let the page pool
handle the DMA mapping.  This bug causes the warning:

WARNING: CPU: 7 PID: 59 at drivers/iommu/dma-iommu.c:1198 iommu_dma_unmap_page+0xd5/0x100
CPU: 7 PID: 59 Comm: ksoftirqd/7 Tainted: G        W          6.8.0-1010-gcp #11-Ubuntu
Hardware name: Dell Inc. PowerEdge R7525/0PYVT1, BIOS 2.15.2 04/02/2024
RIP: 0010:iommu_dma_unmap_page+0xd5/0x100
Code: 89 ee 48 89 df e8 cb f2 69 ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 31 f6 31 ff 45 31 c0 e9 ab 17 71 00 <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9
RSP: 0018:ffffab1fc0597a48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff99ff838280c8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffab1fc0597a78 R08: 0000000000000002 R09: ffffab1fc0597c1c
R10: ffffab1fc0597cd3 R11: ffff99ffe375acd8 R12: 00000000e65b9000
R13: 0000000000000050 R14: 0000000000001000 R15: 0000000000000002
FS:  0000000000000000(0000) GS:ffff9a06efb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000565c34c37210 CR3: 00000005c7e3e000 CR4: 0000000000350ef0
? show_regs+0x6d/0x80
? __warn+0x89/0x150
? iommu_dma_unmap_page+0xd5/0x100
? report_bug+0x16a/0x190
? handle_bug+0x51/0xa0
? exc_invalid_op+0x18/0x80
? iommu_dma_unmap_page+0xd5/0x100
? iommu_dma_unmap_page+0x35/0x100
dma_unmap_page_attrs+0x55/0x220
? bpf_prog_4d7e87c0d30db711_xdp_dispatcher+0x64/0x9f
bnxt_rx_xdp+0x237/0x520 [bnxt_en]
bnxt_rx_pkt+0x640/0xdd0 [bnxt_en]
__bnxt_poll_work+0x1a1/0x3d0 [bnxt_en]
bnxt_poll+0xaa/0x1e0 [bnxt_en]
__napi_poll+0x33/0x1e0
net_rx_action+0x18a/0x2f0
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44984

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44985
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent possible UAF in ip6_xmit()

If skb_expand_head() returns NULL, skb has been freed
and the associated dst/idev could also have been freed.

We must use rcu_read_lock() to prevent a possible UAF.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44985

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44986
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix possible UAF in ip6_finish_output2()

If skb_expand_head() returns NULL, skb has been freed
and associated dst/idev could also have been freed.

We need to hold rcu_read_lock() to make sure the dst and
associated idev are alive.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44986

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44987
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent UAF in ip6_send_skb()

syzbot reported an UAF in ip6_send_skb() [1]

After ip6_local_out() has returned, we no longer can safely
dereference rt, unless we hold rcu_read_lock().

A similar issue has been fixed in commit
a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")

Another potential issue in ip6_finish_output2() is handled in a
separate patch.

[1]
 BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530

CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
  __dump_stack lib/dump_stack.c:93 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
  print_address_description mm/kasan/report.c:377 [inline]
  print_report+0x169/0x550 mm/kasan/report.c:488
  kasan_report+0x143/0x180 mm/kasan/report.c:601
  ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
  rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
  rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x1a6/0x270 net/socket.c:745
  sock_write_iter+0x2dd/0x400 net/socket.c:1160
 do_iter_readv_writev+0x60a/0x890
  vfs_writev+0x37c/0xbb0 fs/read_write.c:971
  do_writev+0x1b1/0x350 fs/read_write.c:1018
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f936bf79e79
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79
RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8
 </TASK>

Allocated by task 6530:
  kasan_save_stack mm/kasan/common.c:47 [inline]
  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
  unpoison_slab_object mm/kasan/common.c:312 [inline]
  __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
  kasan_slab_alloc include/linux/kasan.h:201 [inline]
  slab_post_alloc_hook mm/slub.c:3988 [inline]
  slab_alloc_node mm/slub.c:4037 [inline]
  kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
  dst_alloc+0x12b/0x190 net/core/dst.c:89
  ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670
  make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]
  xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313
  ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257
  rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x1a6/0x270 net/socket.c:745
  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
  ___sys_sendmsg net/socket.c:2651 [inline]
  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 45:
  kasan_save_stack mm/kasan/common.c:47 [inline]
  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
  poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
  __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
  kasan_slab_free include/linux/kasan.h:184 [inline]
  slab_free_hook mm/slub.c:2252 [inline]
  slab_free mm/slub.c:4473 [inline]
  kmem_cache_free+0x145/0x350 mm/slub.c:4548
  dst_destroy+0x2ac/0x460 net/core/dst.c:124
  rcu_do_batch kernel/rcu/tree.c:2569 [inline]
  rcu_core+0xafd/0x1830 kernel/rcu/tree.
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44987

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44988
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: mv88e6xxx: Fix out-of-bound access

If an ATU violation was caused by a CPU Load operation, the SPID could
be larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44988

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44989
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bonding: fix xfrm real_dev null pointer dereference

We shouldn't set real_dev to NULL because packets can be in transit and
xfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume
real_dev is set.

 Example trace:
 kernel: BUG: unable to handle page fault for address: 0000000000001030
 kernel: bond0: (slave eni0np1): making interface the new active one
 kernel: #PF: supervisor write access in kernel mode
 kernel: #PF: error_code(0x0002) - not-present page
 kernel: PGD 0 P4D 0
 kernel: Oops: 0002 [#1] PREEMPT SMP
 kernel: CPU: 4 PID: 2237 Comm: ping Not tainted 6.7.7+ #12
 kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
 kernel: RIP: 0010:nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]
 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
 kernel: Code: e0 0f 0b 48 83 7f 38 00 74 de 0f 0b 48 8b 47 08 48 8b 37 48 8b 78 40 e9 b2 e5 9a d7 66 90 0f 1f 44 00 00 48 8b 86 80 02 00 00 <83> 80 30 10 00 00 01 b8 01 00 00 00 c3 0f 1f 80 00 00 00 00 0f 1f
 kernel: bond0: (slave eni0np1): making interface the new active one
 kernel: RSP: 0018:ffffabde81553b98 EFLAGS: 00010246
 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
 kernel:
 kernel: RAX: 0000000000000000 RBX: ffff9eb404e74900 RCX: ffff9eb403d97c60
 kernel: RDX: ffffffffc090de10 RSI: ffff9eb404e74900 RDI: ffff9eb3c5de9e00
 kernel: RBP: ffff9eb3c0a42000 R08: 0000000000000010 R09: 0000000000000014
 kernel: R10: 7974203030303030 R11: 3030303030303030 R12: 0000000000000000
 kernel: R13: ffff9eb3c5de9e00 R14: ffffabde81553cc8 R15: ffff9eb404c53000
 kernel: FS:  00007f2a77a3ad00(0000) GS:ffff9eb43bd00000(0000) knlGS:0000000000000000
 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 kernel: CR2: 0000000000001030 CR3: 00000001122ab000 CR4: 0000000000350ef0
 kernel: bond0: (slave eni0np1): making interface the new active one
 kernel: Call Trace:
 kernel:  <TASK>
 kernel:  ? __die+0x1f/0x60
 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
 kernel:  ? page_fault_oops+0x142/0x4c0
 kernel:  ? do_user_addr_fault+0x65/0x670
 kernel:  ? kvm_read_and_reset_apf_flags+0x3b/0x50
 kernel: bond0: (slave eni0np1): making interface the new active one
 kernel:  ? exc_page_fault+0x7b/0x180
 kernel:  ? asm_exc_page_fault+0x22/0x30
 kernel:  ? nsim_bpf_uninit+0x50/0x50 [netdevsim]
 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
 kernel:  ? nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]
 kernel: bond0: (slave eni0np1): making interface the new active one
 kernel:  bond_ipsec_offload_ok+0x7b/0x90 [bonding]
 kernel:  xfrm_output+0x61/0x3b0
 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
 kernel:  ip_push_pending_frames+0x56/0x80
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44989

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44990
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bonding: fix null pointer deref in bond_ipsec_offload_ok

We must check if there is an active slave before dereferencing the pointer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44990

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44991
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tcp: prevent concurrent execution of tcp_sk_exit_batch

Its possible that two threads call tcp_sk_exit_batch() concurrently,
once from the cleanup_net workqueue, once from a task that failed to clone
a new netns.  In the latter case, error unwinding calls the exit handlers
in reverse order for the 'failed' netns.

tcp_sk_exit_batch() calls tcp_twsk_purge().
Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),
this function picks up twsk in any dying netns, not just the one passed
in via exit_batch list.

This means that the error unwind of setup_net() can "steal" and destroy
timewait sockets belonging to the exiting netns.

This allows the netns exit worker to proceed to call

WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));

without the expected 1 -> 0 transition, which then splats.

At same time, error unwind path that is also running inet_twsk_purge()
will splat as well:

WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210
...
 refcount_dec include/linux/refcount.h:351 [inline]
 inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70
 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221
 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304
 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522
 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
 setup_net+0x714/0xb40 net/core/net_namespace.c:375
 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508
 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110

... because refcount_dec() of tw_refcount unexpectedly dropped to 0.

This doesn't seem like an actual bug (no tw sockets got lost and I don't
see a use-after-free) but as erroneous trigger of debug check.

Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()
blocks other task from doing final _dec_and_test before mutex-owner has
removed all tw sockets of dying netns.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44991

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44992
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb/client: avoid possible NULL dereference in cifs_free_subrequest()

Clang static checker (scan-build) warning:
	cifsglob.h:line 890, column 3
	Access to field 'ops' results in a dereference of a null pointer.

Commit 519be989717c ("cifs: Add a tracepoint to track credits involved in
R/W requests") adds a check for 'rdata->server', and let clang throw this
warning about NULL dereference.

When 'rdata->credits.value != 0 && rdata->server == NULL' happens,
add_credits_and_wake_if() will call rdata->server->ops->add_credits().
This will cause NULL dereference problem. Add a check for 'rdata->server'
to avoid NULL dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44992

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44993
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()`

When enabling UBSAN on Raspberry Pi 5, we get the following warning:

[  387.894977] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/v3d/v3d_sched.c:320:3
[  387.903868] index 7 is out of range for type '__u32 [7]'
[  387.909692] CPU: 0 PID: 1207 Comm: kworker/u16:2 Tainted: G        WC         6.10.3-v8-16k-numa #151
[  387.919166] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)
[  387.925961] Workqueue: v3d_csd drm_sched_run_job_work [gpu_sched]
[  387.932525] Call trace:
[  387.935296]  dump_backtrace+0x170/0x1b8
[  387.939403]  show_stack+0x20/0x38
[  387.942907]  dump_stack_lvl+0x90/0xd0
[  387.946785]  dump_stack+0x18/0x28
[  387.950301]  __ubsan_handle_out_of_bounds+0x98/0xd0
[  387.955383]  v3d_csd_job_run+0x3a8/0x438 [v3d]
[  387.960707]  drm_sched_run_job_work+0x520/0x6d0 [gpu_sched]
[  387.966862]  process_one_work+0x62c/0xb48
[  387.971296]  worker_thread+0x468/0x5b0
[  387.975317]  kthread+0x1c4/0x1e0
[  387.978818]  ret_from_fork+0x10/0x20
[  387.983014] ---[ end trace ]---

This happens because the UAPI provides only seven configuration
registers and we are reading the eighth position of this u32 array.

Therefore, fix the out-of-bounds read in `v3d_csd_job_run()` by
accessing only seven positions on the '__u32 [7]' array. The eighth
register exists indeed on V3D 7.1, but it isn't currently used. That
being so, let's guarantee that it remains unused and add a note that it
could be set in a future patch.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44993

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44994
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu: Restore lost return in iommu_report_device_fault()

When iommu_report_device_fault gets called with a partial fault it is
supposed to collect the fault into the group and then return.

Instead the return was accidently deleted which results in trying to
process the fault and an eventual crash.

Deleting the return was a typo, put it back.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44994

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44995
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix a deadlock problem when config TC during resetting

When config TC during the reset process, may cause a deadlock, the flow is
as below:
                             pf reset start
                                 │
                                 ▼
                              ......
setup tc                         │
    │                            ▼
    ▼                      DOWN: napi_disable()
napi_disable()(skip)             │
    │                            │
    ▼                            ▼
  ......                      ......
    │                            │
    ▼                            │
napi_enable()                    │
                                 ▼
                           UINIT: netif_napi_del()
                                 │
                                 ▼
                              ......
                                 │
                                 ▼
                           INIT: netif_napi_add()
                                 │
                                 ▼
                              ......                 global reset start
                                 │                      │
                                 ▼                      ▼
                           UP: napi_enable()(skip)    ......
                                 │                      │
                                 ▼                      ▼
                              ......                 napi_disable()

In reset process, the driver will DOWN the port and then UINIT, in this
case, the setup tc process will UP the port before UINIT, so cause the
problem. Adds a DOWN process in UINIT to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44996
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vsock: fix recursive ->recvmsg calls

After a vsock socket has been added to a BPF sockmap, its prot->recvmsg
has been replaced with vsock_bpf_recvmsg(). Thus the following
recursiion could happen:

vsock_bpf_recvmsg()
 -> __vsock_recvmsg()
  -> vsock_connectible_recvmsg()
   -> prot->recvmsg()
    -> vsock_bpf_recvmsg() again

We need to fix it by calling the original ->recvmsg() without any BPF
sockmap logic in __vsock_recvmsg().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44996

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44997
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb()

When there are multiple ap interfaces on one band and with WED on,
turning the interface down will cause a kernel panic on MT798X.

Previously, cb_priv was freed in mtk_wed_setup_tc_block() without
marking NULL,and mtk_wed_setup_tc_block_cb() didn't check the value, too.

Assign NULL after free cb_priv in mtk_wed_setup_tc_block() and check NULL
in mtk_wed_setup_tc_block_cb().

----------
Unable to handle kernel paging request at virtual address 0072460bca32b4f5
Call trace:
 mtk_wed_setup_tc_block_cb+0x4/0x38
 0xffffffc0794084bc
 tcf_block_playback_offloads+0x70/0x1e8
 tcf_block_unbind+0x6c/0xc8
...
---------
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44998
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

atm: idt77252: prevent use after free in dequeue_rx()

We can't dereference "skb" after calling vcc->push() because the skb
is released.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44998

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-44999
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gtp: pull network headers in gtp_dev_xmit()

syzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]

We must make sure the IPv4 or Ipv6 header is pulled in skb->head
before accessing fields in them.

Use pskb_inet_may_pull() to fix this issue.

[1]
BUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]
 BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
 BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
  ipv6_pdp_find drivers/net/gtp.c:220 [inline]
  gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
  gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
  __netdev_start_xmit include/linux/netdevice.h:4913 [inline]
  netdev_start_xmit include/linux/netdevice.h:4922 [inline]
  xmit_one net/core/dev.c:3580 [inline]
  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596
  __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423
  dev_queue_xmit include/linux/netdevice.h:3105 [inline]
  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
  packet_snd net/packet/af_packet.c:3145 [inline]
  packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:745
  __sys_sendto+0x685/0x830 net/socket.c:2204
  __do_sys_sendto net/socket.c:2216 [inline]
  __se_sys_sendto net/socket.c:2212 [inline]
  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
  x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:3994 [inline]
  slab_alloc_node mm/slub.c:4037 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674
  alloc_skb include/linux/skbuff.h:1320 [inline]
  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526
  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815
  packet_alloc_skb net/packet/af_packet.c:2994 [inline]
  packet_snd net/packet/af_packet.c:3088 [inline]
  packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:745
  __sys_sendto+0x685/0x830 net/socket.c:2204
  __do_sys_sendto net/socket.c:2216 [inline]
  __se_sys_sendto net/socket.c:2212 [inline]
  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
  x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-44999

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45000
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs/netfs/fscache_cookie: add missing "n_accesses" check

This fixes a NULL pointer dereference bug due to a data race which
looks like this:

  BUG: kernel NULL pointer dereference, address: 0000000000000008
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP PTI
  CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43
  Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018
  Workqueue: events_unbound netfs_rreq_write_to_cache_work
  RIP: 0010:cachefiles_prepare_write+0x30/0xa0
  Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 <48> 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10
  RSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286
  RAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000
  RDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438
  RBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001
  R10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68
  R13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00
  FS:  0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0
  Call Trace:
   <TASK>
   ? __die+0x1f/0x70
   ? page_fault_oops+0x15d/0x440
   ? search_module_extables+0xe/0x40
   ? fixup_exception+0x22/0x2f0
   ? exc_page_fault+0x5f/0x100
   ? asm_exc_page_fault+0x22/0x30
   ? cachefiles_prepare_write+0x30/0xa0
   netfs_rreq_write_to_cache_work+0x135/0x2e0
   process_one_work+0x137/0x2c0
   worker_thread+0x2e9/0x400
   ? __pfx_worker_thread+0x10/0x10
   kthread+0xcc/0x100
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x30/0x50
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1b/0x30
   </TASK>
  Modules linked in:
  CR2: 0000000000000008
  ---[ end trace 0000000000000000 ]---

This happened because fscache_cookie_state_machine() was slow and was
still running while another process invoked fscache_unuse_cookie();
this led to a fscache_cookie_lru_do_one() call, setting the
FSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by
fscache_cookie_state_machine(), withdrawing the cookie via
cachefiles_withdraw_cookie(), clearing cookie->cache_priv.

At the same time, yet another process invoked
cachefiles_prepare_write(), which found a NULL pointer in this code
line:

  struct cachefiles_object *object = cachefiles_cres_object(cres);

The next line crashes, obviously:

  struct cachefiles_cache *cache = object->volume->cache;

During cachefiles_prepare_write(), the "n_accesses" counter is
non-zero (via fscache_begin_operation()).  The cookie must not be
withdrawn until it drops to zero.

The counter is checked by fscache_cookie_state_machine() before
switching to FSCACHE_COOKIE_STATE_RELINQUISHING and
FSCACHE_COOKIE_STATE_WITHDRAWING (in "case
FSCACHE_COOKIE_STATE_FAILED"), but not for
FSCACHE_COOKIE_STATE_LRU_DISCARDING ("case
FSCACHE_COOKIE_STATE_ACTIVE").

This patch adds the missing check.  With a non-zero access counter,
the function returns and the next fscache_end_cookie_access() call
will queue another fscache_cookie_state_machine() call to handle the
still-pending FSCACHE_COOKIE_DO_LRU_DISCARD.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45000

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45001
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: mana: Fix RX buf alloc_size alignment and atomic op panic

The MANA driver's RX buffer alloc_size is passed into napi_build_skb() to
create SKB. skb_shinfo(skb) is located at the end of skb, and its alignment
is affected by the alloc_size passed into napi_build_skb(). The size needs
to be aligned properly for better performance and atomic operations.
Otherwise, on ARM64 CPU, for certain MTU settings like 4000, atomic
operations may panic on the skb_shinfo(skb)->dataref due to alignment fault.

To fix this bug, add proper alignment to the alloc_size calculation.

Sample panic info:
[  253.298819] Unable to handle kernel paging request at virtual address ffff000129ba5cce
[  253.300900] Mem abort info:
[  253.301760]   ESR = 0x0000000096000021
[  253.302825]   EC = 0x25: DABT (current EL), IL = 32 bits
[  253.304268]   SET = 0, FnV = 0
[  253.305172]   EA = 0, S1PTW = 0
[  253.306103]   FSC = 0x21: alignment fault
Call trace:
 __skb_clone+0xfc/0x198
 skb_clone+0x78/0xe0
 raw6_local_deliver+0xfc/0x228
 ip6_protocol_deliver_rcu+0x80/0x500
 ip6_input_finish+0x48/0x80
 ip6_input+0x48/0xc0
 ip6_sublist_rcv_finish+0x50/0x78
 ip6_sublist_rcv+0x1cc/0x2b8
 ipv6_list_rcv+0x100/0x150
 __netif_receive_skb_list_core+0x180/0x220
 netif_receive_skb_list_internal+0x198/0x2a8
 __napi_poll+0x138/0x250
 net_rx_action+0x148/0x330
 handle_softirqs+0x12c/0x3a0
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45002
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

rtla/osnoise: Prevent NULL dereference in error handling

If the "tool->data" allocation fails then there is no need to call
osnoise_free_top() and, in fact, doing so will lead to a NULL dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45003
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vfs: Don't evict inode under the inode lru traversing context

The inode reclaiming process(See function prune_icache_sb) collects all
reclaimable inodes and mark them with I_FREEING flag at first, at that
time, other processes will be stuck if they try getting these inodes
(See function find_inode_fast), then the reclaiming process destroy the
inodes by function dispose_list(). Some filesystems(eg. ext4 with
ea_inode feature, ubifs with xattr) may do inode lookup in the inode
evicting callback function, if the inode lookup is operated under the
inode lru traversing context, deadlock problems may happen.

Case 1: In function ext4_evict_inode(), the ea inode lookup could happen
        if ea_inode feature is enabled, the lookup process will be stuck
	under the evicting context like this:

 1. File A has inode i_reg and an ea inode i_ea
 2. getfattr(A, xattr_buf) // i_ea is added into lru // lru->i_ea
 3. Then, following three processes running like this:

    PA                              PB
 echo 2 > /proc/sys/vm/drop_caches
  shrink_slab
   prune_dcache_sb
   // i_reg is added into lru, lru->i_ea->i_reg
   prune_icache_sb
    list_lru_walk_one
     inode_lru_isolate
      i_ea->i_state |= I_FREEING // set inode state
     inode_lru_isolate
      __iget(i_reg)
      spin_unlock(&i_reg->i_lock)
      spin_unlock(lru_lock)
                                     rm file A
                                      i_reg->nlink = 0
      iput(i_reg) // i_reg->nlink is 0, do evict
       ext4_evict_inode
        ext4_xattr_delete_inode
         ext4_xattr_inode_dec_ref_all
          ext4_xattr_inode_iget
           ext4_iget(i_ea->i_ino)
            iget_locked
             find_inode_fast
              __wait_on_freeing_inode(i_ea) ----→ AA deadlock
    dispose_list // cannot be executed by prune_icache_sb
     wake_up_bit(&i_ea->i_state)

Case 2: In deleted inode writing function ubifs_jnl_write_inode(), file
        deleting process holds BASEHD's wbuf->io_mutex while getting the
	xattr inode, which could race with inode reclaiming process(The
        reclaiming process could try locking BASEHD's wbuf->io_mutex in
	inode evicting function), then an ABBA deadlock problem would
	happen as following:

 1. File A has inode ia and a xattr(with inode ixa), regular file B has
    inode ib and a xattr.
 2. getfattr(A, xattr_buf) // ixa is added into lru // lru->ixa
 3. Then, following three processes running like this:

        PA                PB                        PC
                echo 2 > /proc/sys/vm/drop_caches
                 shrink_slab
                  prune_dcache_sb
                  // ib and ia are added into lru, lru->ixa->ib->ia
                  prune_icache_sb
                   list_lru_walk_one
                    inode_lru_isolate
                     ixa->i_state |= I_FREEING // set inode state
                    inode_lru_isolate
                     __iget(ib)
                     spin_unlock(&ib->i_lock)
                     spin_unlock(lru_lock)
                                                   rm file B
                                                    ib->nlink = 0
 rm file A
  iput(ia)
   ubifs_evict_inode(ia)
    ubifs_jnl_delete_inode(ia)
     ubifs_jnl_write_inode(ia)
      make_reservation(BASEHD) // Lock wbuf->io_mutex
      ubifs_iget(ixa->i_ino)
       iget_locked
        find_inode_fast
         __wait_on_freeing_inode(ixa)
          |          iput(ib) // ib->nlink is 0, do evict
          |           ubifs_evict_inode
          |            ubifs_jnl_delete_inode(ib)
          ↓             ubifs_jnl_write_inode
     ABBA deadlock ←-----make_reservation(BASEHD)
                   dispose_list // cannot be executed by prune_icache_sb
                    wake_up_bit(&ixa->i_state)

Fix the possible deadlock by using new inode state flag I_LRU_ISOLATING
to pin the inode in memory while inode_lru_isolate(
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45003

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45004
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KEYS: trusted: dcp: fix leak of blob encryption key

Trusted keys unseal the key blob on load, but keep the sealed payload in
the blob field so that every subsequent read (export) will simply
convert this field to hex and send it to userspace.

With DCP-based trusted keys, we decrypt the blob encryption key (BEK)
in the Kernel due hardware limitations and then decrypt the blob payload.
BEK decryption is done in-place which means that the trusted key blob
field is modified and it consequently holds the BEK in plain text.
Every subsequent read of that key thus send the plain text BEK instead
of the encrypted BEK to userspace.

This issue only occurs when importing a trusted DCP-based key and
then exporting it again. This should rarely happen as the common use cases
are to either create a new trusted key and export it, or import a key
blob and then just use it without exporting it again.

Fix this by performing BEK decryption and encryption in a dedicated
buffer. Further always wipe the plain text BEK buffer to prevent leaking
the key via uninitialized memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45004

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45005
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: s390: fix validity interception issue when gisa is switched off

We might run into a SIE validity if gisa has been disabled either via using
kernel parameter "kvm.use_gisa=0" or by setting the related sysfs
attribute to N (echo N >/sys/module/kvm/parameters/use_gisa).

The validity is caused by an invalid value in the SIE control block's
gisa designation. That happens because we pass the uninitialized gisa
origin to virt_to_phys() before writing it to the gisa designation.

To fix this we return 0 in kvm_s390_get_gisa_desc() if the origin is 0.
kvm_s390_get_gisa_desc() is used to determine which gisa designation to
set in the SIE control block. A value of 0 in the gisa designation disables
gisa usage.

The issue surfaces in the host kernel with the following kernel message as
soon a new kvm guest start is attemted.

kvm: unhandled validity intercept 0x1011
WARNING: CPU: 0 PID: 781237 at arch/s390/kvm/intercept.c:101 kvm_handle_sie_intercept+0x42e/0x4d0 [kvm]
Modules linked in: vhost_net tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT xt_tcpudp nft_compat x_tables nf_nat_tftp nf_conntrack_tftp vfio_pci_core irqbypass vhost_vsock vmw_vsock_virtio_transport_common vsock vhost vhost_iotlb kvm nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables sunrpc mlx5_ib ib_uverbs ib_core mlx5_core uvdevice s390_trng eadm_sch vfio_ccw zcrypt_cex4 mdev vfio_iommu_type1 vfio sch_fq_codel drm i2c_core loop drm_panel_orientation_quirks configfs nfnetlink lcs ctcm fsm dm_service_time ghash_s390 prng chacha_s390 libchacha aes_s390 des_s390 libdes sha3_512_s390 sha3_256_s390 sha512_s390 sha256_s390 sha1_s390 sha_common dm_mirror dm_region_hash dm_log zfcp scsi_transport_fc scsi_dh_rdac scsi_dh_emc scsi_dh_alua pkey zcrypt dm_multipath rng_core autofs4 [last unloaded: vfio_pci]
CPU: 0 PID: 781237 Comm: CPU 0/KVM Not tainted 6.10.0-08682-gcad9f11498ea #6
Hardware name: IBM 3931 A01 701 (LPAR)
Krnl PSW : 0704c00180000000 000003d93deb0122 (kvm_handle_sie_intercept+0x432/0x4d0 [kvm])
           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
Krnl GPRS: 000003d900000027 000003d900000023 0000000000000028 000002cd00000000
           000002d063a00900 00000359c6daf708 00000000000bebb5 0000000000001eff
           000002cfd82e9000 000002cfd80bc000 0000000000001011 000003d93deda412
           000003ff8962df98 000003d93de77ce0 000003d93deb011e 00000359c6daf960
Krnl Code: 000003d93deb0112: c020fffe7259	larl	%r2,000003d93de7e5c4
           000003d93deb0118: c0e53fa8beac	brasl	%r14,000003d9bd3c7e70
          #000003d93deb011e: af000000		mc	0,0
          >000003d93deb0122: a728ffea		lhi	%r2,-22
           000003d93deb0126: a7f4fe24		brc	15,000003d93deafd6e
           000003d93deb012a: 9101f0b0		tm	176(%r15),1
           000003d93deb012e: a774fe48		brc	7,000003d93deafdbe
           000003d93deb0132: 40a0f0ae		sth	%r10,174(%r15)
Call Trace:
 [<000003d93deb0122>] kvm_handle_sie_intercept+0x432/0x4d0 [kvm]
([<000003d93deb011e>] kvm_handle_sie_intercept+0x42e/0x4d0 [kvm])
 [<000003d93deacc10>] vcpu_post_run+0x1d0/0x3b0 [kvm]
 [<000003d93deaceda>] __vcpu_run+0xea/0x2d0 [kvm]
 [<000003d93dead9da>] kvm_arch_vcpu_ioctl_run+0x16a/0x430 [kvm]
 [<000003d93de93ee0>] kvm_vcpu_ioctl+0x190/0x7c0 [kvm]
 [<000003d9bd728b4e>] vfs_ioctl+0x2e/0x70
 [<000003d9bd72a092>] __s390x_sys_ioctl+0xc2/0xd0
 [<000003d9be0e9222>] __do_syscall+0x1f2/0x2e0
 [<000003d9be0f9a90>] system_call+0x70/0x98
Last Breaking-Event-Address:
 [<000003d9bd3c7f58>] __warn_printk+0xe8/0xf0
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45005

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45006
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration

re-enumerating full-speed devices after a failed address device command
can trigger a NULL pointer dereference.

Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size
value during enumeration. Usb core calls usb_ep0_reinit() in this case,
which ends up calling xhci_configure_endpoint().

On Panther point xHC the xhci_configure_endpoint() function will
additionally check and reserve bandwidth in software. Other hosts do
this in hardware

If xHC address device command fails then a new xhci_virt_device structure
is allocated as part of re-enabling the slot, but the bandwidth table
pointers are not set up properly here.
This triggers the NULL pointer dereference the next time usb_ep0_reinit()
is called and xhci_configure_endpoint() tries to check and reserve
bandwidth

[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd
[46710.713699] usb 3-1: Device not responding to setup address.
[46710.917684] usb 3-1: Device not responding to setup address.
[46711.125536] usb 3-1: device not accepting address 5, error -71
[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008
[46711.125600] #PF: supervisor read access in kernel mode
[46711.125603] #PF: error_code(0x0000) - not-present page
[46711.125606] PGD 0 P4D 0
[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1
[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.
[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]
[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c

Fix this by making sure bandwidth table pointers are set up correctly
after a failed address device command, and additionally by avoiding
checking for bandwidth in cases like this where no actual endpoints are
added or removed, i.e. only context for default control endpoint 0 is
evaluated.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45009
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: only decrement add_addr_accepted for MPJ req

Adding the following warning ...

  WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)

... before decrementing the add_addr_accepted counter helped to find a
bug when running the "remove single subflow" subtest from the
mptcp_join.sh selftest.

Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the
subflow closure. Before this patch, and upon the reception of the
RM_ADDR, the other peer will then try to decrement this
add_addr_accepted. That's not correct because the attached subflows have
not been created upon the reception of an ADD_ADDR.

A way to solve that is to decrement the counter only if the attached
subflow was an MP_JOIN to a remote id that was not 0, and initiated by
the host receiving the RM_ADDR.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45009

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45010
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: only mark 'subflow' endp as available

Adding the following warning ...

  WARN_ON_ONCE(msk->pm.local_addr_used == 0)

... before decrementing the local_addr_used counter helped to find a bug
when running the "remove single address" subtest from the mptcp_join.sh
selftests.

Removing a 'signal' endpoint will trigger the removal of all subflows
linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with
rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used
counter, which is wrong in this case because this counter is linked to
'subflow' endpoints, and here it is a 'signal' endpoint that is being
removed.

Now, the counter is decremented, only if the ID is being used outside
of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and
if the ID is not 0 -- local_addr_used is not taking into account these
ones. This marking of the ID as being available, and the decrement is
done no matter if a subflow using this ID is currently available,
because the subflow could have been closed before.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45010

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45011
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

char: xillybus: Check USB endpoints when probing device

Ensure, as the driver probes the device, that all endpoints that the
driver may attempt to access exist and are of the correct type.

All XillyUSB devices must have a Bulk IN and Bulk OUT endpoint at
address 1. This is verified in xillyusb_setup_base_eps().

On top of that, a XillyUSB device may have additional Bulk OUT
endpoints. The information about these endpoints' addresses is deduced
from a data structure (the IDT) that the driver fetches from the device
while probing it. These endpoints are checked in setup_channels().

A XillyUSB device never has more than one IN endpoint, as all data
towards the host is multiplexed in this single Bulk IN endpoint. This is
why setup_channels() only checks OUT endpoints.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45011

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45012
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nouveau/firmware: use dma non-coherent allocator

Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a
BUG() on startup, when the iommu is enabled:

kernel BUG at include/linux/scatterlist.h:187!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30
Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019
RIP: 0010:sg_init_one+0x85/0xa0
Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54
24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b
0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00
RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000
RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508
R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018
FS:  00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0
Call Trace:
 <TASK>
 ? die+0x36/0x90
 ? do_trap+0xdd/0x100
 ? sg_init_one+0x85/0xa0
 ? do_error_trap+0x65/0x80
 ? sg_init_one+0x85/0xa0
 ? exc_invalid_op+0x50/0x70
 ? sg_init_one+0x85/0xa0
 ? asm_exc_invalid_op+0x1a/0x20
 ? sg_init_one+0x85/0xa0
 nvkm_firmware_ctor+0x14a/0x250 [nouveau]
 nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]
 ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]
 r535_gsp_oneinit+0xb3/0x15f0 [nouveau]
 ? srso_return_thunk+0x5/0x5f
 ? srso_return_thunk+0x5/0x5f
 ? nvkm_udevice_new+0x95/0x140 [nouveau]
 ? srso_return_thunk+0x5/0x5f
 ? srso_return_thunk+0x5/0x5f
 ? ktime_get+0x47/0xb0

Fix this by using the non-coherent allocator instead, I think there
might be a better answer to this, but it involve ripping up some of
APIs using sg lists.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45012

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45013
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvme: move stopping keep-alive into nvme_uninit_ctrl()

Commit 4733b65d82bd ("nvme: start keep-alive after admin queue setup")
moves starting keep-alive from nvme_start_ctrl() into
nvme_init_ctrl_finish(), but don't move stopping keep-alive into
nvme_uninit_ctrl(), so keep-alive work can be started and keep pending
after failing to start controller, finally use-after-free is triggered if
nvme host driver is unloaded.

This patch fixes kernel panic when running nvme/004 in case that connection
failure is triggered, by moving stopping keep-alive into nvme_uninit_ctrl().

This way is reasonable because keep-alive is now started in
nvme_init_ctrl_finish().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45013

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45014
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/boot: Avoid possible physmem_info segment corruption

When physical memory for the kernel image is allocated it does not
consider extra memory required for offsetting the image start to
match it with the lower 20 bits of KASLR virtual base address. That
might lead to kernel access beyond its memory range.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45014

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45015
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()

For cases where the crtc's connectors_changed was set without enable/active
getting toggled , there is an atomic_enable() call followed by an
atomic_disable() but without an atomic_mode_set().

This results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in
the atomic_enable() as the dpu_encoder's connector was cleared in the
atomic_disable() but not re-assigned as there was no atomic_mode_set() call.

Fix the NULL ptr access by moving the assignment for atomic_enable() and also
use drm_atomic_get_new_connector_for_encoder() to get the connector from
the atomic_state.

Patchwork: https://patchwork.freedesktop.org/patch/606729/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45015

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45016
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netem: fix return value if duplicate enqueue fails

There is a bug in netem_enqueue() introduced by
commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
that can lead to a use-after-free.

This commit made netem_enqueue() always return NET_XMIT_SUCCESS
when a packet is duplicated, which can cause the parent qdisc's q.qlen
to be mistakenly incremented. When this happens qlen_notify() may be
skipped on the parent during destruction, leaving a dangling pointer
for some classful qdiscs like DRR.

There are two ways for the bug happen:

- If the duplicated packet is dropped by rootq->enqueue() and then
  the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc
  and the original packet is dropped.

In both cases NET_XMIT_SUCCESS is returned even though no packets
are enqueued at the netem qdisc.

The fix is to defer the enqueue of the duplicate packet until after
the original packet has been guaranteed to return NET_XMIT_SUCCESS.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45016

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45017
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix IPsec RoCE MPV trace call

Prevent the call trace below from happening, by not allowing IPsec
creation over a slave, if master device doesn't support IPsec.

WARNING: CPU: 44 PID: 16136 at kernel/locking/rwsem.c:240 down_read+0x75/0x94
Modules linked in: esp4_offload esp4 act_mirred act_vlan cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa mst_pciconf(OE) nfsv3 nfs_acl nfs lockd grace fscache netfs xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill cuse fuse rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel sha1_ssse3 dell_smbios ib_uverbs aesni_intel crypto_simd dcdbas wmi_bmof dell_wmi_descriptor cryptd pcspkr ib_core acpi_ipmi sp5100_tco ccp i2c_piix4 ipmi_si ptdma k10temp ipmi_devintf ipmi_msghandler acpi_power_meter acpi_cpufreq ext4 mbcache jbd2 sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect mlx5_core sysimgblt fb_sys_fops cec
 ahci libahci mlxfw drm pci_hyperv_intf libata tg3 sha256_ssse3 tls megaraid_sas i2c_algo_bit psample wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mst_pci]
CPU: 44 PID: 16136 Comm: kworker/44:3 Kdump: loaded Tainted: GOE 5.15.0-20240509.el8uek.uek7_u3_update_v6.6_ipsec_bf.x86_64 #2
Hardware name: Dell Inc. PowerEdge R7525/074H08, BIOS 2.0.3 01/15/2021
Workqueue: events xfrm_state_gc_task
RIP: 0010:down_read+0x75/0x94
Code: 00 48 8b 45 08 65 48 8b 14 25 80 fc 01 00 83 e0 02 48 09 d0 48 83 c8 01 48 89 45 08 5d 31 c0 89 c2 89 c6 89 c7 e9 cb 88 3b 00 <0f> 0b 48 8b 45 08 a8 01 74 b2 a8 02 75 ae 48 89 c2 48 83 ca 02 f0
RSP: 0018:ffffb26387773da8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffa08b658af900 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ff886bc5e1366f2f RDI: 0000000000000000
RBP: ffffa08b658af940 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0a9bfb31540
R13: ffffa0a9bfb37900 R14: 0000000000000000 R15: ffffa0a9bfb37905
FS:  0000000000000000(0000) GS:ffffa0a9bfb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a45ed814e8 CR3: 000000109038a000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 ? show_trace_log_lvl+0x1d6/0x2f9
 ? show_trace_log_lvl+0x1d6/0x2f9
 ? mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core]
 ? down_read+0x75/0x94
 ? __warn+0x80/0x113
 ? down_read+0x75/0x94
 ? report_bug+0xa4/0x11d
 ? handle_bug+0x35/0x8b
 ? exc_invalid_op+0x14/0x75
 ? asm_exc_invalid_op+0x16/0x1b
 ? down_read+0x75/0x94
 ? down_read+0xe/0x94
 mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core]
 mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core]
 tx_destroy+0x1b/0xc0 [mlx5_core]
 tx_ft_put+0x53/0xc0 [mlx5_core]
 mlx5e_xfrm_free_state+0x45/0x90 [mlx5_core]
 ___xfrm_state_destroy+0x10f/0x1a2
 xfrm_state_gc_task+0x81/0xa9
 process_one_work+0x1f1/0x3c6
 worker_thread+0x53/0x3e4
 ? process_one_work.cold+0x46/0x3c
 kthread+0x127/0x144
 ? set_kthread_struct+0x60/0x52
 ret_from_fork+0x22/0x2d
 </TASK>
---[ end trace 5ef7896144d398e1 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45017

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45018
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable: initialise extack before use

Fix missing initialisation of extack in flow offload.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45018

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45019
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Take state lock during tx timeout reporter

mlx5e_safe_reopen_channels() requires the state lock taken. The
referenced changed in the Fixes tag removed the lock to fix another
issue. This patch adds it back but at a later point (when calling
mlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the
Fixes tag.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45019

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45020
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a kernel verifier crash in stacksafe()

Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.

To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45020

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45021
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

memcg_write_event_control(): fix a user-triggerable oops

we are *not* guaranteed that anything past the terminating NUL
is mapped (let alone initialized with anything sane).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45021

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45022
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0

The __vmap_pages_range_noflush() assumes its argument pages** contains
pages with the same page shift.  However, since commit e9c3cda4d86e ("mm,
vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes
__GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation
failed for high order, the pages** may contain two different page shifts
(high order and order-0).  This could lead __vmap_pages_range_noflush() to
perform incorrect mappings, potentially resulting in memory corruption.

Users might encounter this as follows (vmap_allow_huge = true, 2M is for
PMD_SIZE):

kvmalloc(2M, __GFP_NOFAIL|GFP_X)
    __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP)
        vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0
            vmap_pages_range()
                vmap_pages_range_noflush()
                    __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens

We can remove the fallback code because if a high-order allocation fails,
__vmalloc_node_range_noprof() will retry with order-0.  Therefore, it is
unnecessary to fallback to order-0 here.  Therefore, fix this by removing
the fallback code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45022

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45023
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

md/raid1: Fix data corruption for degraded array with slow disk

read_balance() will avoid reading from slow disks as much as possible,
however, if valid data only lands in slow disks, and a new normal disk
is still in recovery, unrecovered data can be read:

raid1_read_request
 read_balance
  raid1_should_read_first
  -> return false
  choose_best_rdev
  -> normal disk is not recovered, return -1
  choose_bb_rdev
  -> missing the checking of recovery, return the normal disk
 -> read unrecovered data

Root cause is that the checking of recovery is missing in
choose_bb_rdev(). Hence add such checking to fix the problem.

Also fix similar problem in choose_slow_rdev().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45023

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45024
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix hugetlb vs. core-mm PT locking

We recently made GUP's common page table walking code to also walk hugetlb
VMAs without most hugetlb special-casing, preparing for the future of
having less hugetlb-specific page table walking code in the codebase. 
Turns out that we missed one page table locking detail: page table locking
for hugetlb folios that are not mapped using a single PMD/PUD.

Assume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB
hugetlb folios on arm64 with 4 KiB base page size).  GUP, as it walks the
page tables, will perform a pte_offset_map_lock() to grab the PTE table
lock.

However, hugetlb that concurrently modifies these page tables would
actually grab the mm->page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the
locks would differ.  Something similar can happen right now with hugetlb
folios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS.

This issue can be reproduced [1], for example triggering:

[ 3105.936100] ------------[ cut here ]------------
[ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188
[ 3105.944634] Modules linked in: [...]
[ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1
[ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024
[ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 3105.991108] pc : try_grab_folio+0x11c/0x188
[ 3105.994013] lr : follow_page_pte+0xd8/0x430
[ 3105.996986] sp : ffff80008eafb8f0
[ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43
[ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48
[ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978
[ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001
[ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000
[ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000
[ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0
[ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080
[ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 x3 : ffffffe8d481f000
[ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000
[ 3106.047957] Call trace:
[ 3106.049522]  try_grab_folio+0x11c/0x188
[ 3106.051996]  follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0
[ 3106.055527]  follow_page_mask+0x1a0/0x2b8
[ 3106.058118]  __get_user_pages+0xf0/0x348
[ 3106.060647]  faultin_page_range+0xb0/0x360
[ 3106.063651]  do_madvise+0x340/0x598

Let's make huge_pte_lockptr() effectively use the same PT locks as any
core-mm page table walker would.  Add ptep_lockptr() to obtain the PTE
page table lock using a pte pointer -- unfortunately we cannot convert
pte_lockptr() because virt_to_page() doesn't work with kmap'ed page tables
we can have with CONFIG_HIGHPTE.

Handle CONFIG_PGTABLE_LEVELS correctly by checking in reverse order, such
that when e.g., CONFIG_PGTABLE_LEVELS==2 with
PGDIR_SIZE==P4D_SIZE==PUD_SIZE==PMD_SIZE will work as expected.  Document
why that works.

There is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb
folio being mapped using two PTE page tables.  While hugetlb wants to take
the PMD table lock, core-mm would grab the PTE table lock of one of both
PTE page tables.  In such corner cases, we have to make sure that both
locks match, which is (fortunately!) currently guaranteed for 8xx as it
does not support SMP and consequently doesn't use split PT locks.

[1] https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45024

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45025
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE

copy_fd_bitmaps(new, old, count) is expected to copy the first
count/BITS_PER_LONG bits from old->full_fds_bits[] and fill
the rest with zeroes.  What it does is copying enough words
(BITS_TO_LONGS(count/BITS_PER_LONG)), then memsets the rest.
That works fine, *if* all bits past the cutoff point are
clear.  Otherwise we are risking garbage from the last word
we'd copied.

For most of the callers that is true - expand_fdtable() has
count equal to old->max_fds, so there's no open descriptors
past count, let alone fully occupied words in ->open_fds[],
which is what bits in ->full_fds_bits[] correspond to.

The other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds),
which is the smallest multiple of BITS_PER_LONG that covers all
opened descriptors below max_fds.  In the common case (copying on
fork()) max_fds is ~0U, so all opened descriptors will be below
it and we are fine, by the same reasons why the call in expand_fdtable()
is safe.

Unfortunately, there is a case where max_fds is less than that
and where we might, indeed, end up with junk in ->full_fds_bits[] -
close_range(from, to, CLOSE_RANGE_UNSHARE) with
	* descriptor table being currently shared
	* 'to' being above the current capacity of descriptor table
	* 'from' being just under some chunk of opened descriptors.
In that case we end up with observably wrong behaviour - e.g. spawn
a child with CLONE_FILES, get all descriptors in range 0..127 open,
then close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending
up with descriptor #128, despite #64 being observably not open.

The minimally invasive fix would be to deal with that in dup_fd().
If this proves to add measurable overhead, we can go that way, but
let's try to fix copy_fd_bitmaps() first.

* new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size).
* make copy_fd_bitmaps() take the bitmap size in words, rather than
bits; it's 'count' argument is always a multiple of BITS_PER_LONG,
so we are not losing any information, and that way we can use the
same helper for all three bitmaps - compiler will see that count
is a multiple of BITS_PER_LONG for the large ones, so it'll generate
plain memcpy()+memset().

Reproducer added to tools/testing/selftests/core/close_range_test.c
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45025

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45026
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

s390/dasd: fix error recovery leading to data corruption on ESE devices

Extent Space Efficient (ESE) or thin provisioned volumes need to be
formatted on demand during usual IO processing.

The dasd_ese_needs_format function checks for error codes that signal
the non existence of a proper track format.

The check for incorrect length is to imprecise since other error cases
leading to transport of insufficient data also have this flag set.
This might lead to data corruption in certain error cases for example
during a storage server warmstart.

Fix by removing the check for incorrect length and replacing by
explicitly checking for invalid track format in transport mode.

Also remove the check for file protected since this is not a valid
ESE handling case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45026

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45027
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup()

If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop
up the damage. If it fails early enough, before xhci->interrupters
is allocated but after xhci->max_interrupters has been set, which
happens in most (all?) cases, things get uglier, as xhci_mem_cleanup()
unconditionally derefences xhci->interrupters. With prejudice.

Gate the interrupt freeing loop with a check on xhci->interrupters
being non-NULL.

Found while debugging a DMA allocation issue that led the XHCI driver
on this exact path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45027

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45028
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mmc: mmc_test: Fix NULL dereference on allocation failure

If the "test->highmem = alloc_pages()" allocation fails then calling
__free_pages(test->highmem) will result in a NULL dereference.  Also
change the error code to -ENOMEM instead of returning success.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45028

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45029
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i2c: tegra: Do not mark ACPI devices as irq safe

On ACPI machines, the tegra i2c module encounters an issue due to a
mutex being called inside a spinlock. This leads to the following bug:

	BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
	...

	Call trace:
	__might_sleep
	__mutex_lock_common
	mutex_lock_nested
	acpi_subsys_runtime_resume
	rpm_resume
	tegra_i2c_xfer

The problem arises because during __pm_runtime_resume(), the spinlock
&dev->power.lock is acquired before rpm_resume() is called. Later,
rpm_resume() invokes acpi_subsys_runtime_resume(), which relies on
mutexes, triggering the error.

To address this issue, devices on ACPI are now marked as not IRQ-safe,
considering the dependency of acpi_subsys_runtime_resume() on mutexes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45029

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-45030
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

igb: cope with large MAX_SKB_FRAGS

Sabrina reports that the igb driver does not cope well with large
MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload
corruption on TX.

An easy reproducer is to run ssh to connect to the machine.  With
MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails.  This has
been reported originally in
https://bugzilla.redhat.com/show_bug.cgi?id=2265320

The root cause of the issue is that the driver does not take into
account properly the (possibly large) shared info size when selecting
the ring layout, and will try to fit two packets inside the same 4K
page even when the 1st fraglist will trump over the 2nd head.

Address the issue by checking if 2K buffers are insufficient.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45030

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46672
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion

wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the
driver for SAE/OWE offload cases") SSID based PMKSA del commands.
brcmfmac is not prepared and tries to dereference the NULL bssid and
pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based
updates so copy the SSID.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46672

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46673
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: aacraid: Fix double-free on probe failure

aac_probe_one() calls hardware-specific init functions through the
aac_driver_ident::init pointer, all of which eventually call down to
aac_init_adapter().

If aac_init_adapter() fails after allocating memory for aac_dev::queues,
it frees the memory but does not clear that member.

After the hardware-specific init function returns an error,
aac_probe_one() goes down an error path that frees the memory pointed to
by aac_dev::queues, resulting.in a double-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46673

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46674
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: st: fix probed platform device ref count on probe error path

The probe function never performs any paltform device allocation, thus
error path "undo_platform_dev_alloc" is entirely bogus.  It drops the
reference count from the platform device being probed.  If error path is
triggered, this will lead to unbalanced device reference counts and
premature release of device resources, thus possible use-after-free when
releasing remaining devm-managed resources.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46674

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46675
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: core: Prevent USB core invalid event buffer address access

This commit addresses an issue where the USB core could access an
invalid event buffer address during runtime suspend, potentially causing
SMMU faults and other memory issues in Exynos platforms. The problem
arises from the following sequence.
        1. In dwc3_gadget_suspend, there is a chance of a timeout when
        moving the USB core to the halt state after clearing the
        run/stop bit by software.
        2. In dwc3_core_exit, the event buffer is cleared regardless of
        the USB core's status, which may lead to an SMMU faults and
        other memory issues. if the USB core tries to access the event
        buffer address.

To prevent this hardware quirk on Exynos platforms, this commit ensures
that the event buffer address is not cleared by software  when the USB
core is active during runtime suspend by checking its status before
clearing the buffer address.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46675

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46676
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: Add poll mod list filling check

In case of im_protocols value is 1 and tm_protocols value is 0 this
combination successfully passes the check
'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().
But then after pn533_poll_create_mod_list() call in pn533_start_poll()
poll mod list will remain empty and dev->poll_mod_count will remain 0
which lead to division by zero.

Normally no im protocol has value 1 in the mask, so this combination is
not expected by driver. But these protocol values actually come from
userspace via Netlink interface (NFC_CMD_START_POLL operation). So a
broken or malicious program may pass a message containing a "bad"
combination of protocol parameter values so that dev->poll_mod_count
is not incremented inside pn533_poll_create_mod_list(), thus leading
to division by zero.
Call trace looks like:
nfc_genl_start_poll()
  nfc_start_poll()
    ->start_poll()
    pn533_start_poll()

Add poll mod list filling check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46676

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46677
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gtp: fix a potential NULL pointer dereference

When sockfd_lookup() fails, gtp_encap_enable_socket() returns a
NULL pointer, but its callers only check for error pointers thus miss
the NULL pointer case.

Fix it by returning an error pointer with the error code carried from
sockfd_lookup().

(I found this bug during code inspection.)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46677

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46678
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bonding: change ipsec_lock from spin lock to mutex

In the cited commit, bond->ipsec_lock is added to protect ipsec_list,
hence xdo_dev_state_add and xdo_dev_state_delete are called inside
this lock. As ipsec_lock is a spin lock and such xfrmdev ops may sleep,
"scheduling while atomic" will be triggered when changing bond's
active slave.

[  101.055189] BUG: scheduling while atomic: bash/902/0x00000200
[  101.055726] Modules linked in:
[  101.058211] CPU: 3 PID: 902 Comm: bash Not tainted 6.9.0-rc4+ #1
[  101.058760] Hardware name:
[  101.059434] Call Trace:
[  101.059436]  <TASK>
[  101.060873]  dump_stack_lvl+0x51/0x60
[  101.061275]  __schedule_bug+0x4e/0x60
[  101.061682]  __schedule+0x612/0x7c0
[  101.062078]  ? __mod_timer+0x25c/0x370
[  101.062486]  schedule+0x25/0xd0
[  101.062845]  schedule_timeout+0x77/0xf0
[  101.063265]  ? asm_common_interrupt+0x22/0x40
[  101.063724]  ? __bpf_trace_itimer_state+0x10/0x10
[  101.064215]  __wait_for_common+0x87/0x190
[  101.064648]  ? usleep_range_state+0x90/0x90
[  101.065091]  cmd_exec+0x437/0xb20 [mlx5_core]
[  101.065569]  mlx5_cmd_do+0x1e/0x40 [mlx5_core]
[  101.066051]  mlx5_cmd_exec+0x18/0x30 [mlx5_core]
[  101.066552]  mlx5_crypto_create_dek_key+0xea/0x120 [mlx5_core]
[  101.067163]  ? bonding_sysfs_store_option+0x4d/0x80 [bonding]
[  101.067738]  ? kmalloc_trace+0x4d/0x350
[  101.068156]  mlx5_ipsec_create_sa_ctx+0x33/0x100 [mlx5_core]
[  101.068747]  mlx5e_xfrm_add_state+0x47b/0xaa0 [mlx5_core]
[  101.069312]  bond_change_active_slave+0x392/0x900 [bonding]
[  101.069868]  bond_option_active_slave_set+0x1c2/0x240 [bonding]
[  101.070454]  __bond_opt_set+0xa6/0x430 [bonding]
[  101.070935]  __bond_opt_set_notify+0x2f/0x90 [bonding]
[  101.071453]  bond_opt_tryset_rtnl+0x72/0xb0 [bonding]
[  101.071965]  bonding_sysfs_store_option+0x4d/0x80 [bonding]
[  101.072567]  kernfs_fop_write_iter+0x10c/0x1a0
[  101.073033]  vfs_write+0x2d8/0x400
[  101.073416]  ? alloc_fd+0x48/0x180
[  101.073798]  ksys_write+0x5f/0xe0
[  101.074175]  do_syscall_64+0x52/0x110
[  101.074576]  entry_SYSCALL_64_after_hwframe+0x4b/0x53

As bond_ipsec_add_sa_all and bond_ipsec_del_sa_all are only called
from bond_change_active_slave, which requires holding the RTNL lock.
And bond_ipsec_add_sa and bond_ipsec_del_sa are xfrm state
xdo_dev_state_add and xdo_dev_state_delete APIs, which are in user
context. So ipsec_lock doesn't have to be spin lock, change it to
mutex, and thus the above issue can be resolved.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46678

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46679
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ethtool: check device is present when getting link settings

A sysfs reader can race with a device reset or removal, attempting to
read device state when the device is not actually present. eg:

     [exception RIP: qed_get_current_link+17]
  #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]
  #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3
 #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4
 #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300
 #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c
 #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b
 #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3
 #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1
 #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f
 #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb

 crash> struct net_device.state ffff9a9d21336000
    state = 5,

state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).
The device is not present, note lack of __LINK_STATE_PRESENT (0b10).

This is the same sort of panic as observed in commit 4224cfd7fb65
("net-sysfs: add check for netdevice being present to speed_show").

There are many other callers of __ethtool_get_link_ksettings() which
don't have a device presence check.

Move this check into ethtool to protect all callers.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46679

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46680
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix random crash seen while removing driver

This fixes the random kernel crash seen while removing the driver, when
running the load/unload test over multiple iterations.

1) modprobe btnxpuart
2) hciconfig hci0 reset
3) hciconfig (check hci0 interface up with valid BD address)
4) modprobe -r btnxpuart
Repeat steps 1 to 4

The ps_wakeup() call in btnxpuart_close() schedules the psdata->work(),
which gets scheduled after module is removed, causing a kernel crash.

This hidden issue got highlighted after enabling Power Save by default
in 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on
startup)

The new ps_cleanup() deasserts UART break immediately while closing
serdev device, cancels any scheduled ps_work and destroys the ps_lock
mutex.

[   85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258
[   85.884624] Mem abort info:
[   85.884625]   ESR = 0x0000000086000007
[   85.884628]   EC = 0x21: IABT (current EL), IL = 32 bits
[   85.884633]   SET = 0, FnV = 0
[   85.884636]   EA = 0, S1PTW = 0
[   85.884638]   FSC = 0x07: level 3 translation fault
[   85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000
[   85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000
[   85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP
[   85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)]
[   85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G           O       6.1.36+g937b1be4345a #1
[   85.936176] Hardware name: FSL i.MX8MM EVK board (DT)
[   85.936182] Workqueue: events 0xffffd4a61638f380
[   85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   85.952817] pc : 0xffffd4a61638f258
[   85.952823] lr : 0xffffd4a61638f258
[   85.952827] sp : ffff8000084fbd70
[   85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000
[   85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305
[   85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970
[   85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000
[   85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090
[   85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139
[   85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50
[   85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8
[   85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000
[   85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000
[   85.977443] Call trace:
[   85.977446]  0xffffd4a61638f258
[   85.977451]  0xffffd4a61638f3e8
[   85.977455]  process_one_work+0x1d4/0x330
[   85.977464]  worker_thread+0x6c/0x430
[   85.977471]  kthread+0x108/0x10c
[   85.977476]  ret_from_fork+0x10/0x20
[   85.977488] Code: bad PC value
[   85.977491] ---[ end trace 0000000000000000 ]---

Preset since v6.9.11
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46680

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46681
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pktgen: use cpus_read_lock() in pg_net_init()

I have seen the WARN_ON(smp_processor_id() != cpu) firing
in pktgen_thread_worker() during tests.

We must use cpus_read_lock()/cpus_read_unlock()
around the for_each_online_cpu(cpu) loop.

While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46681

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46682
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open

Prior to commit 3f29cc82a84c ("nfsd: split sc_status out of
sc_type") states_show() relied on sc_type field to be of valid
type before calling into a subfunction to show content of a
particular stateid. From that commit, we split the validity of
the stateid into sc_status and no longer changed sc_type to 0
while unhashing the stateid. This resulted in kernel oopsing
for nfsv4.0 opens that stay around and in nfs4_show_open()
would derefence sc_file which was NULL.

Instead, for closed open stateids forgo displaying information
that relies of having a valid sc_file.

To reproduce: mount the server with 4.0, read and close
a file and then on the server cat /proc/fs/nfsd/clients/2/states

[  513.590804] Call trace:
[  513.590925]  _raw_spin_lock+0xcc/0x160
[  513.591119]  nfs4_show_open+0x78/0x2c0 [nfsd]
[  513.591412]  states_show+0x44c/0x488 [nfsd]
[  513.591681]  seq_read_iter+0x5d8/0x760
[  513.591896]  seq_read+0x188/0x208
[  513.592075]  vfs_read+0x148/0x470
[  513.592241]  ksys_read+0xcc/0x178
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46682

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46683
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: prevent UAF around preempt fence

The fence lock is part of the queue, therefore in the current design
anything locking the fence should then also hold a ref to the queue to
prevent the queue from being freed.

However, currently it looks like we signal the fence and then drop the
queue ref, but if something is waiting on the fence, the waiter is
kicked to wake up at some later point, where upon waking up it first
grabs the lock before checking the fence state. But if we have already
dropped the queue ref, then the lock might already be freed as part of
the queue, leading to uaf.

To prevent this, move the fence lock into the fence itself so we don't
run into lifetime issues. Alternative might be to have device level
lock, or only release the queue in the fence release callback, however
that might require pushing to another worker to avoid locking issues.

References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020
(cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46683

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46684
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

binfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined

create_elf_fdpic_tables() does not correctly account the space for the
AUX vector when an architecture has ELF_HWCAP2 defined. Prior to the
commit 10e29251be0e ("binfmt_elf_fdpic: fix /proc/<pid>/auxv") it
resulted in the last entry of the AUX vector being set to zero, but with
that change it results in a kernel BUG.

Fix that by adding one to the number of AUXV entries (nitems) when
ELF_HWCAP2 is defined.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46684

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46685
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pinctrl: single: fix potential NULL dereference in pcs_get_function()

pinmux_generic_get_function() can return NULL and the pointer 'function'
was dereferenced without checking against NULL. Add checking of pointer
'function' in pcs_get_function().

Found by code review.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46685

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46686
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()

This happens when called from SMB2_read() while using rdma
and reaching the rdma_readwrite_threshold.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46686

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46687
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()

[BUG]
There is an internal report that KASAN is reporting use-after-free, with
the following backtrace:

  BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]
  Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45
  CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
  Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
  Call Trace:
   dump_stack_lvl+0x61/0x80
   print_address_description.constprop.0+0x5e/0x2f0
   print_report+0x118/0x216
   kasan_report+0x11d/0x1f0
   btrfs_check_read_bio+0xa68/0xb70 [btrfs]
   process_one_work+0xce0/0x12a0
   worker_thread+0x717/0x1250
   kthread+0x2e3/0x3c0
   ret_from_fork+0x2d/0x70
   ret_from_fork_asm+0x11/0x20

  Allocated by task 20917:
   kasan_save_stack+0x37/0x60
   kasan_save_track+0x10/0x30
   __kasan_slab_alloc+0x7d/0x80
   kmem_cache_alloc_noprof+0x16e/0x3e0
   mempool_alloc_noprof+0x12e/0x310
   bio_alloc_bioset+0x3f0/0x7a0
   btrfs_bio_alloc+0x2e/0x50 [btrfs]
   submit_extent_page+0x4d1/0xdb0 [btrfs]
   btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
   btrfs_readahead+0x29a/0x430 [btrfs]
   read_pages+0x1a7/0xc60
   page_cache_ra_unbounded+0x2ad/0x560
   filemap_get_pages+0x629/0xa20
   filemap_read+0x335/0xbf0
   vfs_read+0x790/0xcb0
   ksys_read+0xfd/0x1d0
   do_syscall_64+0x6d/0x140
   entry_SYSCALL_64_after_hwframe+0x4b/0x53

  Freed by task 20917:
   kasan_save_stack+0x37/0x60
   kasan_save_track+0x10/0x30
   kasan_save_free_info+0x37/0x50
   __kasan_slab_free+0x4b/0x60
   kmem_cache_free+0x214/0x5d0
   bio_free+0xed/0x180
   end_bbio_data_read+0x1cc/0x580 [btrfs]
   btrfs_submit_chunk+0x98d/0x1880 [btrfs]
   btrfs_submit_bio+0x33/0x70 [btrfs]
   submit_one_bio+0xd4/0x130 [btrfs]
   submit_extent_page+0x3ea/0xdb0 [btrfs]
   btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
   btrfs_readahead+0x29a/0x430 [btrfs]
   read_pages+0x1a7/0xc60
   page_cache_ra_unbounded+0x2ad/0x560
   filemap_get_pages+0x629/0xa20
   filemap_read+0x335/0xbf0
   vfs_read+0x790/0xcb0
   ksys_read+0xfd/0x1d0
   do_syscall_64+0x6d/0x140
   entry_SYSCALL_64_after_hwframe+0x4b/0x53

[CAUSE]
Although I cannot reproduce the error, the report itself is good enough
to pin down the cause.

The call trace is the regular endio workqueue context, but the
free-by-task trace is showing that during btrfs_submit_chunk() we
already hit a critical error, and is calling btrfs_bio_end_io() to error
out.  And the original endio function called bio_put() to free the whole
bio.

This means a double freeing thus causing use-after-free, e.g.:

1. Enter btrfs_submit_bio() with a read bio
   The read bio length is 128K, crossing two 64K stripes.

2. The first run of btrfs_submit_chunk()

2.1 Call btrfs_map_block(), which returns 64K
2.2 Call btrfs_split_bio()
    Now there are two bios, one referring to the first 64K, the other
    referring to the second 64K.
2.3 The first half is submitted.

3. The second run of btrfs_submit_chunk()

3.1 Call btrfs_map_block(), which by somehow failed
    Now we call btrfs_bio_end_io() to handle the error

3.2 btrfs_bio_end_io() calls the original endio function
    Which is end_bbio_data_read(), and it calls bio_put() for the
    original bio.

    Now the original bio is freed.

4. The submitted first 64K bio finished
   Now we call into btrfs_check_read_bio() and tries to advance the bio
   iter.
   But since the original bio (thus its iter) is already freed, we
   trigger the above use-after free.

   And even if the memory is not poisoned/corrupted, we will later call
   the original endio function, causing a double freeing.

[FIX]
Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),
which has the extra check on split bios and do the pr
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46687

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46688
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

erofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails

If z_erofs_gbuf_growsize() partially fails on a global buffer due to
memory allocation failure or fault injection (as reported by syzbot [1]),
new pages need to be freed by comparing to the existing pages to avoid
memory leaks.

However, the old gbuf->pages[] array may not be large enough, which can
lead to null-ptr-deref or out-of-bound access.

Fix this by checking against gbuf->nrpages in advance.

[1] https://lore.kernel.org/r/000000000000f7b96e062018c6e3@google.com
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46688

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46689
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: cmd-db: Map shared memory as WC, not WB

Linux does not write into cmd-db region. This region of memory is write
protected by XPU. XPU may sometime falsely detect clean cache eviction
as "write" into the write protected region leading to secure interrupt
which causes an endless loop somewhere in Trust Zone.

The only reason it is working right now is because Qualcomm Hypervisor
maps the same region as Non-Cacheable memory in Stage 2 translation
tables. The issue manifests if we want to use another hypervisor (like
Xen or KVM), which does not know anything about those specific mappings.

Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC
removes dependency on correct mappings in Stage 2 tables. This patch
fixes the issue by updating the mapping to MEMREMAP_WC.

I tested this on SA8155P with Xen.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46689

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46690
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix nfsd4_deleg_getattr_conflict in presence of third party lease

It is not safe to dereference fl->c.flc_owner without first confirming
fl->fl_lmops is the expected manager.  nfsd4_deleg_getattr_conflict()
tests fl_lmops but largely ignores the result and assumes that flc_owner
is an nfs4_delegation anyway.  This is wrong.

With this patch we restore the "!= &nfsd_lease_mng_ops" case to behave
as it did before the change mentioned below.  This is the same as the
current code, but without any reference to a possible delegation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46690

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46691
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: Move unregister out of atomic section

Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock
non-sleeping")' moved the pmic_glink client list under a spinlock, as it
is accessed by the rpmsg/glink callback, which in turn is invoked from
IRQ context.

This means that ucsi_unregister() is now called from atomic context,
which isn't feasible as it's expecting a sleepable context. An effort is
under way to get GLINK to invoke its callbacks in a sleepable context,
but until then lets schedule the unregistration.

A side effect of this is that ucsi_unregister() can now happen
after the remote processor, and thereby the communication link with it, is
gone. pmic_glink_send() is amended with a check to avoid the resulting NULL
pointer dereference.
This does however result in the user being informed about this error by
the following entry in the kernel log:

  ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46691

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46692
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: qcom: scm: Mark get_wq_ctx() as atomic call

Currently get_wq_ctx() is wrongly configured as a standard call. When two
SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to
resume the corresponding sleeping thread. But if get_wq_ctx() is
interrupted, goes to sleep and another SMC call is waiting to be allocated
a waitq context, it leads to a deadlock.

To avoid this get_wq_ctx() must be an atomic call and can't be a standard
SMC call. Hence mark get_wq_ctx() as a fast call.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46692

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46693
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: pmic_glink: Fix race during initialization

As pointed out by Stephen Boyd it is possible that during initialization
of the pmic_glink child drivers, the protection-domain notifiers fires,
and the associated work is scheduled, before the client registration
returns and as a result the local "client" pointer has been initialized.

The outcome of this is a NULL pointer dereference as the "client"
pointer is blindly dereferenced.

Timeline provided by Stephen:
 CPU0                               CPU1
 ----                               ----
 ucsi->client = NULL;
 devm_pmic_glink_register_client()
  client->pdr_notify(client->priv, pg->client_state)
   pmic_glink_ucsi_pdr_notify()
    schedule_work(&ucsi->register_work)
    <schedule away>
                                    pmic_glink_ucsi_register()
                                     ucsi_register()
                                      pmic_glink_ucsi_read_version()
                                       pmic_glink_ucsi_read()
                                        pmic_glink_ucsi_read()
                                         pmic_glink_send(ucsi->client)
                                         <client is NULL BAD>
 ucsi->client = client // Too late!

This code is identical across the altmode, battery manager and usci
child drivers.

Resolve this by splitting the allocation of the "client" object and the
registration thereof into two operations.

This only happens if the protection domain registry is populated at the
time of registration, which by the introduction of commit '1ebcde047c54
("soc: qcom: add pd-mapper implementation")' became much more likely.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46693

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46694
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: avoid using null object of framebuffer

Instead of using state->fb->obj[0] directly, get object from framebuffer
by calling drm_gem_fb_get_obj() and return error code when object is
null to avoid using null object of framebuffer.

(cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46694

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46695
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

selinux,smack: don't bypass permissions check in inode_setsecctx hook

Marek Gresko reports that the root user on an NFS client is able to
change the security labels on files on an NFS filesystem that is
exported with root squashing enabled.

The end of the kerneldoc comment for __vfs_setxattr_noperm() states:

 *  This function requires the caller to lock the inode's i_mutex before it
 *  is executed. It also assumes that the caller will make the appropriate
 *  permission checks.

nfsd_setattr() does do permissions checking via fh_verify() and
nfsd_permission(), but those don't do all the same permissions checks
that are done by security_inode_setxattr() and its related LSM hooks do.

Since nfsd_setattr() is the only consumer of security_inode_setsecctx(),
simplest solution appears to be to replace the call to
__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked().  This
fixes the above issue and has the added benefit of causing nfsd to
recall conflicting delegations on a file when a client tries to change
its security label.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46695

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46696
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix potential UAF in nfsd4_cb_getattr_release

Once we drop the delegation reference, the fields embedded in it are no
longer safe to access. Do that last.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46696

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46697
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: ensure that nfsd4_fattr_args.context is zeroed out

If nfsd4_encode_fattr4 ends up doing a "goto out" before we get to
checking for the security label, then args.context will be set to
uninitialized junk on the stack, which we'll then try to free.
Initialize it early.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46697

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46698
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

video/aperture: optionally match the device in sysfb_disable()

In aperture_remove_conflicting_pci_devices(), we currently only
call sysfb_disable() on vga class devices.  This leads to the
following problem when the pimary device is not VGA compatible:

1. A PCI device with a non-VGA class is the boot display
2. That device is probed first and it is not a VGA device so
   sysfb_disable() is not called, but the device resources
   are freed by aperture_detach_platform_device()
3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable()
4. NULL pointer dereference via sysfb_disable() since the resources
   have already been freed by aperture_detach_platform_device() when
   it was called by the other device.

Fix this by passing a device pointer to sysfb_disable() and checking
the device to determine if we should execute it or not.

v2: Fix build when CONFIG_SCREEN_INFO is not set
v3: Move device check into the mutex
    Drop primary variable in aperture_remove_conflicting_pci_devices()
    Drop __init on pci sysfb_pci_dev_is_enabled()
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46698

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46699
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Disable preemption while updating GPU stats

We forgot to disable preemption around the write_seqcount_begin/end() pair
while updating GPU stats:

  [ ] WARNING: CPU: 2 PID: 12 at include/linux/seqlock.h:221 __seqprop_assert.isra.0+0x128/0x150 [v3d]
  [ ] Workqueue: v3d_bin drm_sched_run_job_work [gpu_sched]
 <...snip...>
  [ ] Call trace:
  [ ]  __seqprop_assert.isra.0+0x128/0x150 [v3d]
  [ ]  v3d_job_start_stats.isra.0+0x90/0x218 [v3d]
  [ ]  v3d_bin_job_run+0x23c/0x388 [v3d]
  [ ]  drm_sched_run_job_work+0x520/0x6d0 [gpu_sched]
  [ ]  process_one_work+0x62c/0xb48
  [ ]  worker_thread+0x468/0x5b0
  [ ]  kthread+0x1c4/0x1e0
  [ ]  ret_from_fork+0x10/0x20

Fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46699

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46700
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/mes: fix mes ring buffer overflow

wait memory room until enough before writing mes packets
to avoid ring buffer overflow.

v2: squash in sched_hw_submission fix

(cherry picked from commit 34e087e8920e635c62e2ed6a758b0cd27f836d13)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46700

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46701
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

libfs: fix infinite directory reads for offset dir

After we switch tmpfs dir operations from simple_dir_operations to
simple_offset_dir_operations, every rename happened will fill new dentry
to dest dir's maple tree(&SHMEM_I(inode)->dir_offsets->mt) with a free
key starting with octx->newx_offset, and then set newx_offset equals to
free key + 1. This will lead to infinite readdir combine with rename
happened at the same time, which fail generic/736 in xfstests(detail show
as below).

1. create 5000 files(1 2 3...) under one dir
2. call readdir(man 3 readdir) once, and get one entry
3. rename(entry, "TEMPFILE"), then rename("TEMPFILE", entry)
4. loop 2~3, until readdir return nothing or we loop too many
   times(tmpfs break test with the second condition)

We choose the same logic what commit 9b378f6ad48cf ("btrfs: fix infinite
directory reads") to fix it, record the last_index when we open dir, and
do not emit the entry which index >= last_index. The file->private_data
now used in offset dir can use directly to do this, and we also update
the last_index when we llseek the dir file.

[brauner: only update last_index after seek when offset is zero like Jan suggested]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46701

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46702
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Mark XDomain as unplugged when router is removed

I noticed that when we do discrete host router NVM upgrade and it gets
hot-removed from the PCIe side as a result of NVM firmware authentication,
if there is another host connected with enabled paths we hang in tearing
them down. This is due to fact that the Thunderbolt networking driver
also tries to cleanup the paths and ends up blocking in
tb_disconnect_xdomain_paths() waiting for the domain lock.

However, at this point we already cleaned the paths in tb_stop() so
there is really no need for tb_disconnect_xdomain_paths() to do that
anymore. Furthermore it already checks if the XDomain is unplugged and
bails out early so take advantage of that and mark the XDomain as
unplugged when we remove the parent router.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46702

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46703
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Revert "serial: 8250_omap: Set the console genpd always on if no console suspend"

This reverts commit 68e6939ea9ec3d6579eadeab16060339cdeaf940.

Kevin reported that this causes a crash during suspend on platforms that
dont use PM domains.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46703

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46704
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

workqueue: Fix spruious data race in __flush_work()

When flushing a work item for cancellation, __flush_work() knows that it
exclusively owns the work item through its PENDING bit. 134874e2eee9
("workqueue: Allow cancel_work_sync() and disable_work() from atomic
contexts on BH work items") added a read of @work->data to determine whether
to use busy wait for BH work items that are being canceled. While the read
is safe when @from_cancel, @work->data was read before testing @from_cancel
to simplify code structure:

	data = *work_data_bits(work);
	if (from_cancel &&
	    !WARN_ON_ONCE(data & WORK_STRUCT_PWQ) && (data & WORK_OFFQ_BH)) {

While the read data was never used if !@from_cancel, this could trigger
KCSAN data race detection spuriously:

  ==================================================================
  BUG: KCSAN: data-race in __flush_work / __flush_work

  write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0:
   instrument_write include/linux/instrumented.h:41 [inline]
   ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]
   insert_wq_barrier kernel/workqueue.c:3790 [inline]
   start_flush_work kernel/workqueue.c:4142 [inline]
   __flush_work+0x30b/0x570 kernel/workqueue.c:4178
   flush_work kernel/workqueue.c:4229 [inline]
   ...

  read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1:
   __flush_work+0x42a/0x570 kernel/workqueue.c:4188
   flush_work kernel/workqueue.c:4229 [inline]
   flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251
   ...

  value changed: 0x0000000000400000 -> 0xffff88810006c00d

Reorganize the code so that @from_cancel is tested before @work->data is
accessed. The only problem is triggering KCSAN detection spuriously. This
shouldn't need READ_ONCE() or other access qualifiers.

No functional changes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46704

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46705
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: reset mmio mappings with devm

Set our various mmio mappings to NULL. This should make it easier to
catch something rogue trying to mess with mmio after device removal. For
example, we might unmap everything and then start hitting some mmio
address which has already been unmamped by us and then remapped by
something else, causing all kinds of carnage.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46705

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46706
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tty: serial: fsl_lpuart: mark last busy before uart_add_one_port

With "earlycon initcall_debug=1 loglevel=8" in bootargs, kernel
sometimes boot hang. It is because normal console still is not ready,
but runtime suspend is called, so early console putchar will hang
in waiting TRDE set in UARTSTAT.

The lpuart driver has auto suspend delay set to 3000ms, but during
uart_add_one_port, a child device serial ctrl will added and probed with
its pm runtime enabled(see serial_ctrl.c).
The runtime suspend call path is:
device_add
     |-> bus_probe_device
           |->device_initial_probe
	           |->__device_attach
                         |-> pm_runtime_get_sync(dev->parent);
			 |-> pm_request_idle(dev);
			 |-> pm_runtime_put(dev->parent);

So in the end, before normal console ready, the lpuart get runtime
suspended. And earlycon putchar will hang.

To address the issue, mark last busy just after pm_runtime_enable,
three seconds is long enough to switch from bootconsole to normal
console.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46706

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46707
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3

On a system with a GICv3, if a guest hasn't been configured with
GICv3 and that the host is not capable of GICv2 emulation,
a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2.

We therefore try to emulate the SGI access, only to hit a NULL
pointer as no private interrupt is allocated (no GIC, remember?).

The obvious fix is to give the guest what it deserves, in the
shape of a UNDEF exception.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46707

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46708
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pinctrl: qcom: x1e80100: Fix special pin offsets

Remove the erroneus 0x100000 offset to prevent the boards from crashing
on pin state setting, as well as for the intended state changes to take
effect.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46708

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46709
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Fix prime with external buffers

Make sure that for external buffers mapping goes through the dma_buf
interface instead of trying to access pages directly.

External buffers might not provide direct access to readable/writable
pages so to make sure the bo's created from external dma_bufs can be
read dma_buf interface has to be used.

Fixes crashes in IGT's kms_prime with vgem. Regular desktop usage won't
trigger this due to the fact that virtual machines will not have
multiple GPUs but it enables better test coverage in IGT.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46709

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46710
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Prevent unmapping active read buffers

The kms paths keep a persistent map active to read and compare the cursor
buffer. These maps can race with each other in simple scenario where:
a) buffer "a" mapped for update
b) buffer "a" mapped for compare
c) do the compare
d) unmap "a" for compare
e) update the cursor
f) unmap "a" for update
At step "e" the buffer has been unmapped and the read contents is bogus.

Prevent unmapping of active read buffers by simply keeping a count of
how many paths have currently active maps and unmap only when the count
reaches 0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46710

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46711
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: fix ID 0 endp usage after multiple re-creations

'local_addr_used' and 'add_addr_accepted' are decremented for addresses
not related to the initial subflow (ID0), because the source and
destination addresses of the initial subflows are known from the
beginning: they don't count as "additional local address being used" or
"ADD_ADDR being accepted".

It is then required not to increment them when the entrypoint used by
the initial subflow is removed and re-added during a connection. Without
this modification, this entrypoint cannot be removed and re-added more
than once.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46711

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46712
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Disable coherent dumb buffers without 3d

Coherent surfaces make only sense if the host renders to them using
accelerated apis. Without 3d the entire content of dumb buffers stays
in the guest making all of the extra work they're doing to synchronize
between guest and host useless.

Configurations without 3d also tend to run with very low graphics
memory limits. The pinned console fb, mob cursors and graphical login
manager tend to run out of 16MB graphics memory that those guests use.

Fix it by making sure the coherent dumb buffers are only used on
configs with 3d enabled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46712

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46714
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Skip wbscl_set_scaler_filter if filter is null

Callers can pass null in filter (i.e. from returned from the function
wbscl_get_filter_coeffs_16p) and a null check is added to ensure that is
not the case.

This fixes 4 NULL_RETURNS issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46714

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46719
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: Fix null pointer dereference in trace

ucsi_register_altmode checks IS_ERR for the alt pointer and treats
NULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled,
ucsi_register_displayport returns NULL which causes a NULL pointer
dereference in trace. Rather than return NULL, call
typec_port_register_altmode to register DisplayPort alternate mode
as a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46719

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46720
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix dereference after null check

check the pointer hive before use.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46720

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46721
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix possible NULL pointer dereference

profile->parent->dents[AAFS_PROF_DIR] could be NULL only if its parent is made
from __create_missing_ancestors(..) and 'ent->old' is NULL in
aa_replace_profiles(..).
In that case, it must return an error code and the code, -ENOENT represents
its state that the path of its parent is not existed yet.

BUG: kernel NULL pointer dereference, address: 0000000000000030
PGD 0 P4D 0
PREEMPT SMP PTI
CPU: 4 PID: 3362 Comm: apparmor_parser Not tainted 6.8.0-24-generic #24
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:aafs_create.constprop.0+0x7f/0x130
Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 ? show_regs+0x6d/0x80
 ? __die+0x24/0x80
 ? page_fault_oops+0x99/0x1b0
 ? kernelmode_fixup_or_oops+0xb2/0x140
 ? __bad_area_nosemaphore+0x1a5/0x2c0
 ? find_vma+0x34/0x60
 ? bad_area_nosemaphore+0x16/0x30
 ? do_user_addr_fault+0x2a2/0x6b0
 ? exc_page_fault+0x83/0x1b0
 ? asm_exc_page_fault+0x27/0x30
 ? aafs_create.constprop.0+0x7f/0x130
 ? aafs_create.constprop.0+0x51/0x130
 __aafs_profile_mkdir+0x3d6/0x480
 aa_replace_profiles+0x83f/0x1270
 policy_update+0xe3/0x180
 profile_load+0xbc/0x150
 ? rw_verify_area+0x47/0x140
 vfs_write+0x100/0x480
 ? __x64_sys_openat+0x55/0xa0
 ? syscall_exit_to_user_mode+0x86/0x260
 ksys_write+0x73/0x100
 __x64_sys_write+0x19/0x30
 x64_sys_call+0x7e/0x25c0
 do_syscall_64+0x7f/0x180
 entry_SYSCALL_64_after_hwframe+0x78/0x80
RIP: 0033:0x7be9f211c574
Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
RSP: 002b:00007ffd26f2b8c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00005d504415e200 RCX: 00007be9f211c574
RDX: 0000000000001fc1 RSI: 00005d504418bc80 RDI: 0000000000000004
RBP: 0000000000001fc1 R08: 0000000000001fc1 R09: 0000000080000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00005d504418bc80
R13: 0000000000000004 R14: 00007ffd26f2b9b0 R15: 00007ffd26f2ba30
 </TASK>
Modules linked in: snd_seq_dummy snd_hrtimer qrtr snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device i2c_i801 snd_timer i2c_smbus qxl snd soundcore drm_ttm_helper lpc_ich ttm joydev input_leds serio_raw mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci libahci psmouse virtio_rng xhci_pci xhci_pci_renesas
CR2: 0000000000000030
---[ end trace 0000000000000000 ]---
RIP: 0010:aafs_create.constprop.0+0x7f/0x130
Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46721

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46722
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix mc_data out-of-bounds read warning

Clear warning that read mc_data[i-1] may out-of-bounds.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46722

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46723
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix ucode out-of-bounds read warning

Clear warning that read ucode[] may out-of-bounds.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46723

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46724
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number

Check the fb_channel_number range to avoid the array out-of-bounds
read error
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46724

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46725
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix out-of-bounds write warning

Check the ring type value to fix the out-of-bounds
write warning
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46725

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46726
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Ensure index calculation will not overflow

[WHY & HOW]
Make sure vmid0p72_idx, vnom0p8_idx and vmax0p9_idx calculation will
never overflow and exceess array size.

This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46726

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46727
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update

[Why]
Coverity reports NULL_RETURN warning.

[How]
Add otg_master NULL check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46727

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46728
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check index for aux_rd_interval before using

aux_rd_interval has size of 7 and should be checked.

This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46728

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46730
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Ensure array index tg_inst won't be -1

[WHY & HOW]
tg_inst will be a negative if timing_generator_count equals 0, which
should be checked before used.

This fixes 2 OVERRUN issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46730

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46731
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: fix the Out-of-bounds read warning

using index i - 1U may beyond element index
for mc_data[] when i = 0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46731

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46732
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Assign linear_pitch_alignment even for VM

[Description]
Assign linear_pitch_alignment so we don't cause a divide by 0
error in VM environments
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46732

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46735
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()

When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the
first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers
WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference
issue.

Fix it by adding the check in ublk_ctrl_start_recovery() and return
immediately in case of zero 'ub->nr_queues_ready'.

  BUG: kernel NULL pointer dereference, address: 0000000000000028
  RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180
  Call Trace:
   <TASK>
   ? __die+0x20/0x70
   ? page_fault_oops+0x75/0x170
   ? exc_page_fault+0x64/0x140
   ? asm_exc_page_fault+0x22/0x30
   ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180
   ublk_ctrl_uring_cmd+0x4f7/0x6c0
   ? pick_next_task_idle+0x26/0x40
   io_uring_cmd+0x9a/0x1b0
   io_issue_sqe+0x193/0x3f0
   io_wq_submit_work+0x9b/0x390
   io_worker_handle_work+0x165/0x360
   io_wq_worker+0xcb/0x2f0
   ? finish_task_switch.isra.0+0x203/0x290
   ? finish_task_switch.isra.0+0x203/0x290
   ? __pfx_io_wq_worker+0x10/0x10
   ret_from_fork+0x2d/0x50
   ? __pfx_io_wq_worker+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46735

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46737
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix kernel crash if commands allocation fails

If the commands allocation fails in nvmet_tcp_alloc_cmds()
the kernel crashes in nvmet_tcp_release_queue_work() because of
a NULL pointer dereference.

  nvmet: failed to install queue 0 cntlid 1 ret 6
  Unable to handle kernel NULL pointer dereference at
         virtual address 0000000000000008

Fix the bug by setting queue->nr_cmds to zero in case
nvmet_tcp_alloc_cmd() fails.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46737

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46738
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

When removing a resource from vmci_resource_table in
vmci_resource_remove(), the search is performed using the resource
handle by comparing context and resource fields.

It is possible though to create two resources with different types
but same handle (same context and resource fields).

When trying to remove one of the resources, vmci_resource_remove()
may not remove the intended one, but the object will still be freed
as in the case of the datagram type in vmci_datagram_destroy_handle().
vmci_resource_table will still hold a pointer to this freed resource
leading to a use-after-free vulnerability.

BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
 kasan_report+0x38/0x51 mm/kasan/report.c:442
 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
 vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
 kref_put include/linux/kref.h:65 [inline]
 vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
 vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
 vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
 __fput+0x261/0xa34 fs/file_table.c:282
 task_work_run+0xf0/0x194 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
 syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x6e/0x0

This change ensures the type is also checked when removing
the resource from vmci_resource_table in vmci_resource_remove().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46738

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46739
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind

For primary VM Bus channels, primary_channel pointer is always NULL. This
pointer is valid only for the secondary channels. Also, rescind callback
is meant for primary channels only.

Fix NULL pointer dereference by retrieving the device_obj from the parent
for the primary channel.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46739

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46740
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF caused by offsets overwrite

Binder objects are processed and copied individually into the target
buffer during transactions. Any raw data in-between these objects is
copied as well. However, this raw data copy lacks an out-of-bounds
check. If the raw data exceeds the data section size then the copy
overwrites the offsets section. This eventually triggers an error that
attempts to unwind the processed objects. However, at this point the
offsets used to index these objects are now corrupted.

Unwinding with corrupted offsets can result in decrements of arbitrary
nodes and lead to their premature release. Other users of such nodes are
left with a dangling pointer triggering a use-after-free. This issue is
made evident by the following KASAN report (trimmed):

  ==================================================================
  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
  Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

  CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   _raw_spin_lock+0xe4/0x19c
   binder_free_buf+0x128/0x434
   binder_thread_write+0x8a4/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Allocated by task 743:
   __kmalloc_cache_noprof+0x110/0x270
   binder_new_node+0x50/0x700
   binder_transaction+0x413c/0x6da8
   binder_thread_write+0x978/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Freed by task 745:
   kfree+0xbc/0x208
   binder_thread_read+0x1c5c/0x37d4
   binder_ioctl+0x16d8/0x258c
  [...]
  ==================================================================

To avoid this issue, let's check that the raw data copy is within the
boundaries of the data section.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46740

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46741
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix double free of 'buf' in error path

smatch warning:
drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf'

In fastrpc_req_mmap() error path, the fastrpc buffer is freed in
fastrpc_req_munmap_impl() if unmap is successful.

But in the end, there is an unconditional call to fastrpc_buf_free().
So the above case triggers the double free of fastrpc buf.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46742
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()

null-ptr-deref will occur when (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)
and parse_lease_state() return NULL.

Fix this by check if 'lease_ctx_info' is NULL.

Additionally, remove the redundant parentheses in
parse_durable_handle_context().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46742

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46743
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

of/irq: Prevent device address out-of-bounds read in interrupt map walk

When of_irq_parse_raw() is invoked with a device address smaller than
the interrupt parent node (from #address-cells property), KASAN detects
the following out-of-bounds read when populating the initial match table
(dyndbg="func of_irq_parse_* +p"):

  OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0
  OF:  parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2
  OF:  intspec=4
  OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2
  OF:  -> addrsize=3
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0
  Read of size 4 at addr ffffff81beca5608 by task bash/764

  CPU: 1 PID: 764 Comm: bash Tainted: G           O       6.1.67-484c613561-nokia_sm_arm64 #1
  Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023
  Call trace:
   dump_backtrace+0xdc/0x130
   show_stack+0x1c/0x30
   dump_stack_lvl+0x6c/0x84
   print_report+0x150/0x448
   kasan_report+0x98/0x140
   __asan_load4+0x78/0xa0
   of_irq_parse_raw+0x2b8/0x8d0
   of_irq_parse_one+0x24c/0x270
   parse_interrupts+0xc0/0x120
   of_fwnode_add_links+0x100/0x2d0
   fw_devlink_parse_fwtree+0x64/0xc0
   device_add+0xb38/0xc30
   of_device_add+0x64/0x90
   of_platform_device_create_pdata+0xd0/0x170
   of_platform_bus_create+0x244/0x600
   of_platform_notify+0x1b0/0x254
   blocking_notifier_call_chain+0x9c/0xd0
   __of_changeset_entry_notify+0x1b8/0x230
   __of_changeset_apply_notify+0x54/0xe4
   of_overlay_fdt_apply+0xc04/0xd94
   ...

  The buggy address belongs to the object at ffffff81beca5600
   which belongs to the cache kmalloc-128 of size 128
  The buggy address is located 8 bytes inside of
   128-byte region [ffffff81beca5600, ffffff81beca5680)

  The buggy address belongs to the physical page:
  page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4
  head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0
  flags: 0x8000000000010200(slab|head|zone=2)
  raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300
  raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
  page dumped because: kasan: bad access detected

  Memory state around the buggy address:
   ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                        ^
   ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
  ==================================================================
  OF:  -> got it !

Prevent the out-of-bounds read by copying the device address into a
buffer of sufficient size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46743

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46744
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Squashfs: sanity check symbolic link size

Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.

This is caused by an uninitialised page, which is ultimately caused
by a corrupted symbolic link size read from disk.

The reason why the corrupted symlink size causes an uninitialised
page is due to the following sequence of events:

1. squashfs_read_inode() is called to read the symbolic
   link from disk.  This assigns the corrupted value
   3875536935 to inode->i_size.

2. Later squashfs_symlink_read_folio() is called, which assigns
   this corrupted value to the length variable, which being a
   signed int, overflows producing a negative number.

3. The following loop that fills in the page contents checks that
   the copied bytes is less than length, which being negative means
   the loop is skipped, producing an uninitialised page.

This patch adds a sanity check which checks that the symbolic
link size is not larger than expected.

--

V2: fix spelling mistake.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46744

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46746
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: amd_sfh: free driver_data after destroying hid device

HID driver callbacks aren't called anymore once hid_destroy_device() has
been called. Hence, hid driver_data should be freed only after the
hid_destroy_device() function returned as driver_data is used in several
callbacks.

I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling
KASAN to debug memory allocation, I got this output:

  [   13.050438] ==================================================================
  [   13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]
  [   13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3
  [   13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479

  [   13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
  [   13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
  [   13.067860] Call Trace:
  [   13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8
  [   13.071486]  <TASK>
  [   13.071492]  dump_stack_lvl+0x5d/0x80
  [   13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)
  [   13.078296]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.082199]  print_report+0x174/0x505
  [   13.085776]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
  [   13.089367]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.093255]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.097464]  kasan_report+0xc8/0x150
  [   13.101461]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.105802]  amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.110303]  amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
  [   13.114879]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.119450]  sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
  [   13.124097]  hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
  [   13.127404]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.131925]  ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
  [   13.136455]  ? _raw_spin_lock_irqsave+0x96/0xf0
  [   13.140197]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
  [   13.143602]  ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
  [   13.147234]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.150446]  ? __devm_add_action+0x167/0x1d0
  [   13.155061]  hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
  [   13.158581]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.161814]  platform_probe+0xa2/0x150
  [   13.165029]  really_probe+0x1e3/0x8a0
  [   13.168243]  __driver_probe_device+0x18c/0x370
  [   13.171500]  driver_probe_device+0x4a/0x120
  [   13.175000]  __driver_attach+0x190/0x4a0
  [   13.178521]  ? __pfx___driver_attach+0x10/0x10
  [   13.181771]  bus_for_each_dev+0x106/0x180
  [   13.185033]  ? __pfx__raw_spin_lock+0x10/0x10
  [   13.188229]  ? __pfx_bus_for_each_dev+0x10/0x10
  [   13.191446]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.194382]  bus_add_driver+0x29e/0x4d0
  [   13.197328]  driver_register+0x1a5/0x360
  [   13.200283]  ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
  [   13.203362]  do_one_initcall+0xa7/0x380
  [   13.206432]  ? __pfx_do_one_initcall+0x10/0x10
  [   13.210175]  ? srso_alias_return_thunk+0x5/0xfbef5
  [   13.213211]  ? kasan_unpoison+0x44/0x70
  [   13.216688]  do_init_module+0x238/0x750
  [   13.2196
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46746

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46747
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

report_fixup for the Cougar 500k Gaming Keyboard was not verifying
that the report descriptor size was correct before accessing it
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46747

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46749
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()

This adds a check before freeing the rx->skb in flush and close
functions to handle the kernel crash seen while removing driver after FW
download fails or before FW download completes.

dmesg log:
[   54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080
[   54.643398] Mem abort info:
[   54.646204]   ESR = 0x0000000096000004
[   54.649964]   EC = 0x25: DABT (current EL), IL = 32 bits
[   54.655286]   SET = 0, FnV = 0
[   54.658348]   EA = 0, S1PTW = 0
[   54.661498]   FSC = 0x04: level 0 translation fault
[   54.666391] Data abort info:
[   54.669273]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[   54.674768]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   54.674771]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000
[   54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000
[   54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[   54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse
[   54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2
[   54.744364] Hardware name: FSL i.MX8MM EVK board (DT)
[   54.744368] Workqueue: hci0 hci_power_on
[   54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   54.757249] pc : kfree_skb_reason+0x18/0xb0
[   54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart]
[   54.782921] sp : ffff8000805ebca0
[   54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000
[   54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230
[   54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92
[   54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff
[   54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857
[   54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642
[   54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688
[   54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000
[   54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000
[   54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac
[   54.857599] Call trace:
[   54.857601]  kfree_skb_reason+0x18/0xb0
[   54.863878]  btnxpuart_flush+0x40/0x58 [btnxpuart]
[   54.863888]  hci_dev_open_sync+0x3a8/0xa04
[   54.872773]  hci_power_on+0x54/0x2e4
[   54.881832]  process_one_work+0x138/0x260
[   54.881842]  worker_thread+0x32c/0x438
[   54.881847]  kthread+0x118/0x11c
[   54.881853]  ret_from_fork+0x10/0x20
[   54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400)
[   54.896410] ---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46749

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46750
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI: Add missing bridge lock to pci_bus_lock()

One of the true positives that the cfg_access_lock lockdep effort
identified is this sequence:

  WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70
  RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70
  Call Trace:
   <TASK>
   ? __warn+0x8c/0x190
   ? pci_bridge_secondary_bus_reset+0x5d/0x70
   ? report_bug+0x1f8/0x200
   ? handle_bug+0x3c/0x70
   ? exc_invalid_op+0x18/0x70
   ? asm_exc_invalid_op+0x1a/0x20
   ? pci_bridge_secondary_bus_reset+0x5d/0x70
   pci_reset_bus+0x1d8/0x270
   vmd_probe+0x778/0xa10
   pci_device_probe+0x95/0x120

Where pci_reset_bus() users are triggering unlocked secondary bus resets.
Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses
pci_bus_lock() before issuing the reset which locks everything *but* the
bridge itself.

For the same motivation as adding:

  bridge = pci_upstream_bridge(dev);
  if (bridge)
    pci_dev_lock(bridge);

to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add
pci_dev_lock() for @bus->self to pci_bus_lock().

[bhelgaas: squash in recursive locking deadlock fix from Keith Busch:
https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46750

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46751
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()

Instead of doing a BUG_ON() handle the error by returning -EUCLEAN,
aborting the transaction and logging an error message.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46751

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46755
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()

mwifiex_get_priv_by_id() returns the priv pointer corresponding to
the bss_num and bss_type, but without checking if the priv is actually
currently in use.
Unused priv pointers do not have a wiphy attached to them which can
lead to NULL pointer dereferences further down the callstack.  Fix
this by returning only used priv pointers which have priv->bss_mode
set to something else than NL80211_IFTYPE_UNSPECIFIED.

Said NULL pointer dereference happened when an Accesspoint was started
with wpa_supplicant -i mlan0 with this config:

network={
        ssid="somessid"
        mode=2
        frequency=2412
        key_mgmt=WPA-PSK WPA-PSK-SHA256
        proto=RSN
        group=CCMP
        pairwise=CCMP
        psk="12345678"
}

When waiting for the AP to be established, interrupting wpa_supplicant
with <ctrl-c> and starting it again this happens:

| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
| Mem abort info:
|   ESR = 0x0000000096000004
|   EC = 0x25: DABT (current EL), IL = 32 bits
|   SET = 0, FnV = 0
|   EA = 0, S1PTW = 0
|   FSC = 0x04: level 0 translation fault
| Data abort info:
|   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
|   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000
| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000
| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio
+mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs
+imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6
| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18
| Hardware name: somemachine (DT)
| Workqueue: events sdio_irq_work
| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]
| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]
| sp : ffff8000818b3a70
| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004
| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9
| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000
| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000
| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517
| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1
| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157
| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124
| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000
| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000
| Call trace:
|  mwifiex_get_cfp+0xd8/0x15c [mwifiex]
|  mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]
|  mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]
|  mwifiex_process_sta_event+0x298/0xf0c [mwifiex]
|  mwifiex_process_event+0x110/0x238 [mwifiex]
|  mwifiex_main_process+0x428/0xa44 [mwifiex]
|  mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]
|  process_sdio_pending_irqs+0x64/0x1b8
|  sdio_irq_work+0x4c/0x7c
|  process_one_work+0x148/0x2a0
|  worker_thread+0x2fc/0x40c
|  kthread+0x110/0x114
|  ret_from_fork+0x10/0x20
| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)
| ---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46755

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46756
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
negative number such as -9223372036854775808 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46756

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46757
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (nct6775-core) Fix underflows seen when writing limit attributes

DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
negative number such as -9223372036854775808 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46757

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46758
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (lm95234) Fix underflows seen when writing limit attributes

DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
negative number such as -9223372036854775808 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46758

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46759
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (adc128d818) Fix underflows seen when writing limit attributes

DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
negative number such as -9223372036854775808 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46759

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46760
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: usb: schedule rx work after everything is set up

Right now it's possible to hit NULL pointer dereference in
rtw_rx_fill_rx_status on hw object and/or its fields because
initialization routine can start getting USB replies before
rtw_dev is fully setup.

The stack trace looks like this:

rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler
...
queue_work
rtw_usb_read_port_complete
...
usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe

So while we do the async stuff rtw_usb_probe continues and calls
rtw_register_hw, which does all kinds of initialization (e.g.
via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.

Fix this by moving the first usb_submit_urb after everything
is set up.

For me, this bug manifested as:
[    8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
[    8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I'm using Larry's backport of rtw88 driver with the NULL
checks in rtw_rx_fill_rx_status.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46760

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46761
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv

The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel
crash when we try to hot-unplug/disable the PCIe switch/bridge from
the PHB.

The crash occurs because although the MSI data structure has been
released during disable/hot-unplug path and it has been assigned
with NULL, still during unregistration the code was again trying to
explicitly disable the MSI which causes the NULL pointer dereference and
kernel crash.

The patch fixes the check during unregistration path to prevent invoking
pci_disable_msi/msix() since its data structure is already freed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46761

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46762
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xen: privcmd: Fix possible access to a freed kirqfd instance

Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and
privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd
created and added to the irqfds_list by privcmd_irqfd_assign() may get
removed by another thread executing privcmd_irqfd_deassign(), while the
former is still using it after dropping the locks.

This can lead to a situation where an already freed kirqfd instance may
be accessed and cause kernel oops.

Use SRCU locking to prevent the same, as is done for the KVM
implementation for irqfds.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46762

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46763
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fou: Fix null-ptr-deref in GRO.

We observed a null-ptr-deref in fou_gro_receive() while shutting down
a host.  [0]

The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol
in struct fou.

When fou_release() is called due to netns dismantle or explicit tunnel
teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data.
Then, the tunnel socket is destroyed after a single RCU grace period.

So, in-flight udp4_gro_receive() could find the socket and execute the
FOU GRO handler, where sk->sk_user_data could be NULL.

Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL
checks in FOU GRO handlers.

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000008
 PF: supervisor read access in kernel mode
 PF: error_code(0x0000) - not-present page
PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0
SMP PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1
Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017
RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou]
Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42
RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010
RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08
RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002
R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400
R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0
FS:  0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <IRQ>
 ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
 ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)
 ? no_context (arch/x86/mm/fault.c:752)
 ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483)
 ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571)
 ? fou_gro_receive (net/ipv4/fou.c:233) [fou]
 udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559)
 udp4_gro_receive (net/ipv4/udp_offload.c:604)
 inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7))
 dev_gro_receive (net/core/dev.c:6035 (discriminator 4))
 napi_gro_receive (net/core/dev.c:6170)
 ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena]
 ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena]
 napi_poll (net/core/dev.c:6847)
 net_rx_action (net/core/dev.c:6917)
 __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299)
 asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809)
</IRQ>
 do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77)
 irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435)
 common_interrupt (arch/x86/kernel/irq.c:239)
 asm_common_interrupt (arch/x86/include/asm/idtentry.h:626)
RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575)
Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00
RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246
RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900
RDX: ffff93daee800000 RSI: ffff93d
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46763

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46765
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: protect XDP configuration with a mutex

The main threat to data consistency in ice_xdp() is a possible asynchronous
PF reset. It can be triggered by a user or by TX timeout handler.

XDP setup and PF reset code access the same resources in the following
sections:
* ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked
* ice_vsi_rebuild() for the PF VSI - not protected
* ice_vsi_open() - already rtnl-locked

With an unfortunate timing, such accesses can result in a crash such as the
one below:

[ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14
[ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18
[Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms
[ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001
[ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14
[ +0.394718] ice 0000:b1:00.0: PTP reset successful
[ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098
[ +0.000045] #PF: supervisor read access in kernel mode
[ +0.000023] #PF: error_code(0x0000) - not-present page
[ +0.000023] PGD 0 P4D 0
[ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1
[ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021
[ +0.000036] Workqueue: ice ice_service_task [ice]
[ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice]
[...]
[ +0.000013] Call Trace:
[ +0.000016] <TASK>
[ +0.000014] ? __die+0x1f/0x70
[ +0.000029] ? page_fault_oops+0x171/0x4f0
[ +0.000029] ? schedule+0x3b/0xd0
[ +0.000027] ? exc_page_fault+0x7b/0x180
[ +0.000022] ? asm_exc_page_fault+0x22/0x30
[ +0.000031] ? ice_clean_tx_ring+0xa/0xd0 [ice]
[ +0.000194] ice_free_tx_ring+0xe/0x60 [ice]
[ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice]
[ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice]
[ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice]
[ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice]
[ +0.000145] ice_rebuild+0x18c/0x840 [ice]
[ +0.000145] ? delay_tsc+0x4a/0xc0
[ +0.000022] ? delay_tsc+0x92/0xc0
[ +0.000020] ice_do_reset+0x140/0x180 [ice]
[ +0.000886] ice_service_task+0x404/0x1030 [ice]
[ +0.000824] process_one_work+0x171/0x340
[ +0.000685] worker_thread+0x277/0x3a0
[ +0.000675] ? preempt_count_add+0x6a/0xa0
[ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50
[ +0.000679] ? __pfx_worker_thread+0x10/0x10
[ +0.000653] kthread+0xf0/0x120
[ +0.000635] ? __pfx_kthread+0x10/0x10
[ +0.000616] ret_from_fork+0x2d/0x50
[ +0.000612] ? __pfx_kthread+0x10/0x10
[ +0.000604] ret_from_fork_asm+0x1b/0x30
[ +0.000604] </TASK>

The previous way of handling this through returning -EBUSY is not viable,
particularly when destroying AF_XDP socket, because the kernel proceeds
with removal anyway.

There is plenty of code between those calls and there is no need to create
a large critical section that covers all of them, same as there is no need
to protect ice_vsi_rebuild() with rtnl_lock().

Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp().

Leaving unprotected sections in between would result in two states that
have to be considered:
1. when the VSI is closed, but not yet rebuild
2. when VSI is already rebuild, but not yet open

The latter case is actually already handled through !netif_running() case,
we just need to adjust flag checking a little. The former one is not as
trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of
hardware interaction happens, this can make adding/deleting rings exit
with an error. Luckily, VSI rebuild is pending and can apply new
configuration for us in a managed fashion.

Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to
indicate that ice_x
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46765

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46766
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: move netif_queue_set_napi to rtnl-protected sections

Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is
not rtnl-locked when called from the reset. This creates the need to take
the rtnl_lock just for a single function and complicates the
synchronization with .ndo_bpf. At the same time, there no actual need to
fill napi-to-queue information at this exact point.

Fill napi-to-queue information when opening the VSI and clear it when the
VSI is being closed. Those routines are already rtnl-locked.

Also, rewrite napi-to-queue assignment in a way that prevents inclusion of
XDP queues, as this leads to out-of-bounds writes, such as one below.

[  +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0
[  +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047
[  +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2
[  +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021
[  +0.000003] Call Trace:
[  +0.000003]  <TASK>
[  +0.000002]  dump_stack_lvl+0x60/0x80
[  +0.000007]  print_report+0xce/0x630
[  +0.000007]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[  +0.000007]  ? __virt_addr_valid+0x1c9/0x2c0
[  +0.000005]  ? netif_queue_set_napi+0x1c2/0x1e0
[  +0.000003]  kasan_report+0xe9/0x120
[  +0.000004]  ? netif_queue_set_napi+0x1c2/0x1e0
[  +0.000004]  netif_queue_set_napi+0x1c2/0x1e0
[  +0.000005]  ice_vsi_close+0x161/0x670 [ice]
[  +0.000114]  ice_dis_vsi+0x22f/0x270 [ice]
[  +0.000095]  ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice]
[  +0.000086]  ice_prepare_for_reset+0x299/0x750 [ice]
[  +0.000087]  pci_dev_save_and_disable+0x82/0xd0
[  +0.000006]  pci_reset_function+0x12d/0x230
[  +0.000004]  reset_store+0xa0/0x100
[  +0.000006]  ? __pfx_reset_store+0x10/0x10
[  +0.000002]  ? __pfx_mutex_lock+0x10/0x10
[  +0.000004]  ? __check_object_size+0x4c1/0x640
[  +0.000007]  kernfs_fop_write_iter+0x30b/0x4a0
[  +0.000006]  vfs_write+0x5d6/0xdf0
[  +0.000005]  ? fd_install+0x180/0x350
[  +0.000005]  ? __pfx_vfs_write+0x10/0xA10
[  +0.000004]  ? do_fcntl+0x52c/0xcd0
[  +0.000004]  ? kasan_save_track+0x13/0x60
[  +0.000003]  ? kasan_save_free_info+0x37/0x60
[  +0.000006]  ksys_write+0xfa/0x1d0
[  +0.000003]  ? __pfx_ksys_write+0x10/0x10
[  +0.000002]  ? __x64_sys_fcntl+0x121/0x180
[  +0.000004]  ? _raw_spin_lock+0x87/0xe0
[  +0.000005]  do_syscall_64+0x80/0x170
[  +0.000007]  ? _raw_spin_lock+0x87/0xe0
[  +0.000004]  ? __pfx__raw_spin_lock+0x10/0x10
[  +0.000003]  ? file_close_fd_locked+0x167/0x230
[  +0.000005]  ? syscall_exit_to_user_mode+0x7d/0x220
[  +0.000005]  ? do_syscall_64+0x8c/0x170
[  +0.000004]  ? do_syscall_64+0x8c/0x170
[  +0.000003]  ? do_syscall_64+0x8c/0x170
[  +0.000003]  ? fput+0x1a/0x2c0
[  +0.000004]  ? filp_close+0x19/0x30
[  +0.000004]  ? do_dup2+0x25a/0x4c0
[  +0.000004]  ? __x64_sys_dup2+0x6e/0x2e0
[  +0.000002]  ? syscall_exit_to_user_mode+0x7d/0x220
[  +0.000004]  ? do_syscall_64+0x8c/0x170
[  +0.000003]  ? __count_memcg_events+0x113/0x380
[  +0.000005]  ? handle_mm_fault+0x136/0x820
[  +0.000005]  ? do_user_addr_fault+0x444/0xa80
[  +0.000004]  ? clear_bhb_loop+0x25/0x80
[  +0.000004]  ? clear_bhb_loop+0x25/0x80
[  +0.000002]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  +0.000005] RIP: 0033:0x7f2033593154
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46766

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46768
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

hwmon: (hp-wmi-sensors) Check if WMI event data exists

The BIOS can choose to return no event data in response to a
WMI event, so the ACPI object passed to the WMI notify handler
can be NULL.

Check for such a situation and ignore the event in such a case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46768

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46769
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: intel: Add check devm_kasprintf() returned value

intel_spi_populate_chip() use devm_kasprintf() to set pdata->name.
This can return a NULL pointer on failure but this returned value
is not checked.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46769

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46770
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: Add netif_device_attach/detach into PF reset flow

Ethtool callbacks can be executed while reset is in progress and try to
access deleted resources, e.g. getting coalesce settings can result in a
NULL pointer dereference seen below.

Reproduction steps:
Once the driver is fully initialized, trigger reset:
	# echo 1 > /sys/class/net/<interface>/device/reset
when reset is in progress try to get coalesce settings using ethtool:
	# ethtool -c <interface>

BUG: kernel NULL pointer dereference, address: 0000000000000020
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 11 PID: 19713 Comm: ethtool Tainted: G S                 6.10.0-rc7+ #7
RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]
RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206
RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000
R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40
FS:  00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0
Call Trace:
<TASK>
ice_get_coalesce+0x17/0x30 [ice]
coalesce_prepare_data+0x61/0x80
ethnl_default_doit+0xde/0x340
genl_family_rcv_msg_doit+0xf2/0x150
genl_rcv_msg+0x1b3/0x2c0
netlink_rcv_skb+0x5b/0x110
genl_rcv+0x28/0x40
netlink_unicast+0x19c/0x290
netlink_sendmsg+0x222/0x490
__sys_sendto+0x1df/0x1f0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x82/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7faee60d8e27

Calling netif_device_detach() before reset makes the net core not call
the driver when ethtool command is issued, the attempt to execute an
ethtool command during reset will result in the following message:

    netlink error: No such device

instead of NULL pointer dereference. Once reset is done and
ice_rebuild() is executing, the netif_device_attach() is called to allow
for ethtool operations to occur again in a safe manner.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46770

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46771
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Remove proc entry when dev is unregistered.

syzkaller reported a warning in bcm_connect() below. [0]

The repro calls connect() to vxcan1, removes vxcan1, and calls
connect() with ifindex == 0.

Calling connect() for a BCM socket allocates a proc entry.
Then, bcm_sk(sk)->bound is set to 1 to prevent further connect().

However, removing the bound device resets bcm_sk(sk)->bound to 0
in bcm_notify().

The 2nd connect() tries to allocate a proc entry with the same
name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the
original proc entry.

Since the proc entry is available only for connect()ed sockets,
let's clean up the entry when the bound netdev is unregistered.

[0]:
proc_dir_entry 'can-bcm/2456' already registered
WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375
Modules linked in:
CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375
Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48
RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246
RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0
R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec
FS:  00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
 bcm_connect+0x472/0x840 net/can/bcm.c:1673
 __sys_connect_file net/socket.c:2049 [inline]
 __sys_connect+0x5d2/0x690 net/socket.c:2066
 __do_sys_connect net/socket.c:2076 [inline]
 __se_sys_connect net/socket.c:2073 [inline]
 __x64_sys_connect+0x8f/0x100 net/socket.c:2073
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fbd708b0e5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d
RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040
R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098
R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000
 </TASK>
remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46771

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46772
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check denominator crb_pipes before used

[WHAT & HOW]
A denominator cannot be 0, and is checked before used.

This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46772

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46773
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check denominator pbn_div before used

[WHAT & HOW]
A denominator cannot be 0, and is checked before used.

This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46773

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46774
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()

Smatch warns:

  arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
  spectre issue 'args.args' [r] (local cap)

The 'nargs' and 'nret' locals come directly from a user-supplied
buffer and are used as indexes into a small stack-based array and as
inputs to copy_to_user() after they are subject to bounds checks.

Use array_index_nospec() after the bounds checks to clamp these values
for speculative execution.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46774

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46775
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Validate function returns

[WHAT & HOW]
Function return values must be checked before data can be used
in subsequent functions.

This fixes 4 CHECKED_RETURN issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46775

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46776
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Run DC_LOG_DC after checking link->link_enc

[WHAT]
The DC_LOG_DC should be run after link->link_enc is checked, not before.

This fixes 1 REVERSE_INULL issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46776

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46777
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

udf: Avoid excessive partition lengths

Avoid mounting filesystems where the partition would overflow the
32-bits used for block number. Also refuse to mount filesystems where
the partition length is so large we cannot safely index bits in a
block bitmap.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46777

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46778
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check UnboundedRequestEnabled's value

CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled
is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus
if (p->UnboundedRequestEnabled) checks its address, not bool value.

This fixes 1 REVERSE_INULL issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46778

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46779
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/imagination: Free pvr_vm_gpuva after unlink

This caused a measurable memory leak. Although the individual
allocations are small, the leaks occurs in a high-usage codepath
(remapping or unmapping device memory) so they add up quickly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46779

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46780
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: protect references to superblock parameters exposed in sysfs

The superblock buffers of nilfs2 can not only be overwritten at runtime
for modifications/repairs, but they are also regularly swapped, replaced
during resizing, and even abandoned when degrading to one side due to
backing device issues.  So, accessing them requires mutual exclusion using
the reader/writer semaphore "nilfs->ns_sem".

Some sysfs attribute show methods read this superblock buffer without the
necessary mutual exclusion, which can cause problems with pointer
dereferencing and memory access, so fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46780

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46781
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix missing cleanup on rollforward recovery error

In an error injection test of a routine for mount-time recovery, KASAN
found a use-after-free bug.

It turned out that if data recovery was performed using partial logs
created by dsync writes, but an error occurred before starting the log
writer to create a recovered checkpoint, the inodes whose data had been
recovered were left in the ns_dirty_files list of the nilfs object and
were not freed.

Fix this issue by cleaning up inodes that have read the recovery data if
the recovery routine fails midway before the log writer starts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46781

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46782
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ila: call nf_unregister_net_hooks() sooner

syzbot found an use-after-free Read in ila_nf_input [1]

Issue here is that ila_xlat_exit_net() frees the rhashtable,
then call nf_unregister_net_hooks().

It should be done in the reverse way, with a synchronize_rcu().

This is a good match for a pre_exit() method.

[1]
 BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
 BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
 BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16

CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
  __dump_stack lib/dump_stack.c:93 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
  print_address_description mm/kasan/report.c:377 [inline]
  print_report+0x169/0x550 mm/kasan/report.c:488
  kasan_report+0x143/0x180 mm/kasan/report.c:601
  rht_key_hashfn include/linux/rhashtable.h:159 [inline]
  __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
  rhashtable_lookup include/linux/rhashtable.h:646 [inline]
  rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
  ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
  nf_hook include/linux/netfilter.h:269 [inline]
  NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312
  __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
  __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775
  process_backlog+0x662/0x15b0 net/core/dev.c:6108
  __napi_poll+0xcb/0x490 net/core/dev.c:6772
  napi_poll net/core/dev.c:6841 [inline]
  net_rx_action+0x89b/0x1240 net/core/dev.c:6963
  handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
  run_ksoftirqd+0xca/0x130 kernel/softirq.c:928
  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
  kthread+0x2f0/0x390 kernel/kthread.c:389
  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xbfffffff(buddy)
raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000
raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187
  set_page_owner include/linux/page_owner.h:32 [inline]
  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
  prep_new_page mm/page_alloc.c:1501 [inline]
  get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439
  __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695
  __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
  alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
  ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103
  __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130
  __do_kmalloc_node mm/slub.c:4146 [inline]
  __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164
  __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650
  bucket_table_alloc lib/rhashtable.c:186 [inline]
  rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071
  ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613
  ops_ini
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46782

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46783
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tcp_bpf: fix return value of tcp_bpf_sendmsg()

When we cork messages in psock->cork, the last message triggers the
flushing will result in sending a sk_msg larger than the current
message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes
negative at least in the following case:

468         case __SK_DROP:
469         default:
470                 sk_msg_free_partial(sk, msg, tosend);
471                 sk_msg_apply_bytes(psock, tosend);
472                 *copied -= (tosend + delta); // <==== HERE
473                 return -EACCES;

Therefore, it could lead to the following BUG with a proper value of
'copied' (thanks to syzbot). We should not use negative 'copied' as a
return value here.

  ------------[ cut here ]------------
  kernel BUG at net/socket.c:733!
  Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
  Modules linked in:
  CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0
  Hardware name: linux,dummy-virt (DT)
  pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
  pc : sock_sendmsg_nosec net/socket.c:733 [inline]
  pc : sock_sendmsg_nosec net/socket.c:728 [inline]
  pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745
  lr : sock_sendmsg_nosec net/socket.c:730 [inline]
  lr : __sock_sendmsg+0x54/0x60 net/socket.c:745
  sp : ffff800088ea3b30
  x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000
  x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000
  x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90
  x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001
  x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf
  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
  x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0
  x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000
  x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900
  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef
  Call trace:
   sock_sendmsg_nosec net/socket.c:733 [inline]
   __sock_sendmsg+0x5c/0x60 net/socket.c:745
   ____sys_sendmsg+0x274/0x2ac net/socket.c:2597
   ___sys_sendmsg+0xac/0x100 net/socket.c:2651
   __sys_sendmsg+0x84/0xe0 net/socket.c:2680
   __do_sys_sendmsg net/socket.c:2689 [inline]
   __se_sys_sendmsg net/socket.c:2687 [inline]
   __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687
   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
   invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
   el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
   do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
   el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
   el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
   el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
  Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000)
  ---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46783

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46784
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup

Currently napi_disable() gets called during rxq and txq cleanup,
even before napi is enabled and hrtimer is initialized. It causes
kernel panic.

? page_fault_oops+0x136/0x2b0
  ? page_counter_cancel+0x2e/0x80
  ? do_user_addr_fault+0x2f2/0x640
  ? refill_obj_stock+0xc4/0x110
  ? exc_page_fault+0x71/0x160
  ? asm_exc_page_fault+0x27/0x30
  ? __mmdrop+0x10/0x180
  ? __mmdrop+0xec/0x180
  ? hrtimer_active+0xd/0x50
  hrtimer_try_to_cancel+0x2c/0xf0
  hrtimer_cancel+0x15/0x30
  napi_disable+0x65/0x90
  mana_destroy_rxq+0x4c/0x2f0
  mana_create_rxq.isra.0+0x56c/0x6d0
  ? mana_uncfg_vport+0x50/0x50
  mana_alloc_queues+0x21b/0x320
  ? skb_dequeue+0x5f/0x80
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46784

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46785
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

eventfs: Use list_del_rcu() for SRCU protected list variable

Chi Zhiling reported:

  We found a null pointer accessing in tracefs[1], the reason is that the
  variable 'ei_child' is set to LIST_POISON1, that means the list was
  removed in eventfs_remove_rec. so when access the ei_child->is_freed, the
  panic triggered.

  by the way, the following script can reproduce this panic

  loop1 (){
      while true
      do
          echo "p:kp submit_bio" > /sys/kernel/debug/tracing/kprobe_events
          echo "" > /sys/kernel/debug/tracing/kprobe_events
      done
  }
  loop2 (){
      while true
      do
          tree /sys/kernel/debug/tracing/events/kprobes/
      done
  }
  loop1 &
  loop2

  [1]:
  [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150
  [ 1147.968239][T17331] Mem abort info:
  [ 1147.971739][T17331]   ESR = 0x0000000096000004
  [ 1147.976172][T17331]   EC = 0x25: DABT (current EL), IL = 32 bits
  [ 1147.982171][T17331]   SET = 0, FnV = 0
  [ 1147.985906][T17331]   EA = 0, S1PTW = 0
  [ 1147.989734][T17331]   FSC = 0x04: level 0 translation fault
  [ 1147.995292][T17331] Data abort info:
  [ 1147.998858][T17331]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  [ 1148.005023][T17331]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  [ 1148.010759][T17331]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges
  [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP
  [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls]
  [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G        W         ------- ----  6.6.43 #2
  [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650
  [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020
  [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398
  [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398
  [ 1148.115969][T17331] sp : ffff80008d56bbd0
  [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000
  [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100
  [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10
  [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000
  [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0
  [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
  [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0
  [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862
  [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068
  [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001
  [ 1148.198131][T17331] Call trace:
  [ 1148.201259][T17331]  eventfs_iterate+0x2c0/0x398
  [ 1148.205864][T17331]  iterate_dir+0x98/0x188
  [ 1148.210036][T17331]  __arm64_sys_getdents64+0x78/0x160
  [ 1148.215161][T17331]  invoke_syscall+0x78/0x108
  [ 1148.219593][T17331]  el0_svc_common.constprop.0+0x48/0xf0
  [ 1148.224977][T17331]  do_el0_svc+0x24/0x38
  [ 1148.228974][T17331]  el0_svc+0x40/0x168
  [ 1148.232798][T17
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46785

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46786
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF

The fscache_cookie_lru_timer is initialized when the fscache module
is inserted, but is not deleted when the fscache module is removed.
If timer_reduce() is called before removing the fscache module,
the fscache_cookie_lru_timer will be added to the timer list of
the current cpu. Afterwards, a use-after-free will be triggered
in the softIRQ after removing the fscache module, as follows:

==================================================================
BUG: unable to handle page fault for address: fffffbfff803c9e9
 PF: supervisor read access in kernel mode
 PF: error_code(0x0000) - not-present page
PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855
Tainted: [W]=WARN
RIP: 0010:__run_timer_base.part.0+0x254/0x8a0
Call Trace:
 <IRQ>
 tmigr_handle_remote_up+0x627/0x810
 __walk_groups.isra.0+0x47/0x140
 tmigr_handle_remote+0x1fa/0x2f0
 handle_softirqs+0x180/0x590
 irq_exit_rcu+0x84/0xb0
 sysvec_apic_timer_interrupt+0x6e/0x90
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:default_idle+0xf/0x20
 default_idle_call+0x38/0x60
 do_idle+0x2b5/0x300
 cpu_startup_entry+0x54/0x60
 start_secondary+0x20d/0x280
 common_startup_64+0x13e/0x148
 </TASK>
Modules linked in: [last unloaded: netfs]
==================================================================

Therefore delete fscache_cookie_lru_timer when removing the fscahe module.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46786

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46787
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: fix checks for huge PMDs

Patch series "userfaultfd: fix races around pmd_trans_huge() check", v2.

The pmd_trans_huge() code in mfill_atomic() is wrong in three different
ways depending on kernel version:

1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit
   the right two race windows) - I've tested this in a kernel build with
   some extra mdelay() calls. See the commit message for a description
   of the race scenario.
   On older kernels (before 6.5), I think the same bug can even
   theoretically lead to accessing transhuge page contents as a page table
   if you hit the right 5 narrow race windows (I haven't tested this case).
2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for
   detecting PMDs that don't point to page tables.
   On older kernels (before 6.5), you'd just have to win a single fairly
   wide race to hit this.
   I've tested this on 6.1 stable by racing migration (with a mdelay()
   patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86
   VM, that causes a kernel oops in ptlock_ptr().
3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed
   to yank page tables out from under us (though I haven't tested that),
   so I think the BUG_ON() checks in mfill_atomic() are just wrong.

I decided to write two separate fixes for these (one fix for bugs 1+2, one
fix for bug 3), so that the first fix can be backported to kernels
affected by bugs 1+2.


This patch (of 2):

This fixes two issues.

I discovered that the following race can occur:

  mfill_atomic                other thread
  ============                ============
                              <zap PMD>
  pmdp_get_lockless() [reads none pmd]
  <bail if trans_huge>
  <if none:>
                              <pagefault creates transhuge zeropage>
    __pte_alloc [no-op]
                              <zap PMD>
  <bail if pmd_trans_huge(*dst_pmd)>
  BUG_ON(pmd_none(*dst_pmd))

I have experimentally verified this in a kernel with extra mdelay() calls;
the BUG_ON(pmd_none(*dst_pmd)) triggers.

On kernels newer than commit 0d940a9b270b ("mm/pgtable: allow
pte_offset_map[_lock]() to fail"), this can't lead to anything worse than
a BUG_ON(), since the page table access helpers are actually designed to
deal with page tables concurrently disappearing; but on older kernels
(<=6.4), I think we could probably theoretically race past the two
BUG_ON() checks and end up treating a hugepage as a page table.

The second issue is that, as Qi Zheng pointed out, there are other types
of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs
(in particular, migration PMDs).

On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a
PMD that contains a migration entry (which just requires winning a single,
fairly wide race), it will pass the PMD to pte_offset_map_lock(), which
assumes that the PMD points to a page table.

Breakage follows: First, the kernel tries to take the PTE lock (which will
crash or maybe worse if there is no "struct page" for the address bits in
the migration entry PMD - I think at least on X86 there usually is no
corresponding "struct page" thanks to the PTE inversion mitigation, amd64
looks different).

If that didn't crash, the kernel would next try to write a PTE into what
it wrongly thinks is a page table.

As part of fixing these issues, get rid of the check for pmd_trans_huge()
before __pte_alloc() - that's redundant, we're going to have to check for
that after the __pte_alloc() anyway.

Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46787

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46788
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing/osnoise: Use a cpumask to know what threads are kthreads

The start_kthread() and stop_thread() code was not always called with the
interface_lock held. This means that the kthread variable could be
unexpectedly changed causing the kthread_stop() to be called on it when it
should not have been, leading to:

 while true; do
   rtla timerlat top -u -q & PID=$!;
   sleep 5;
   kill -INT $PID;
   sleep 0.001;
   kill -TERM $PID;
   wait $PID;
  done

Causing the following OOPS:

 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
 KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
 CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
 RIP: 0010:hrtimer_active+0x58/0x300
 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f
 RSP: 0018:ffff88811d97f940 EFLAGS: 00010202
 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b
 RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28
 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60
 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d
 R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28
 FS:  0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000561858ad7258 CR3: 000000007729e001 CR4: 0000000000170ef0
 Call Trace:
  <TASK>
  ? die_addr+0x40/0xa0
  ? exc_general_protection+0x154/0x230
  ? asm_exc_general_protection+0x26/0x30
  ? hrtimer_active+0x58/0x300
  ? __pfx_mutex_lock+0x10/0x10
  ? __pfx_locks_remove_file+0x10/0x10
  hrtimer_cancel+0x15/0x40
  timerlat_fd_release+0x8e/0x1f0
  ? security_file_release+0x43/0x80
  __fput+0x372/0xb10
  task_work_run+0x11e/0x1f0
  ? _raw_spin_lock+0x85/0xe0
  ? __pfx_task_work_run+0x10/0x10
  ? poison_slab_object+0x109/0x170
  ? do_exit+0x7a0/0x24b0
  do_exit+0x7bd/0x24b0
  ? __pfx_migrate_enable+0x10/0x10
  ? __pfx_do_exit+0x10/0x10
  ? __pfx_read_tsc+0x10/0x10
  ? ktime_get+0x64/0x140
  ? _raw_spin_lock_irq+0x86/0xe0
  do_group_exit+0xb0/0x220
  get_signal+0x17ba/0x1b50
  ? vfs_read+0x179/0xa40
  ? timerlat_fd_read+0x30b/0x9d0
  ? __pfx_get_signal+0x10/0x10
  ? __pfx_timerlat_fd_read+0x10/0x10
  arch_do_signal_or_restart+0x8c/0x570
  ? __pfx_arch_do_signal_or_restart+0x10/0x10
  ? vfs_read+0x179/0xa40
  ? ksys_read+0xfe/0x1d0
  ? __pfx_ksys_read+0x10/0x10
  syscall_exit_to_user_mode+0xbc/0x130
  do_syscall_64+0x74/0x110
  ? __pfx___rseq_handle_notify_resume+0x10/0x10
  ? __pfx_ksys_read+0x10/0x10
  ? fpregs_restore_userregs+0xdb/0x1e0
  ? fpregs_restore_userregs+0xdb/0x1e0
  ? syscall_exit_to_user_mode+0x116/0x130
  ? do_syscall_64+0x74/0x110
  ? do_syscall_64+0x74/0x110
  ? do_syscall_64+0x74/0x110
  entry_SYSCALL_64_after_hwframe+0x71/0x79
 RIP: 0033:0x7ff0070eca9c
 Code: Unable to access opcode bytes at 0x7ff0070eca72.
 RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c
 RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003
 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0
 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003
 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008
  </TASK>
 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core
 ---[ end trace 0000000000000000 ]---

This is because it would mistakenly call kthread_stop() on a user space
thread making it "exit" before it actually exits.

Since kthread
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46788

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46789
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/slub: add check for s->flags in the alloc_tagging_slab_free_hook

When enable CONFIG_MEMCG & CONFIG_KFENCE & CONFIG_KMEMLEAK, the following
warning always occurs,This is because the following call stack occurred:
mem_pool_alloc
    kmem_cache_alloc_noprof
        slab_alloc_node
            kfence_alloc

Once the kfence allocation is successful,slab->obj_exts will not be empty,
because it has already been assigned a value in kfence_init_pool.

Since in the prepare_slab_obj_exts_hook function,we perform a check for
s->flags & (SLAB_NO_OBJ_EXT | SLAB_NOLEAKTRACE),the alloc_tag_add function
will not be called as a result.Therefore,ref->ct remains NULL.

However,when we call mem_pool_free,since obj_ext is not empty, it
eventually leads to the alloc_tag_sub scenario being invoked.  This is
where the warning occurs.

So we should add corresponding checks in the alloc_tagging_slab_free_hook.
For __GFP_NO_OBJ_EXT case,I didn't see the specific case where it's using
kfence,so I won't add the corresponding check in
alloc_tagging_slab_free_hook for now.

[    3.734349] ------------[ cut here ]------------
[    3.734807] alloc_tag was not set
[    3.735129] WARNING: CPU: 4 PID: 40 at ./include/linux/alloc_tag.h:130 kmem_cache_free+0x444/0x574
[    3.735866] Modules linked in: autofs4
[    3.736211] CPU: 4 UID: 0 PID: 40 Comm: ksoftirqd/4 Tainted: G        W          6.11.0-rc3-dirty #1
[    3.736969] Tainted: [W]=WARN
[    3.737258] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
[    3.737875] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    3.738501] pc : kmem_cache_free+0x444/0x574
[    3.738951] lr : kmem_cache_free+0x444/0x574
[    3.739361] sp : ffff80008357bb60
[    3.739693] x29: ffff80008357bb70 x28: 0000000000000000 x27: 0000000000000000
[    3.740338] x26: ffff80008207f000 x25: ffff000b2eb2fd60 x24: ffff0000c0005700
[    3.740982] x23: ffff8000804229e4 x22: ffff800082080000 x21: ffff800081756000
[    3.741630] x20: fffffd7ff8253360 x19: 00000000000000a8 x18: ffffffffffffffff
[    3.742274] x17: ffff800ab327f000 x16: ffff800083398000 x15: ffff800081756df0
[    3.742919] x14: 0000000000000000 x13: 205d344320202020 x12: 5b5d373038343337
[    3.743560] x11: ffff80008357b650 x10: 000000000000005d x9 : 00000000ffffffd0
[    3.744231] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008237bad0 x6 : c0000000ffff7fff
[    3.744907] x5 : ffff80008237ba78 x4 : ffff8000820bbad0 x3 : 0000000000000001
[    3.745580] x2 : 68d66547c09f7800 x1 : 68d66547c09f7800 x0 : 0000000000000000
[    3.746255] Call trace:
[    3.746530]  kmem_cache_free+0x444/0x574
[    3.746931]  mem_pool_free+0x44/0xf4
[    3.747306]  free_object_rcu+0xc8/0xdc
[    3.747693]  rcu_do_batch+0x234/0x8a4
[    3.748075]  rcu_core+0x230/0x3e4
[    3.748424]  rcu_core_si+0x14/0x1c
[    3.748780]  handle_softirqs+0x134/0x378
[    3.749189]  run_ksoftirqd+0x70/0x9c
[    3.749560]  smpboot_thread_fn+0x148/0x22c
[    3.749978]  kthread+0x10c/0x118
[    3.750323]  ret_from_fork+0x10/0x20
[    3.750696] ---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46789

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46790
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

codetag: debug: mark codetags for poisoned page as empty

When PG_hwpoison pages are freed they are treated differently in
free_pages_prepare() and instead of being released they are isolated.

Page allocation tag counters are decremented at this point since the page
is considered not in use.  Later on when such pages are released by
unpoison_memory(), the allocation tag counters will be decremented again
and the following warning gets reported:

[  113.930443][ T3282] ------------[ cut here ]------------
[  113.931105][ T3282] alloc_tag was not set
[  113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloc_tag.h:130 pgalloc_tag_sub.part.66+0x154/0x164
[  113.932866][ T3282] Modules linked in: hwpoison_inject fuse ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_man4
[  113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G        W          6.11.0-rc4-dirty #18
[  113.943003][ T3282] Tainted: [W]=WARN
[  113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
[  113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  113.945319][ T3282] pc : pgalloc_tag_sub.part.66+0x154/0x164
[  113.946016][ T3282] lr : pgalloc_tag_sub.part.66+0x154/0x164
[  113.946706][ T3282] sp : ffff800087093a10
[  113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0
[  113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000
[  113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000
[  113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff
[  113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210
[  113.953161][ T3282] x14: 0000000000000000 x13: 205d323832335420 x12: 5b5d353031313339
[  113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0
[  113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff
[  113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001
[  113.956994][ T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000
[  113.957962][ T3282] Call trace:
[  113.958350][ T3282]  pgalloc_tag_sub.part.66+0x154/0x164
[  113.959000][ T3282]  pgalloc_tag_sub+0x14/0x1c
[  113.959539][ T3282]  free_unref_page+0xf4/0x4b8
[  113.960096][ T3282]  __folio_put+0xd4/0x120
[  113.960614][ T3282]  folio_put+0x24/0x50
[  113.961103][ T3282]  unpoison_memory+0x4f0/0x5b0
[  113.961678][ T3282]  hwpoison_unpoison+0x30/0x48 [hwpoison_inject]
[  113.962436][ T3282]  simple_attr_write_xsigned.isra.34+0xec/0x1cc
[  113.963183][ T3282]  simple_attr_write+0x38/0x48
[  113.963750][ T3282]  debugfs_attr_write+0x54/0x80
[  113.964330][ T3282]  full_proxy_write+0x68/0x98
[  113.964880][ T3282]  vfs_write+0xdc/0x4d0
[  113.965372][ T3282]  ksys_write+0x78/0x100
[  113.965875][ T3282]  __arm64_sys_write+0x24/0x30
[  113.966440][ T3282]  invoke_syscall+0x7c/0x104
[  113.966984][ T3282]  el0_svc_common.constprop.1+0x88/0x104
[  113.967652][ T3282]  do_el0_svc+0x2c/0x38
[  113.968893][ T3282]  el0_svc+0x3c/0x1b8
[  113.969379][ T3282]  el0t_64_sync_handler+0x98/0xbc
[  113.969980][ T3282]  el0t_64_sync+0x19c/0x1a0
[  113.970511][ T3282] ---[ end trace 0000000000000000 ]---

To fix this, clear the page tag reference after the page got isolated
and accounted for.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46790

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46791
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open

The mcp251x_hw_wake() function is called with the mpc_lock mutex held and
disables the interrupt handler so that no interrupts can be processed while
waking the device. If an interrupt has already occurred then waiting for
the interrupt handler to complete will deadlock because it will be trying
to acquire the same mutex.

CPU0                           CPU1
----                           ----
mcp251x_open()
 mutex_lock(&priv->mcp_lock)
  request_threaded_irq()
                               <interrupt>
                               mcp251x_can_ist()
                                mutex_lock(&priv->mcp_lock)
  mcp251x_hw_wake()
   disable_irq() <-- deadlock

Use disable_irq_nosync() instead because the interrupt handler does
everything while holding the mutex so it doesn't matter if it's still
running.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46791

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46792
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

riscv: misaligned: Restrict user access to kernel memory

raw_copy_{to,from}_user() do not call access_ok(), so this code allowed
userspace to access any virtual memory address.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46792

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46793
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder

Since commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component
via COMP_DUMMY()") dummy codecs declared like this:

SND_SOC_DAILINK_DEF(dummy,
        DAILINK_COMP_ARRAY(COMP_DUMMY()));

expand to:

static struct snd_soc_dai_link_component dummy[] = {
};

Which means that dummy is a zero sized array and thus dais[i].codecs should
not be dereferenced *at all* since it points to the address of the next
variable stored in the data section as the "dummy" variable has an address
but no size, so even dereferencing dais[0] is already an out of bounds
array reference.

Which means that the if (dais[i].codecs->name) check added in
commit 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref
in BYT/CHT boards") relies on that the part of the next variable which
the name member maps to just happens to be NULL.

Which apparently so far it usually is, except when it isn't
and then it results in crashes like this one:

[   28.795659] BUG: unable to handle page fault for address: 0000000000030011
...
[   28.795780] Call Trace:
[   28.795787]  <TASK>
...
[   28.795862]  ? strcmp+0x18/0x40
[   28.795872]  0xffffffffc150c605
[   28.795887]  platform_probe+0x40/0xa0
...
[   28.795979]  ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]

Really fix things this time around by checking dais.num_codecs != 0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46793

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46794
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/tdx: Fix data leak in mmio_read()

The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an
address from the VMM.

Sean noticed that mmio_read() unintentionally exposes the value of an
initialized variable (val) on the stack to the VMM.

This variable is only needed as an output value. It did not need to be
passed to the VMM in the first place.

Do not send the original value of *val to the VMM.

[ dhansen: clarify what 'val' is used for. ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46794

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46795
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset the binding mark of a reused connection

Steve French reported null pointer dereference error from sha256 lib.
cifs.ko can send session setup requests on reused connection.
If reused connection is used for binding session, conn->binding can
still remain true and generate_preauth_hash() will not set
sess->Preauth_HashValue and it will be NULL.
It is used as a material to create an encryption key in
ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer
dereference error from crypto_shash_update().

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 8 PID: 429254 Comm: kworker/8:39
Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
<TASK>
? show_regs+0x6d/0x80
? __die+0x24/0x80
? page_fault_oops+0x99/0x1b0
? do_user_addr_fault+0x2ee/0x6b0
? exc_page_fault+0x83/0x1b0
? asm_exc_page_fault+0x27/0x30
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
_sha256_update+0x77/0xa0 [sha256_ssse3]
sha256_avx2_update+0x15/0x30 [sha256_ssse3]
crypto_shash_update+0x1e/0x40
hmac_update+0x12/0x20
crypto_shash_update+0x1e/0x40
generate_key+0x234/0x380 [ksmbd]
generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
smb2_sess_setup+0x952/0xaa0 [ksmbd]
__process_request+0xa3/0x1d0 [ksmbd]
__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
handle_ksmbd_work+0x2d/0xa0 [ksmbd]
process_one_work+0x16c/0x350
worker_thread+0x306/0x440
? __pfx_worker_thread+0x10/0x10
kthread+0xef/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x44/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46795

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46796
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix double put of @cfile in smb2_set_path_size()

If smb2_compound_op() is called with a valid @cfile and returned
-EINVAL, we need to call cifs_get_writable_path() before retrying it
as the reference of @cfile was already dropped by previous call.

This fixes the following KASAN splat when running fstests generic/013
against Windows Server 2022:

  CIFS: Attempting to mount //w22-fs0/scratch
  run fstests generic/013 at 2024-09-02 19:48:59
  ==================================================================
  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200
  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176

  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40
  04/01/2014
  Workqueue: cifsoplockd cifs_oplock_break [cifs]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   ? detach_if_pending+0xab/0x200
   print_report+0x156/0x4d9
   ? detach_if_pending+0xab/0x200
   ? __virt_addr_valid+0x145/0x300
   ? __phys_addr+0x46/0x90
   ? detach_if_pending+0xab/0x200
   kasan_report+0xda/0x110
   ? detach_if_pending+0xab/0x200
   detach_if_pending+0xab/0x200
   timer_delete+0x96/0xe0
   ? __pfx_timer_delete+0x10/0x10
   ? rcu_is_watching+0x20/0x50
   try_to_grab_pending+0x46/0x3b0
   __cancel_work+0x89/0x1b0
   ? __pfx___cancel_work+0x10/0x10
   ? kasan_save_track+0x14/0x30
   cifs_close_deferred_file+0x110/0x2c0 [cifs]
   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]
   ? __pfx_down_read+0x10/0x10
   cifs_oplock_break+0x4c1/0xa50 [cifs]
   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]
   ? lock_is_held_type+0x85/0xf0
   ? mark_held_locks+0x1a/0x90
   process_one_work+0x4c6/0x9f0
   ? find_held_lock+0x8a/0xa0
   ? __pfx_process_one_work+0x10/0x10
   ? lock_acquired+0x220/0x550
   ? __list_add_valid_or_report+0x37/0x100
   worker_thread+0x2e4/0x570
   ? __kthread_parkme+0xd1/0xf0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x17f/0x1c0
   ? kthread+0xda/0x1c0
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x31/0x60
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>

  Allocated by task 1118:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   __kasan_kmalloc+0xaa/0xb0
   cifs_new_fileinfo+0xc8/0x9d0 [cifs]
   cifs_atomic_open+0x467/0x770 [cifs]
   lookup_open.isra.0+0x665/0x8b0
   path_openat+0x4c3/0x1380
   do_filp_open+0x167/0x270
   do_sys_openat2+0x129/0x160
   __x64_sys_creat+0xad/0xe0
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

  Freed by task 83:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   kasan_save_free_info+0x3b/0x70
   poison_slab_object+0xe9/0x160
   __kasan_slab_free+0x32/0x50
   kfree+0xf2/0x300
   process_one_work+0x4c6/0x9f0
   worker_thread+0x2e4/0x570
   kthread+0x17f/0x1c0
   ret_from_fork+0x31/0x60
   ret_from_fork_asm+0x1a/0x30

  Last potentially related work creation:
   kasan_save_stack+0x30/0x50
   __kasan_record_aux_stack+0xad/0xc0
   insert_work+0x29/0xe0
   __queue_work+0x5ea/0x760
   queue_work_on+0x6d/0x90
   _cifsFileInfo_put+0x3f6/0x770 [cifs]
   smb2_compound_op+0x911/0x3940 [cifs]
   smb2_set_path_size+0x228/0x270 [cifs]
   cifs_set_file_size+0x197/0x460 [cifs]
   cifs_setattr+0xd9c/0x14b0 [cifs]
   notify_change+0x4e3/0x740
   do_truncate+0xfa/0x180
   vfs_truncate+0x195/0x200
   __x64_sys_truncate+0x109/0x150
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46796

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46797
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

powerpc/qspinlock: Fix deadlock in MCS queue

If an interrupt occurs in queued_spin_lock_slowpath() after we increment
qnodesp->count and before node->lock is initialized, another CPU might
see stale lock values in get_tail_qnode(). If the stale lock value happens
to match the lock on that CPU, then we write to the "next" pointer of
the wrong qnode. This causes a deadlock as the former CPU, once it becomes
the head of the MCS queue, will spin indefinitely until it's "next" pointer
is set by its successor in the queue.

Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in
occasional lockups similar to the following:

   $ stress-ng --all 128 --vm-bytes 80% --aggressive \
               --maximize --oomable --verify  --syslog \
               --metrics  --times  --timeout 5m

   watchdog: CPU 15 Hard LOCKUP
   ......
   NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490
   LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
   Call Trace:
    0xc000002cfffa3bf0 (unreliable)
    _raw_spin_lock+0x6c/0x90
    raw_spin_rq_lock_nested.part.135+0x4c/0xd0
    sched_ttwu_pending+0x60/0x1f0
    __flush_smp_call_function_queue+0x1dc/0x670
    smp_ipi_demux_relaxed+0xa4/0x100
    xive_muxed_ipi_action+0x20/0x40
    __handle_irq_event_percpu+0x80/0x240
    handle_irq_event_percpu+0x2c/0x80
    handle_percpu_irq+0x84/0xd0
    generic_handle_irq+0x54/0x80
    __do_irq+0xac/0x210
    __do_IRQ+0x74/0xd0
    0x0
    do_IRQ+0x8c/0x170
    hardware_interrupt_common_virt+0x29c/0x2a0
   --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490
   ......
   NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490
   LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
   --- interrupt: 500
    0xc0000029c1a41d00 (unreliable)
    _raw_spin_lock+0x6c/0x90
    futex_wake+0x100/0x260
    do_futex+0x21c/0x2a0
    sys_futex+0x98/0x270
    system_call_exception+0x14c/0x2f0
    system_call_vectored_common+0x15c/0x2ec

The following code flow illustrates how the deadlock occurs.
For the sake of brevity, assume that both locks (A and B) are
contended and we call the queued_spin_lock_slowpath() function.

        CPU0                                   CPU1
        ----                                   ----
  spin_lock_irqsave(A)                          |
  spin_unlock_irqrestore(A)                     |
    spin_lock(B)                                |
         |                                      |
         ▼                                      |
   id = qnodesp->count++;                       |
  (Note that nodes[0].lock == A)                |
         |                                      |
         ▼                                      |
      Interrupt                                 |
  (happens before "nodes[0].lock = B")          |
         |                                      |
         ▼                                      |
  spin_lock_irqsave(A)                          |
         |                                      |
         ▼                                      |
   id = qnodesp->count++                        |
   nodes[1].lock = A                            |
         |                                      |
         ▼                                      |
  Tail of MCS queue                             |
         |                             spin_lock_irqsave(A)
         ▼                                      |
  Head of MCS queue                             ▼
         |                             CPU0 is previous tail
         ▼                                      |
   Spin indefinitely                            ▼
  (until "nodes[1].next != NULL")      prev = get_tail_qnode(A, CPU0)
                                                |
                                                ▼
                                       prev == &qnodes[CPU0].nodes[0]
                                     (as qnodes
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46797

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46798
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

When using kernel with the following extra config,

  - CONFIG_KASAN=y
  - CONFIG_KASAN_GENERIC=y
  - CONFIG_KASAN_INLINE=y
  - CONFIG_KASAN_VMALLOC=y
  - CONFIG_FRAME_WARN=4096

kernel detects that snd_pcm_suspend_all() access a freed
'snd_soc_pcm_runtime' object when the system is suspended, which
leads to a use-after-free bug:

[   52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
[   52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330

[   52.047785] Call trace:
[   52.047787]  dump_backtrace+0x0/0x3c0
[   52.047794]  show_stack+0x34/0x50
[   52.047797]  dump_stack_lvl+0x68/0x8c
[   52.047802]  print_address_description.constprop.0+0x74/0x2c0
[   52.047809]  kasan_report+0x210/0x230
[   52.047815]  __asan_report_load1_noabort+0x3c/0x50
[   52.047820]  snd_pcm_suspend_all+0x1a8/0x270
[   52.047824]  snd_soc_suspend+0x19c/0x4e0

The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before
making any access. So we need to always set 'substream->runtime' to NULL
everytime we kfree() it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46798

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46799
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX

If number of TX queues are set to 1 we get a NULL pointer
dereference during XDP_TX.

~# ethtool -L eth0 tx 1
~# ./xdp-trafficgen udp -A <ipv6-src> -a <ipv6-dst> eth0 -t 2
Transmitting on eth0 (ifindex 2)
[  241.135257] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030

Fix this by using actual TX queues instead of max TX queues
when picking the TX channel in am65_cpsw_ndo_xdp_xmit().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46799

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46800
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sch/netem: fix use after free in netem_dequeue

If netem_dequeue() enqueues packet to inner qdisc and that qdisc
returns __NET_XMIT_STOLEN. The packet is dropped but
qdisc_tree_reduce_backlog() is not called to update the parent's
q.qlen, leading to the similar use-after-free as Commit
e04991a48dbaf382 ("netem: fix return value if duplicate enqueue
fails")

Commands to trigger KASAN UaF:

ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress
redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46800

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46801
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

libfs: fix get_stashed_dentry()

get_stashed_dentry() tries to optimistically retrieve a stashed dentry
from a provided location.  It needs to ensure to hold rcu lock before it
dereference the stashed location to prevent UAF issues.  Use
rcu_dereference() instead of READ_ONCE() it's effectively equivalent
with some lockdep bells and whistles and it communicates clearly that
this expects rcu protection.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46801

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46802
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: added NULL check at start of dc_validate_stream

[Why]
prevent invalid memory access

[How]
check if dc and stream are NULL
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46802

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46803
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Check debug trap enable before write dbg_ev_file

In interrupt context, write dbg_ev_file will be run by work queue. It
will cause write dbg_ev_file execution after debug_trap_disable, which
will cause NULL pointer access.
v2: cancel work "debug_event_workarea" before set dbg_ev_file as NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46803

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46804
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add array index check for hdcp ddc access

[Why]
Coverity reports OVERRUN warning. Do not check if array
index valid.

[How]
Check msg_id valid and valid array index.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46804

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46805
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix the waring dereferencing hive

Check the amdgpu_hive_info *hive that maybe is NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46805

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46806
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix the warning division or modulo by zero

Checks the partition mode and returns an error for an invalid mode.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46806

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46807
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/amdgpu: Check tbo resource pointer

Validate tbo resource pointer, skip if NULL
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46807

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46808
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add missing NULL pointer check within dpcd_extend_address_range

[Why & How]
ASSERT if return NULL from kcalloc.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46808

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46809
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check BIOS images before it is used

BIOS images may fail to load and null checks are added before they are
used.

This fixes 6 NULL_RETURNS issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46809

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46810
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ

Make sure the connector is fully initialized before signalling any
HPD events via drm_kms_helper_hotplug_event(), otherwise this may
lead to NULL pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46810

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46811
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix index may exceed array range within fpu_update_bw_bounding_box

[Why]
Coverity reports OVERRUN warning. soc.num_states could
be 40. But array range of bw_params->clk_table.entries is 8.

[How]
Assert if soc.num_states greater than 8.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46811

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46812
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration

[Why]
Coverity reports Memory - illegal accesses.

[How]
Skip inactive planes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46812

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46813
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check link_index before accessing dc->links[]

[WHY & HOW]
dc->links[] has max size of MAX_LINKS and NULL is return when trying to
access with out-of-bound index.

This fixes 3 OVERRUN and 1 RESOURCE_LEAK issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46813

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46814
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check msg_id before processing transcation

[WHY & HOW]
HDCP_MESSAGE_ID_INVALID (-1) is not a valid msg_id nor is it a valid
array index, and it needs checking before used.

This fixes 4 OVERRUN issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46814

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46815
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]

[WHY & HOW]
num_valid_sets needs to be checked to avoid a negative index when
accessing reader_wm_sets[num_valid_sets - 1].

This fixes an OVERRUN issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46815

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46816
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links

[Why]
Coverity report OVERRUN warning. There are
only max_links elements within dc->links. link
count could up to AMDGPU_DM_MAX_DISPLAY_INDEX 31.

[How]
Make sure link count less than max_links.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46816

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46817
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6

[Why]
Coverity reports OVERRUN warning. Should abort amdgpu_dm
initialize.

[How]
Return failure to amdgpu_dm_init.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46817

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46818
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check gpio_id before used as array index

[WHY & HOW]
GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore
should be checked in advance.

This fixes 5 OVERRUN issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46818

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46819
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: the warning dereferencing obj for nbio_v7_4

if ras_manager obj null, don't print NBIO err data
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46819

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46820
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/vcn: remove irq disabling in vcn 5 suspend

We do not directly enable/disable VCN IRQ in vcn 5.0.0.
And we do not handle the IRQ state as well. So the calls to
disable IRQ and set state are removed. This effectively gets
rid of the warining of
      "WARN_ON(!amdgpu_irq_enabled(adev, src, type))"
in amdgpu_irq_put().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46820

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46821
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: Fix negative array index read

Avoid using the negative values
for clk_idex as an index into an array pptable->DpmDescriptor.

V2: fix clk_index return check (Tim Huang)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46821

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46822
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry

In a review discussion of the changes to support vCPU hotplug where
a check was added on the GICC being enabled if was online, it was
noted that there is need to map back to the cpu and use that to index
into a cpumask. As such, a valid ID is needed.

If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible
for the entry in cpu_madt_gicc[cpu] == NULL.  This function would
then cause a NULL pointer dereference.   Whilst a path to trigger
this has not been established, harden this caller against the
possibility.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46822

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46823
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

kunit/overflow: Fix UB in overflow_allocation_test

The 'device_name' array doesn't exist out of the
'overflow_allocation_test' function scope. However, it is being used as
a driver name when calling 'kunit_driver_create' from
'kunit_device_register'. It produces the kernel panic with KASAN
enabled.

Since this variable is used in one place only, remove it and pass the
device name into kunit_device_register directly as an ascii string.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46823

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46824
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommufd: Require drivers to supply the cache_invalidate_user ops

If drivers don't do this then iommufd will oops invalidation ioctls with
something like:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
  Mem abort info:
    ESR = 0x0000000086000004
    EC = 0x21: IABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x04: level 0 translation fault
  user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000
  [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
  Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
  Modules linked in:
  CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9
  Hardware name: linux,dummy-virt (DT)
  pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c)
  pc : 0x0
  lr : iommufd_hwpt_invalidate+0xa4/0x204
  sp : ffff800080f3bcc0
  x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000
  x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
  x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0
  x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000
  x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8
  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
  x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
  x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000
  x5 : ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002
  x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80
  Call trace:
   0x0
   iommufd_fops_ioctl+0x154/0x274
   __arm64_sys_ioctl+0xac/0xf0
   invoke_syscall+0x48/0x110
   el0_svc_common.constprop.0+0x40/0xe0
   do_el0_svc+0x1c/0x28
   el0_svc+0x34/0xb4
   el0t_64_sync_handler+0x120/0x12c
   el0t_64_sync+0x190/0x194

All existing drivers implement this op for nesting, this is mostly a
bisection aid.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46824

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46825
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check

The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is
normally called with input from the firmware, so it should use
IWL_FW_CHECK() instead of WARN_ON().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46825

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46826
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ELF: fix kernel.randomize_va_space double read

ELF loader uses "randomize_va_space" twice. It is sysctl and can change
at any moment, so 2 loads could see 2 different values in theory with
unpredictable consequences.

Issue exactly one load for consistent value across one exec.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46826

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46827
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix firmware crash due to invalid peer nss

Currently, if the access point receives an association
request containing an Extended HE Capabilities Information
Element with an invalid MCS-NSS, it triggers a firmware
crash.

This issue arises when EHT-PHY capabilities shows support
for a bandwidth and MCS-NSS set for that particular
bandwidth is filled by zeros and due to this, driver obtains
peer_nss as 0 and sending this value to firmware causes
crash.

Address this issue by implementing a validation step for
the peer_nss value before passing it to the firmware. If
the value is greater than zero, proceed with forwarding
it to the firmware. However, if the value is invalid,
reject the association request to prevent potential
firmware crashes.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46827

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46828
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sched: sch_cake: fix bulk flow accounting logic for host fairness

In sch_cake, we keep track of the count of active bulk flows per host,
when running in dst/src host fairness mode, which is used as the
round-robin weight when iterating through flows. The count of active
bulk flows is updated whenever a flow changes state.

This has a peculiar interaction with the hash collision handling: when a
hash collision occurs (after the set-associative hashing), the state of
the hash bucket is simply updated to match the new packet that collided,
and if host fairness is enabled, that also means assigning new per-host
state to the flow. For this reason, the bulk flow counters of the
host(s) assigned to the flow are decremented, before new state is
assigned (and the counters, which may not belong to the same host
anymore, are incremented again).

Back when this code was introduced, the host fairness mode was always
enabled, so the decrement was unconditional. When the configuration
flags were introduced the *increment* was made conditional, but
the *decrement* was not. Which of course can lead to a spurious
decrement (and associated wrap-around to U16_MAX).

AFAICT, when host fairness is disabled, the decrement and wrap-around
happens as soon as a hash collision occurs (which is not that common in
itself, due to the set-associative hashing). However, in most cases this
is harmless, as the value is only used when host fairness mode is
enabled. So in order to trigger an array overflow, sch_cake has to first
be configured with host fairness disabled, and while running in this
mode, a hash collision has to occur to cause the overflow. Then, the
qdisc has to be reconfigured to enable host fairness, which leads to the
array out-of-bounds because the wrapped-around value is retained and
used as an array index. It seems that syzbot managed to trigger this,
which is quite impressive in its own right.

This patch fixes the issue by introducing the same conditional check on
decrement as is used on increment.

The original bug predates the upstreaming of cake, but the commit listed
in the Fixes tag touched that code, meaning that this patch won't apply
before that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46828

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46829
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

rtmutex: Drop rt_mutex::wait_lock before scheduling

rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held.  In the
good case it returns with the lock held and in the deadlock case it emits a
warning and goes into an endless scheduling loop with the lock held, which
triggers the 'scheduling in atomic' warning.

Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning
and dropping into the schedule for ever loop.

[ tglx: Moved unlock before the WARN(), removed the pointless comment,
  	massaged changelog, added Fixes tag ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46829

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46830
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS

Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly
leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX
reads guest memory.

Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN
via sync_regs(), which already holds SRCU.  I.e. trying to precisely use
kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause
problems.  Acquiring SRCU isn't all that expensive, so for simplicity,
grab it unconditionally for KVM_SET_VCPU_EVENTS.

 =============================
 WARNING: suspicious RCU usage
 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted
 -----------------------------
 include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!

 other info that might help us debug this:

 rcu_scheduler_active = 2, debug_locks = 1
 1 lock held by repro/1071:
  #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]

 stack backtrace:
 CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
 Call Trace:
  <TASK>
  dump_stack_lvl+0x7f/0x90
  lockdep_rcu_suspicious+0x13f/0x1a0
  kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]
  kvm_vcpu_read_guest+0x3e/0x90 [kvm]
  nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]
  load_vmcs12_host_state+0x432/0xb40 [kvm_intel]
  vmx_leave_nested+0x30/0x40 [kvm_intel]
  kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]
  kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]
  ? mark_held_locks+0x49/0x70
  ? kvm_vcpu_ioctl+0x7d/0x970 [kvm]
  ? kvm_vcpu_ioctl+0x497/0x970 [kvm]
  kvm_vcpu_ioctl+0x497/0x970 [kvm]
  ? lock_acquire+0xba/0x2d0
  ? find_held_lock+0x2b/0x80
  ? do_user_addr_fault+0x40c/0x6f0
  ? lock_release+0xb7/0x270
  __x64_sys_ioctl+0x82/0xb0
  do_syscall_64+0x6c/0x170
  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 RIP: 0033:0x7ff11eb1b539
  </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46830

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46831
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: microchip: vcap: Fix use-after-free error in kunit test

This is a clear use-after-free error. We remove it, and rely on checking
the return code of vcap_del_rule.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46831

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46832
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed

This avoids warning:

[    0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283

Caused by get_c0_compare_int on secondary CPU.

We also skipped saving IRQ number to struct clock_event_device *cd as
it's never used by clockevent core, as per comments it's only meant
for "non CPU local devices".
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46832

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46833
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hns3: void array out of bound when loop tnl_num

When query reg inf of SSU, it loops tnl_num times. However, tnl_num comes
from hardware and the length of array is a fixed value. To void array out
of bound, make sure the loop time is not greater than the length of array
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46833

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46834
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ethtool: fail closed if we can't get max channel used in indirection tables

Commit 0d1b7d6c9274 ("bnxt: fix crashes when reducing ring count with
active RSS contexts") proves that allowing indirection table to contain
channels with out of bounds IDs may lead to crashes. Currently the
max channel check in the core gets skipped if driver can't fetch
the indirection table or when we can't allocate memory.

Both of those conditions should be extremely rare but if they do
happen we should try to be safe and fail the channel change.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46834

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46835
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix smatch static checker warning

adev->gfx.imu.funcs could be NULL
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46835

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46836
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: aspeed_udc: validate endpoint index for ast udc

We should verify the bound of the array to assure that host
may not manipulate the index to point past endpoint array.

Found by static analysis.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46836

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46837
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Restrict high priorities on group_create

We were allowing any users to create a high priority group without any
permission checks. As a result, this was allowing possible denial of
service.

We now only allow the DRM master or users with the CAP_SYS_NICE
capability to set higher priorities than PANTHOR_GROUP_PRIORITY_MEDIUM.

As the sole user of that uAPI lives in Mesa and hardcode a value of
MEDIUM [1], this should be safe to do.

Additionally, as those checks are performed at the ioctl level,
panthor_group_create now only check for priority level validity.

[1]https://gitlab.freedesktop.org/mesa/mesa/-/blob/f390835074bdf162a63deb0311d1a6de527f9f89/src/gallium/drivers/panfrost/pan_csf.c#L1038
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46837

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46838
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: don't BUG_ON() if khugepaged yanks our page table

Since khugepaged was changed to allow retracting page tables in file
mappings without holding the mmap lock, these BUG_ON()s are wrong - get
rid of them.

We could also remove the preceding "if (unlikely(...))" block, but then we
could reach pte_offset_map_lock() with transhuge pages not just for file
mappings but also for anonymous mappings - which would probably be fine
but I think is not necessarily expected.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46838

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46840
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: clean up our handling of refs == 0 in snapshot delete

In reada we BUG_ON(refs == 0), which could be unkind since we aren't
holding a lock on the extent leaf and thus could get a transient
incorrect answer.  In walk_down_proc we also BUG_ON(refs == 0), which
could happen if we have extent tree corruption.  Change that to return
-EUCLEAN.  In do_walk_down() we catch this case and handle it correctly,
however we return -EIO, which -EUCLEAN is a more appropriate error code.
Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert
that to proper error handling.  Also adjust the error message so we can
actually do something with the information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46840

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46841
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc()

We handle errors here properly, ENOMEM isn't fatal, return the error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46841

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46842
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info

The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the
routine unconditionally frees submitted mailbox commands regardless of
return status.  The issue is that for MBX_TIMEOUT cases, when firmware
returns SFP information at a later time, that same mailbox memory region
references previously freed memory in its cmpl routine.

Fix by adding checks for the MBX_TIMEOUT return code.  During mailbox
resource cleanup, check the mbox flag to make sure that the wait did not
timeout.  If the MBOX_WAKE flag is not set, then do not free the resources
because it will be freed when firmware completes the mailbox at a later
time in its cmpl routine.

Also, increase the timeout from 30 to 60 seconds to accommodate boot
scripts requiring longer timeouts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46842

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46843
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Remove SCSI host only if added

If host tries to remove ufshcd driver from a UFS device it would cause a
kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before
adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host
has been defered after MCQ configuration introduced by commit 0cab4023ec7b
("scsi: ufs: core: Defer adding host to SCSI if MCQ is supported").

To guarantee that SCSI host is removed only if it has been added, set the
scsi_host_added flag to true after adding a SCSI host and check whether it
is set or not before removing it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46843

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46844
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

um: line: always fill *error_out in setup_one_line()

The pointer isn't initialized by callers, but I have
encountered cases where it's still printed; initialize
it in all possible cases in setup_one_line().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46844

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46845
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing/timerlat: Only clear timer if a kthread exists

The timerlat tracer can use user space threads to check for osnoise and
timer latency. If the program using this is killed via a SIGTERM, the
threads are shutdown one at a time and another tracing instance can start
up resetting the threads before they are fully closed. That causes the
hrtimer assigned to the kthread to be shutdown and freed twice when the
dying thread finally closes the file descriptors, causing a use-after-free
bug.

Only cancel the hrtimer if the associated thread is still around. Also add
the interface_lock around the resetting of the tlat_var->kthread.

Note, this is just a quick fix that can be backported to stable. A real
fix is to have a better synchronization between the shutdown of old
threads and the starting of new ones.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46845

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46846
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: rockchip: Resolve unbalanced runtime PM / system PM handling

Commit e882575efc77 ("spi: rockchip: Suspend and resume the bus during
NOIRQ_SYSTEM_SLEEP_PM ops") stopped respecting runtime PM status and
simply disabled clocks unconditionally when suspending the system. This
causes problems when the device is already runtime suspended when we go
to sleep -- in which case we double-disable clocks and produce a
WARNing.

Switch back to pm_runtime_force_{suspend,resume}(), because that still
seems like the right thing to do, and the aforementioned commit makes no
explanation why it stopped using it.

Also, refactor some of the resume() error handling, because it's not
actually a good idea to re-disable clocks on failure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46846

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46847
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: vmalloc: ensure vmap_block is initialised before adding to queue

Commit 8c61291fd850 ("mm: fix incorrect vbq reference in
purge_fragmented_block") extended the 'vmap_block' structure to contain a
'cpu' field which is set at allocation time to the id of the initialising
CPU.

When a new 'vmap_block' is being instantiated by new_vmap_block(), the
partially initialised structure is added to the local 'vmap_block_queue'
xarray before the 'cpu' field has been initialised.  If another CPU is
concurrently walking the xarray (e.g.  via vm_unmap_aliases()), then it
may perform an out-of-bounds access to the remote queue thanks to an
uninitialised index.

This has been observed as UBSAN errors in Android:

 | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP
 |
 | Call trace:
 |  purge_fragmented_block+0x204/0x21c
 |  _vm_unmap_aliases+0x170/0x378
 |  vm_unmap_aliases+0x1c/0x28
 |  change_memory_common+0x1dc/0x26c
 |  set_memory_ro+0x18/0x24
 |  module_enable_ro+0x98/0x238
 |  do_init_module+0x1b0/0x310

Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the
addition to the xarray.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46847

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46848
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Limit the period on Haswell

Running the ltp test cve-2015-3290 concurrently reports the following
warnings.

perfevents: irq loop stuck!
  WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174
  intel_pmu_handle_irq+0x285/0x370
  Call Trace:
   <NMI>
   ? __warn+0xa4/0x220
   ? intel_pmu_handle_irq+0x285/0x370
   ? __report_bug+0x123/0x130
   ? intel_pmu_handle_irq+0x285/0x370
   ? __report_bug+0x123/0x130
   ? intel_pmu_handle_irq+0x285/0x370
   ? report_bug+0x3e/0xa0
   ? handle_bug+0x3c/0x70
   ? exc_invalid_op+0x18/0x50
   ? asm_exc_invalid_op+0x1a/0x20
   ? irq_work_claim+0x1e/0x40
   ? intel_pmu_handle_irq+0x285/0x370
   perf_event_nmi_handler+0x3d/0x60
   nmi_handle+0x104/0x330

Thanks to Thomas Gleixner's analysis, the issue is caused by the low
initial period (1) of the frequency estimation algorithm, which triggers
the defects of the HW, specifically erratum HSW11 and HSW143. (For the
details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/)

The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL
event, but the initial period in the freq mode is 1. The erratum is the
same as the BDM11, which has been supported in the kernel. A minimum
period of 128 is enforced as well on HSW.

HSW143 is regarding that the fixed counter 1 may overcount 32 with the
Hyper-Threading is enabled. However, based on the test, the hardware
has more issues than it tells. Besides the fixed counter 1, the message
'interrupt took too long' can be observed on any counter which was armed
with a period < 32 and two events expired in the same NMI. A minimum
period of 32 is enforced for the rest of the events.
The recommended workaround code of the HSW143 is not implemented.
Because it only addresses the issue for the fixed counter. It brings
extra overhead through extra MSR writing. No related overcounting issue
has been reported so far.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46848

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46849
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: meson: axg-card: fix 'use-after-free'

Buffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()',
so move 'pad' pointer initialization after this function when memory is
already reallocated.

Kasan bug report:

==================================================================
BUG: KASAN: slab-use-after-free in axg_card_add_link+0x76c/0x9bc
Read of size 8 at addr ffff000000e8b260 by task modprobe/356

CPU: 0 PID: 356 Comm: modprobe Tainted: G O 6.9.12-sdkernel #1
Call trace:
 dump_backtrace+0x94/0xec
 show_stack+0x18/0x24
 dump_stack_lvl+0x78/0x90
 print_report+0xfc/0x5c0
 kasan_report+0xb8/0xfc
 __asan_load8+0x9c/0xb8
 axg_card_add_link+0x76c/0x9bc [snd_soc_meson_axg_sound_card]
 meson_card_probe+0x344/0x3b8 [snd_soc_meson_card_utils]
 platform_probe+0x8c/0xf4
 really_probe+0x110/0x39c
 __driver_probe_device+0xb8/0x18c
 driver_probe_device+0x108/0x1d8
 __driver_attach+0xd0/0x25c
 bus_for_each_dev+0xe0/0x154
 driver_attach+0x34/0x44
 bus_add_driver+0x134/0x294
 driver_register+0xa8/0x1e8
 __platform_driver_register+0x44/0x54
 axg_card_pdrv_init+0x20/0x1000 [snd_soc_meson_axg_sound_card]
 do_one_initcall+0xdc/0x25c
 do_init_module+0x10c/0x334
 load_module+0x24c4/0x26cc
 init_module_from_file+0xd4/0x128
 __arm64_sys_finit_module+0x1f4/0x41c
 invoke_syscall+0x60/0x188
 el0_svc_common.constprop.0+0x78/0x13c
 do_el0_svc+0x30/0x40
 el0_svc+0x38/0x78
 el0t_64_sync_handler+0x100/0x12c
 el0t_64_sync+0x190/0x194
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46849

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46850
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct()

dc_state_destruct() nulls the resource context of the DC state. The pipe
context passed to dcn35_set_drr() is a member of this resource context.

If dc_state_destruct() is called parallel to the IRQ processing (which
calls dcn35_set_drr() at some point), we can end up using already nulled
function callback fields of struct stream_resource.

The logic in dcn35_set_drr() already tries to avoid this, by checking tg
against NULL. But if the nulling happens exactly after the NULL check and
before the next access, then we get a race.

Avoid this by copying tg first to a local variable, and then use this
variable for all the operations. This should work, as long as nobody
frees the resource pool where the timing generators live.

(cherry picked from commit 0607a50c004798a96e62c089a4c34c220179dcb5)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46851
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct()

dc_state_destruct() nulls the resource context of the DC state. The pipe
context passed to dcn10_set_drr() is a member of this resource context.

If dc_state_destruct() is called parallel to the IRQ processing (which
calls dcn10_set_drr() at some point), we can end up using already nulled
function callback fields of struct stream_resource.

The logic in dcn10_set_drr() already tries to avoid this, by checking tg
against NULL. But if the nulling happens exactly after the NULL check and
before the next access, then we get a race.

Avoid this by copying tg first to a local variable, and then use this
variable for all the operations. This should work, as long as nobody
frees the resource pool where the timing generators live.

(cherry picked from commit a3cc326a43bdc48fbdf53443e1027a03e309b643)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46851

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46852
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dma-buf: heaps: Fix off-by-one in CMA heap fault handler

Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps:
Don't track CMA dma-buf pages under RssFile") it was possible to obtain
a mapping larger than the buffer size via mremap and bypass the overflow
check in dma_buf_mmap_internal. When using such a mapping to attempt to
fault past the end of the buffer, the CMA heap fault handler also checks
the fault offset against the buffer size, but gets the boundary wrong by
1. Fix the boundary check so that we don't read off the end of the pages
array and insert an arbitrary page in the mapping.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46852

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46853
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: nxp-fspi: fix the KASAN report out-of-bounds bug

Change the memcpy length to fix the out-of-bounds issue when writing the
data that is not 4 byte aligned to TX FIFO.

To reproduce the issue, write 3 bytes data to NOR chip.

dd if=3b of=/dev/mtd0
[   36.926103] ==================================================================
[   36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838
[   36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455
[   36.946721]
[   36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070
[   36.956185] Hardware name: Freescale i.MX8QM MEK (DT)
[   36.961260] Call trace:
[   36.963723]  dump_backtrace+0x90/0xe8
[   36.967414]  show_stack+0x18/0x24
[   36.970749]  dump_stack_lvl+0x78/0x90
[   36.974451]  print_report+0x114/0x5cc
[   36.978151]  kasan_report+0xa4/0xf0
[   36.981670]  __asan_report_load_n_noabort+0x1c/0x28
[   36.986587]  nxp_fspi_exec_op+0x26ec/0x2838
[   36.990800]  spi_mem_exec_op+0x8ec/0xd30
[   36.994762]  spi_mem_no_dirmap_read+0x190/0x1e0
[   36.999323]  spi_mem_dirmap_write+0x238/0x32c
[   37.003710]  spi_nor_write_data+0x220/0x374
[   37.007932]  spi_nor_write+0x110/0x2e8
[   37.011711]  mtd_write_oob_std+0x154/0x1f0
[   37.015838]  mtd_write_oob+0x104/0x1d0
[   37.019617]  mtd_write+0xb8/0x12c
[   37.022953]  mtdchar_write+0x224/0x47c
[   37.026732]  vfs_write+0x1e4/0x8c8
[   37.030163]  ksys_write+0xec/0x1d0
[   37.033586]  __arm64_sys_write+0x6c/0x9c
[   37.037539]  invoke_syscall+0x6c/0x258
[   37.041327]  el0_svc_common.constprop.0+0x160/0x22c
[   37.046244]  do_el0_svc+0x44/0x5c
[   37.049589]  el0_svc+0x38/0x78
[   37.052681]  el0t_64_sync_handler+0x13c/0x158
[   37.057077]  el0t_64_sync+0x190/0x194
[   37.060775]
[   37.062274] Allocated by task 455:
[   37.065701]  kasan_save_stack+0x2c/0x54
[   37.069570]  kasan_save_track+0x20/0x3c
[   37.073438]  kasan_save_alloc_info+0x40/0x54
[   37.077736]  __kasan_kmalloc+0xa0/0xb8
[   37.081515]  __kmalloc_noprof+0x158/0x2f8
[   37.085563]  mtd_kmalloc_up_to+0x120/0x154
[   37.089690]  mtdchar_write+0x130/0x47c
[   37.093469]  vfs_write+0x1e4/0x8c8
[   37.096901]  ksys_write+0xec/0x1d0
[   37.100332]  __arm64_sys_write+0x6c/0x9c
[   37.104287]  invoke_syscall+0x6c/0x258
[   37.108064]  el0_svc_common.constprop.0+0x160/0x22c
[   37.112972]  do_el0_svc+0x44/0x5c
[   37.116319]  el0_svc+0x38/0x78
[   37.119401]  el0t_64_sync_handler+0x13c/0x158
[   37.123788]  el0t_64_sync+0x190/0x194
[   37.127474]
[   37.128977] The buggy address belongs to the object at ffff00081037c2a0
[   37.128977]  which belongs to the cache kmalloc-8 of size 8
[   37.141177] The buggy address is located 0 bytes inside of
[   37.141177]  allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)
[   37.153465]
[   37.154971] The buggy address belongs to the physical page:
[   37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c
[   37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   37.175149] page_type: 0xfdffffff(slab)
[   37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000
[   37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000
[   37.194553] page dumped because: kasan: bad access detected
[   37.200144]
[   37.201647] Memory state around the buggy address:
[   37.206460]  ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
[   37.213701]  ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc
[   37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc
[   37.228186]                                ^
[   37.232473]  ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.239718]  ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.246962] ==============================================================
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46853

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46854
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dpaa: Pad packets to ETH_ZLEN

When sending packets under 60 bytes, up to three bytes of the buffer
following the data may be leaked. Avoid this by extending all packets to
ETH_ZLEN, ensuring nothing is leaked in the padding. This bug can be
reproduced by running

	$ ping -s 11 destination
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46854

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46855
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_socket: fix sk refcount leaks

We must put 'sk' reference before returning.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46855

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46856
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: phy: dp83822: Fix NULL pointer dereference on DP83825 devices

The probe() function is only used for DP83822 and DP83826 PHY,
leaving the private data pointer uninitialized for the DP83825 models
which causes a NULL pointer dereference in the recently introduced/changed
functions dp8382x_config_init() and dp83822_set_wol().

Add the dp8382x_probe() function, so all PHY models will have a valid
private data pointer to fix this issue and also prevent similar issues
in the future.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46856

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46857
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix bridge mode operations when there are no VFs

Currently, trying to set the bridge mode attribute when numvfs=0 leads to a
crash:

bridge link set dev eth2 hwmode vepa

[  168.967392] BUG: kernel NULL pointer dereference, address: 0000000000000030
[...]
[  168.969989] RIP: 0010:mlx5_add_flow_rules+0x1f/0x300 [mlx5_core]
[...]
[  168.976037] Call Trace:
[  168.976188]  <TASK>
[  168.978620]  _mlx5_eswitch_set_vepa_locked+0x113/0x230 [mlx5_core]
[  168.979074]  mlx5_eswitch_set_vepa+0x7f/0xa0 [mlx5_core]
[  168.979471]  rtnl_bridge_setlink+0xe9/0x1f0
[  168.979714]  rtnetlink_rcv_msg+0x159/0x400
[  168.980451]  netlink_rcv_skb+0x54/0x100
[  168.980675]  netlink_unicast+0x241/0x360
[  168.980918]  netlink_sendmsg+0x1f6/0x430
[  168.981162]  ____sys_sendmsg+0x3bb/0x3f0
[  168.982155]  ___sys_sendmsg+0x88/0xd0
[  168.985036]  __sys_sendmsg+0x59/0xa0
[  168.985477]  do_syscall_64+0x79/0x150
[  168.987273]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  168.987773] RIP: 0033:0x7f8f7950f917

(esw->fdb_table.legacy.vepa_fdb is null)

The bridge mode is only relevant when there are multiple functions per
port. Therefore, prevent setting and getting this setting when there are no
VFs.

Note that after this change, there are no settings to change on the PF
interface using `bridge link` when there are no VFs, so the interface no
longer appears in the `bridge link` output.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46857

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46858
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: Fix uaf in __timer_delete_sync

There are two paths to access mptcp_pm_del_add_timer, result in a race
condition:

     CPU1				CPU2
     ====                               ====
     net_rx_action
     napi_poll                          netlink_sendmsg
     __napi_poll                        netlink_unicast
     process_backlog                    netlink_unicast_kernel
     __netif_receive_skb                genl_rcv
     __netif_receive_skb_one_core       netlink_rcv_skb
     NF_HOOK                            genl_rcv_msg
     ip_local_deliver_finish            genl_family_rcv_msg
     ip_protocol_deliver_rcu            genl_family_rcv_msg_doit
     tcp_v4_rcv                         mptcp_pm_nl_flush_addrs_doit
     tcp_v4_do_rcv                      mptcp_nl_remove_addrs_list
     tcp_rcv_established                mptcp_pm_remove_addrs_and_subflows
     tcp_data_queue                     remove_anno_list_by_saddr
     mptcp_incoming_options             mptcp_pm_del_add_timer
     mptcp_pm_del_add_timer             kfree(entry)

In remove_anno_list_by_saddr(running on CPU2), after leaving the critical
zone protected by "pm.lock", the entry will be released, which leads to the
occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).

Keeping a reference to add_timer inside the lock, and calling
sk_stop_timer_sync() with this reference, instead of "entry->add_timer".

Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,
do not directly access any members of the entry outside the pm lock, which
can avoid similar "entry->x" uaf.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46859
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses

The panasonic laptop code in various places uses the SINF array with index
values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array
is big enough.

Not all panasonic laptops have this many SINF array entries, for example
the Toughbook CF-18 model only has 10 SINF array entries. So it only
supports the AC+DC brightness entries and mute.

Check that the SINF array has a minimum size which covers all AC+DC
brightness entries and refuse to load if the SINF array is smaller.

For higher SINF indexes hide the sysfs attributes when the SINF array
does not contain an entry for that attribute, avoiding show()/store()
accessing the array out of bounds and add bounds checking to the probe()
and resume() code accessing these.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46859

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46860
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change

When disabling wifi mt7921_ipv6_addr_change() is called as a notifier.
At this point mvif->phy is already NULL so we cannot use it here.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46860

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46861
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usbnet: ipheth: do not stop RX on failing RX callback

RX callbacks can fail for multiple reasons:

* Payload too short
* Payload formatted incorrecly (e.g. bad NCM framing)
* Lack of memory

None of these should cause the driver to seize up.

Make such failures non-critical and continue processing further
incoming URBs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46861

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46862
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: Intel: soc-acpi-intel-mtl-match: add missing empty item

There is no links_num in struct snd_soc_acpi_mach {}, and we test
!link->num_adr as a condition to end the loop in hda_sdw_machine_select().
So an empty item in struct snd_soc_acpi_link_adr array is required.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46862

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46863
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: Intel: soc-acpi-intel-lnl-match: add missing empty item

There is no links_num in struct snd_soc_acpi_mach {}, and we test
!link->num_adr as a condition to end the loop in hda_sdw_machine_select().
So an empty item in struct snd_soc_acpi_link_adr array is required.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46863

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46864
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/hyperv: fix kexec crash due to VP assist page corruption

commit 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when
CPUs go online/offline") introduces a new cpuhp state for hyperv
initialization.

cpuhp_setup_state() returns the state number if state is
CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN and 0 for all other states.
For the hyperv case, since a new cpuhp state was introduced it would
return 0. However, in hv_machine_shutdown(), the cpuhp_remove_state() call
is conditioned upon "hyperv_init_cpuhp > 0". This will never be true and
so hv_cpu_die() won't be called on all CPUs. This means the VP assist page
won't be reset. When the kexec kernel tries to setup the VP assist page
again, the hypervisor corrupts the memory region of the old VP assist page
causing a panic in case the kexec kernel is using that memory elsewhere.
This was originally fixed in commit dfe94d4086e4 ("x86/hyperv: Fix kexec
panic/hang issues").

Get rid of hyperv_init_cpuhp entirely since we are no longer using a
dynamic cpuhp state and use CPUHP_AP_HYPERV_ONLINE directly with
cpuhp_remove_state().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46864

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46865
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fou: fix initialization of grc

The grc must be initialize first. There can be a condition where if
fou is NULL, goto out will be executed and grc would be used
uninitialized.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46865

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46866
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe/client: add missing bo locking in show_meminfo()

bo_meminfo() wants to inspect bo state like tt and the ttm resource,
however this state can change at any point leading to stuff like NPD and
UAF, if the bo lock is not held. Grab the bo lock when calling
bo_meminfo(), ensuring we drop any spinlocks first. In the case of
object_idr we now also need to hold a ref.

v2 (MattB)
  - Also add xe_bo_assert_held()

(cherry picked from commit 4f63d712fa104c3ebefcb289d1e733e86d8698c7)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46866

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46867
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe/client: fix deadlock in show_meminfo()

There is a real deadlock as well as sleeping in atomic() bug in here, if
the bo put happens to be the last ref, since bo destruction wants to
grab the same spinlock and sleeping locks.  Fix that by dropping the ref
using xe_bo_put_deferred(), and moving the final commit outside of the
lock. Dropping the lock around the put is tricky since the bo can go
out of scope and delete itself from the list, making it difficult to
navigate to the next list entry.

(cherry picked from commit 0083b8e6f11d7662283a267d4ce7c966812ffd8a)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46867

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46868
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire()

If the __qcuefi pointer is not set, then in the original code, we would
hold onto the lock.  That means that if we tried to set it later, then
it would cause a deadlock.  Drop the lock on the error path.  That's
what all the callers are expecting.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46868

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46869
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btintel_pcie: Allocate memory for driver private data

Fix driver not allocating memory for struct btintel_data which is used
to store internal data.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46869

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46870
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Disable DMCUB timeout for DCN35

[Why]
DMCUB can intermittently take longer than expected to process commands.

Old ASIC policy was to continue while logging a diagnostic error - which
works fine for ASIC without IPS, but with IPS this could lead to a race
condition where we attempt to access DCN state while it's inaccessible,
leading to a system hang when the NIU port is not disabled or register
accesses that timeout and the display configuration in an undefined
state.

[How]
We need to investigate why these accesses take longer than expected, but
for now we should disable the timeout on DCN35 to avoid this race
condition. Since the waits happen only at lower interrupt levels the
risk of taking too long at higher IRQ and causing a system watchdog
timeout are minimal.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46870

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-46871
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX

[Why & How]
It actually exposes '6' types in enum dmub_notification_type. Not 5. Using smaller
number to create array dmub_callback & dmub_thread_offload has potential to access
item out of array bound. Fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-46871

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47658
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: stm32/cryp - call finalize with bh disabled

The finalize operation in interrupt mode produce a produces a spinlock
recursion warning. The reason is the fact that BH must be disabled
during this process.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47658

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47659
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smack: tcp: ipv4, fix incorrect labeling

Currently, Smack mirrors the label of incoming tcp/ipv4 connections:
when a label 'foo' connects to a label 'bar' with tcp/ipv4,
'foo' always gets 'foo' in returned ipv4 packets. So,
1) returned packets are incorrectly labeled ('foo' instead of 'bar')
2) 'bar' can write to 'foo' without being authorized to write.

Here is a scenario how to see this:

* Take two machines, let's call them C and S,
   with active Smack in the default state
   (no settings, no rules, no labeled hosts, only builtin labels)

* At S, add Smack rule 'foo bar w'
   (labels 'foo' and 'bar' are instantiated at S at this moment)

* At S, at label 'bar', launch a program
   that listens for incoming tcp/ipv4 connections

* From C, at label 'foo', connect to the listener at S.
   (label 'foo' is instantiated at C at this moment)
   Connection succeedes and works.

* Send some data in both directions.
* Collect network traffic of this connection.

All packets in both directions are labeled with the CIPSO
of the label 'foo'. Hence, label 'bar' writes to 'foo' without
being authorized, and even without ever being known at C.

If anybody cares: exactly the same happens with DCCP.

This behavior 1st manifested in release 2.6.29.4 (see Fixes below)
and it looks unintentional. At least, no explanation was provided.

I changed returned packes label into the 'bar',
to bring it into line with the Smack documentation claims.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47659

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47660
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fsnotify: clear PARENT_WATCHED flags lazily

In some setups directories can have many (usually negative) dentries.
Hence __fsnotify_update_child_dentry_flags() function can take a
significant amount of time. Since the bulk of this function happens
under inode->i_lock this causes a significant contention on the lock
when we remove the watch from the directory as the
__fsnotify_update_child_dentry_flags() call from fsnotify_recalc_mask()
races with __fsnotify_update_child_dentry_flags() calls from
__fsnotify_parent() happening on children. This can lead upto softlockup
reports reported by users.

Fix the problem by calling fsnotify_update_children_dentry_flags() to
set PARENT_WATCHED flags only when parent starts watching children.

When parent stops watching children, clear false positive PARENT_WATCHED
flags lazily in __fsnotify_parent() for each accessed child.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47660

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47661
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid overflow from uint32_t to uint8_t

[WHAT & HOW]
dmub_rb_cmd's ramping_boundary has size of uint8_t and it is assigned
0xFFFF. Fix it by changing it to uint8_t with value of 0xFF.

This fixes 2 INTEGER_OVERFLOW issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47661

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47662
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Remove register from DCN35 DMCUB diagnostic collection

[Why]
These registers should not be read from driver and triggering the
security violation when DMCUB work times out and diagnostics are
collected blocks Z8 entry.

[How]
Remove the register read from DCN35.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47662

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47663
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

staging: iio: frequency: ad9834: Validate frequency parameter value

In ad9834_write_frequency() clk_get_rate() can return 0. In such case
ad9834_calc_freqreg() call will lead to division by zero. Checking
'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0.
ad9834_write_frequency() is called from ad9834_write(), where fout is
taken from text buffer, which can contain any value.

Modify parameters checking.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47663

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47664
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware

If the value of max_speed_hz is 0, it may cause a division by zero
error in hisi_calc_effective_speed().
The value of max_speed_hz is provided by firmware.
Firmware is generally considered as a trusted domain. However, as
division by zero errors can cause system failure, for defense measure,
the value of max_speed is validated here. So 0 is regarded as invalid
and an error code is returned.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47664

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47665
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup

Definitely condition dma_get_cache_alignment * defined value > 256
during driver initialization is not reason to BUG_ON(). Turn that to
graceful error out with -EINVAL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47665

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47666
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Set phy->enable_completion only when we wait for it

pm8001_phy_control() populates the enable_completion pointer with a stack
address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and
returns. The problem arises when a phy control response comes late.  After
300 ms the pm8001_phy_control() function returns and the passed
enable_completion stack address is no longer valid. Late phy control
response invokes complete() on a dangling enable_completion pointer which
leads to a kernel crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47666

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47667
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)

Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0
(SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an
inbound PCIe TLP spans more than two internal AXI 128-byte bursts,
the bus may corrupt the packet payload and the corrupt data may
cause associated applications or the processor to hang.

The workaround for Errata #i2037 is to limit the maximum read
request size and maximum payload size to 128 bytes. Add workaround
for Errata #i2037 here.

The errata and workaround is applicable only to AM65x SR 1.0 and
later versions of the silicon will have this fixed.

[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47667

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47668
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()

If we need to increase the tree depth, allocate a new node, and then
race with another thread that increased the tree depth before us, we'll
still have a preallocated node that might be used later.

If we then use that node for a new non-root node, it'll still have a
pointer to the old root instead of being zeroed - fix this by zeroing it
in the cmpxchg failure path.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47668

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47669
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix state management in error path of log writing function

After commit a694291a6211 ("nilfs2: separate wait function from
nilfs_segctor_write") was applied, the log writing function
nilfs_segctor_do_construct() was able to issue I/O requests continuously
even if user data blocks were split into multiple logs across segments,
but two potential flaws were introduced in its error handling.

First, if nilfs_segctor_begin_construction() fails while creating the
second or subsequent logs, the log writing function returns without
calling nilfs_segctor_abort_construction(), so the writeback flag set on
pages/folios will remain uncleared.  This causes page cache operations to
hang waiting for the writeback flag.  For example,
truncate_inode_pages_final(), which is called via nilfs_evict_inode() when
an inode is evicted from memory, will hang.

Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. 
As a result, if the next log write involves checkpoint creation, that's
fine, but if a partial log write is performed that does not, inodes with
NILFS_I_COLLECTED set are erroneously removed from the "sc_dirty_files"
list, and their data and b-tree blocks may not be written to the device,
corrupting the block mapping.

Fix these issues by uniformly calling nilfs_segctor_abort_construction()
on failure of each step in the loop in nilfs_segctor_do_construct(),
having it clean up logs and segment usages according to progress, and
correcting the conditions for calling nilfs_redirty_inodes() to ensure
that the NILFS_I_COLLECTED flag is cleared.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47669

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47670
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: add bounds checking to ocfs2_xattr_find_entry()

Add a paranoia check to make sure it doesn't stray beyond valid memory
region containing ocfs2 xattr entries when scanning for a match.  It will
prevent out-of-bound access in case of crafted images.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47670

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47671
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

USB: usbtmc: prevent kernel-usb-infoleak

The syzbot reported a kernel-usb-infoleak in usbtmc_write,
we need to clear the structure before filling fields.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47671

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47672
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead

There is a WARNING in iwl_trans_wait_tx_queues_empty() (that was
recently converted from just a message), that can be hit if we
wait for TX queues to become empty after firmware died. Clearly,
we can't expect anything from the firmware after it's declared dead.

Don't call iwl_trans_wait_tx_queues_empty() in this case. While it could
be a good idea to stop the flow earlier, the flush functions do some
maintenance work that is not related to the firmware, so keep that part
of the code running even when the firmware is not running.

[edit commit message]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47672

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47673
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: pause TCM when the firmware is stopped

Not doing so will make us send a host command to the transport while the
firmware is not alive, which will trigger a WARNING.

bad state = 0
WARNING: CPU: 2 PID: 17434 at drivers/net/wireless/intel/iwlwifi/iwl-trans.c:115 iwl_trans_send_cmd+0x1cb/0x1e0 [iwlwifi]
RIP: 0010:iwl_trans_send_cmd+0x1cb/0x1e0 [iwlwifi]
Call Trace:
 <TASK>
 iwl_mvm_send_cmd+0x40/0xc0 [iwlmvm]
 iwl_mvm_config_scan+0x198/0x260 [iwlmvm]
 iwl_mvm_recalc_tcm+0x730/0x11d0 [iwlmvm]
 iwl_mvm_tcm_work+0x1d/0x30 [iwlmvm]
 process_one_work+0x29e/0x640
 worker_thread+0x2df/0x690
 ? rescuer_thread+0x540/0x540
 kthread+0x192/0x1e0
 ? set_kthread_struct+0x90/0x90
 ret_from_fork+0x22/0x30
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47673

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47674
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: avoid leaving partial pfn mappings around in error case

As Jann points out, PFN mappings are special, because unlike normal
memory mappings, there is no lifetime information associated with the
mapping - it is just a raw mapping of PFNs with no reference counting of
a 'struct page'.

That's all very much intentional, but it does mean that it's easy to
mess up the cleanup in case of errors.  Yes, a failed mmap() will always
eventually clean up any partial mappings, but without any explicit
lifetime in the page table mapping itself, it's very easy to do the
error handling in the wrong order.

In particular, it's easy to mistakenly free the physical backing store
before the page tables are actually cleaned up and (temporarily) have
stale dangling PTE entries.

To make this situation less error-prone, just make sure that any partial
pfn mapping is torn down early, before any other error handling.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47674

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47675
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()

If bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the
error_free label and frees the array of bpf_uprobe's without calling
bpf_uprobe_unregister().

This leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer
without removing it from the uprobe->consumers list.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47675

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47676
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway

Syzbot reports a UAF in hugetlb_fault().  This happens because
vmf_anon_prepare() could drop the per-VMA lock and allow the current VMA
to be freed before hugetlb_vma_unlock_read() is called.

We can fix this by using a modified version of vmf_anon_prepare() that
doesn't release the VMA lock on failure, and then release it ourselves
after hugetlb_vma_unlock_read().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47676

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47677
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

exfat: resolve memory leak from exfat_create_upcase_table()

If exfat_load_upcase_table reaches end and returns -EINVAL,
allocated memory doesn't get freed and while
exfat_load_default_upcase_table allocates more memory, leading to a
memory leak.

Here's link to syzkaller crash report illustrating this issue:
https://syzkaller.appspot.com/text?tag=CrashReport&x=1406c201980000
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47677

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47678
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

icmp: change the order of rate limits

ICMP messages are ratelimited :

After the blamed commits, the two rate limiters are applied in this order:

1) host wide ratelimit (icmp_global_allow())

2) Per destination ratelimit (inetpeer based)

In order to avoid side-channels attacks, we need to apply
the per destination check first.

This patch makes the following change :

1) icmp_global_allow() checks if the host wide limit is reached.
   But credits are not yet consumed. This is deferred to 3)

2) The per destination limit is checked/updated.
   This might add a new node in inetpeer tree.

3) icmp_global_consume() consumes tokens if prior operations succeeded.

This means that host wide ratelimit is still effective
in keeping inetpeer tree small even under DDOS.

As a bonus, I removed icmp_global.lock as the fast path
can use a lock-free operation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47678

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47679
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vfs: fix race between evice_inodes() and find_inode()&iput()

Hi, all

Recently I noticed a bug[1] in btrfs, after digged it into
and I believe it'a race in vfs.

Let's assume there's a inode (ie ino 261) with i_count 1 is
called by iput(), and there's a concurrent thread calling
generic_shutdown_super().

cpu0:                              cpu1:
iput() // i_count is 1
  ->spin_lock(inode)
  ->dec i_count to 0
  ->iput_final()                    generic_shutdown_super()
    ->__inode_add_lru()               ->evict_inodes()
      // cause some reason[2]           ->if (atomic_read(inode->i_count)) continue;
      // return before                  // inode 261 passed the above check
      // list_lru_add_obj()             // and then schedule out
   ->spin_unlock()
// note here: the inode 261
// was still at sb list and hash list,
// and I_FREEING|I_WILL_FREE was not been set

btrfs_iget()
  // after some function calls
  ->find_inode()
    // found the above inode 261
    ->spin_lock(inode)
   // check I_FREEING|I_WILL_FREE
   // and passed
      ->__iget()
    ->spin_unlock(inode)                // schedule back
                                        ->spin_lock(inode)
                                        // check (I_NEW|I_FREEING|I_WILL_FREE) flags,
                                        // passed and set I_FREEING
iput()                                  ->spin_unlock(inode)
  ->spin_lock(inode)			  ->evict()
  // dec i_count to 0
  ->iput_final()
    ->spin_unlock()
    ->evict()

Now, we have two threads simultaneously evicting
the same inode, which may trigger the BUG(inode->i_state & I_CLEAR)
statement both within clear_inode() and iput().

To fix the bug, recheck the inode->i_count after holding i_lock.
Because in the most scenarios, the first check is valid, and
the overhead of spin_lock() can be reduced.

If there is any misunderstanding, please let me know, thanks.

[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/
[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()
return false when I reproduced the bug.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47679

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47680
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: check discard support for conventional zones

As the helper function f2fs_bdev_support_discard() shows, f2fs checks if
the target block devices support discard by calling
bdev_max_discard_sectors() and bdev_is_zoned(). This check works well
for most cases, but it does not work for conventional zones on zoned
block devices. F2fs assumes that zoned block devices support discard,
and calls __submit_discard_cmd(). When __submit_discard_cmd() is called
for sequential write required zones, it works fine since
__submit_discard_cmd() issues zone reset commands instead of discard
commands. However, when __submit_discard_cmd() is called for
conventional zones, __blkdev_issue_discard() is called even when the
devices do not support discard.

The inappropriate __blkdev_issue_discard() call was not a problem before
the commit 30f1e7241422 ("block: move discard checks into the ioctl
handler") because __blkdev_issue_discard() checked if the target devices
support discard or not. If not, it returned EOPNOTSUPP. After the
commit, __blkdev_issue_discard() no longer checks it. It always returns
zero and sets NULL to the given bio pointer. This NULL pointer triggers
f2fs_bug_on() in __submit_discard_cmd(). The BUG is recreated with the
commands below at the umount step, where /dev/nullb0 is a zoned null_blk
with 5GB total size, 128MB zone size and 10 conventional zones.

$ mkfs.f2fs -f -m /dev/nullb0
$ mount /dev/nullb0 /mnt
$ for ((i=0;i<5;i++)); do dd if=/dev/zero of=/mnt/test bs=65536 count=1600 conv=fsync; done
$ umount /mnt

To fix the BUG, avoid the inappropriate __blkdev_issue_discard() call.
When discard is requested for conventional zones, check if the device
supports discard or not. If not, return EOPNOTSUPP.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47680

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47681
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he

Fix the NULL pointer dereference in mt7996_mcu_sta_bfer_he
routine adding an sta interface to the mt7996 driver.

Found by code review.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47681

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47682
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: sd: Fix off-by-one error in sd_read_block_characteristics()

Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for
example), sd_read_block_characteristics() may attempt an out-of-bounds
memory access when accessing the zoned field at offset 8.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47682

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47683
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Skip Recompute DSC Params if no Stream on Link

[why]
Encounter NULL pointer dereference uner mst + dsc setup.

BUG: kernel NULL pointer dereference, address: 0000000000000008
    PGD 0 P4D 0
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2
    Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022
    RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
    Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
    RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
    RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
    RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
    RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
    R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
    R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
    FS:  00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0
    Call Trace:
<TASK>
     ? __die+0x23/0x70
     ? page_fault_oops+0x171/0x4e0
     ? plist_add+0xbe/0x100
     ? exc_page_fault+0x7c/0x180
     ? asm_exc_page_fault+0x26/0x30
     ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
     ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
     compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
     ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
     compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
     amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
     drm_atomic_check_only+0x5c5/0xa40
     drm_mode_atomic_ioctl+0x76e/0xbc0

[how]
dsc recompute should be skipped if no mode change detected on the new
request. If detected, keep checking whether the stream is already on
current state or not.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47683

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47684
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tcp: check skb is non-NULL in tcp_rto_delta_us()

We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic
kernel that are running ceph and recently hit a null ptr dereference in
tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also
saw it getting hit from the RACK case as well. Here are examples of the oops
messages we saw in each of those cases:

Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020
Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode
Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page
Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0
Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI
Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu
Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554
Jul 26 15:05:02 rx [11061395.916786] Call Trace:
Jul 26 15:05:02 rx [11061395.919488]
Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f
Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9
Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380
Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50
Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140
Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90
Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0
Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40
Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220
Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240
Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0
Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240
Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130
Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280
Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10
Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30
Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_even
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47684

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47685
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending
garbage on the four reserved tcp bits (th->res1)

Use skb_put_zero() to clear the whole TCP header,
as done in nf_reject_ip_tcphdr_put()

BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
  nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
  nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
  nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
  nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
  nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
  nf_hook include/linux/netfilter.h:269 [inline]
  NF_HOOK include/linux/netfilter.h:312 [inline]
  ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
  __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
  __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
  process_backlog+0x4ad/0xa50 net/core/dev.c:6108
  __napi_poll+0xe7/0x980 net/core/dev.c:6772
  napi_poll net/core/dev.c:6841 [inline]
  net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
  handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
  __do_softirq+0x14/0x1a kernel/softirq.c:588
  do_softirq+0x9a/0x100 kernel/softirq.c:455
  __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
  local_bh_enable include/linux/bottom_half.h:33 [inline]
  rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
  __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
  dev_queue_xmit include/linux/netdevice.h:3105 [inline]
  neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
  neigh_output include/net/neighbour.h:542 [inline]
  ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
  __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
  ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
  NF_HOOK_COND include/linux/netfilter.h:303 [inline]
  ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
  dst_output include/net/dst.h:450 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
  inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
  __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
  tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
  tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
  tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
  __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
  inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
  __sys_connect_file net/socket.c:2061 [inline]
  __sys_connect+0x606/0x690 net/socket.c:2078
  __do_sys_connect net/socket.c:2088 [inline]
  __se_sys_connect net/socket.c:2085 [inline]
  __x64_sys_connect+0x91/0xe0 net/socket.c:2085
  x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
  nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
  nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
  nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
  nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
  nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
  nf_hook include/linux/netfilter.h:269 [inline]
  NF_HOOK include/linux/netfilter.h:312 [inline]
  ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
  __netif_receive_skb_one_core
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47685

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47686
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate()

The psc->div[] array has psc->num_div elements.  These values come from
when we call clk_hw_register_div().  It's adc_divisors and
ARRAY_SIZE(adc_divisors)) and so on.  So this condition needs to be >=
instead of > to prevent an out of bounds read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47686

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47687
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vdpa/mlx5: Fix invalid mr resource destroy

Certain error paths from mlx5_vdpa_dev_add() can end up releasing mr
resources which never got initialized in the first place.

This patch adds the missing check in mlx5_vdpa_destroy_mr_resources()
to block releasing non-initialized mr resources.

Reference trace:

  mlx5_core 0000:08:00.2: mlx5_vdpa_dev_add:3274:(pid 2700) warning: No mac address provisioned?
  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 140216067 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 8 PID: 2700 Comm: vdpa Kdump: loaded Not tainted 5.14.0-496.el9.x86_64 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
  RIP: 0010:vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]
  Code: [...]
  RSP: 0018:ff1c823ac23077f0 EFLAGS: 00010246
  RAX: ffffffffc1a21a60 RBX: ffffffff899567a0 RCX: 0000000000000000
  RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000000000000
  RBP: ff1bda1f7c21e800 R08: 0000000000000000 R09: ff1c823ac2307670
  R10: ff1c823ac2307668 R11: ffffffff8a9e7b68 R12: 0000000000000000
  R13: 0000000000000000 R14: ff1bda1f43e341a0 R15: 00000000ffffffea
  FS:  00007f56eba7c740(0000) GS:ff1bda269f800000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 0000000104d90001 CR4: 0000000000771ef0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:

   ? show_trace_log_lvl+0x1c4/0x2df
   ? show_trace_log_lvl+0x1c4/0x2df
   ? mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]
   ? __die_body.cold+0x8/0xd
   ? page_fault_oops+0x134/0x170
   ? __irq_work_queue_local+0x2b/0xc0
   ? irq_work_queue+0x2c/0x50
   ? exc_page_fault+0x62/0x150
   ? asm_exc_page_fault+0x22/0x30
   ? __pfx_mlx5_vdpa_free+0x10/0x10 [mlx5_vdpa]
   ? vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]
   mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]
   vdpa_release_dev+0x1e/0x50 [vdpa]
   device_release+0x31/0x90
   kobject_cleanup+0x37/0x130
   mlx5_vdpa_dev_add+0x2d2/0x7a0 [mlx5_vdpa]
   vdpa_nl_cmd_dev_add_set_doit+0x277/0x4c0 [vdpa]
   genl_family_rcv_msg_doit+0xd9/0x130
   genl_family_rcv_msg+0x14d/0x220
   ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]
   ? _copy_to_user+0x1a/0x30
   ? move_addr_to_user+0x4b/0xe0
   genl_rcv_msg+0x47/0xa0
   ? __import_iovec+0x46/0x150
   ? __pfx_genl_rcv_msg+0x10/0x10
   netlink_rcv_skb+0x54/0x100
   genl_rcv+0x24/0x40
   netlink_unicast+0x245/0x370
   netlink_sendmsg+0x206/0x440
   __sys_sendto+0x1dc/0x1f0
   ? do_read_fault+0x10c/0x1d0
   ? do_pte_missing+0x10d/0x190
   __x64_sys_sendto+0x20/0x30
   do_syscall_64+0x5c/0xf0
   ? __count_memcg_events+0x4f/0xb0
   ? mm_account_fault+0x6c/0x100
   ? handle_mm_fault+0x116/0x270
   ? do_user_addr_fault+0x1d6/0x6a0
   ? do_syscall_64+0x6b/0xf0
   ? clear_bhb_loop+0x25/0x80
   ? clear_bhb_loop+0x25/0x80
   ? clear_bhb_loop+0x25/0x80
   ? clear_bhb_loop+0x25/0x80
   ? clear_bhb_loop+0x25/0x80
   entry_SYSCALL_64_after_hwframe+0x78/0x80
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47687

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47688
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

driver core: Fix a potential null-ptr-deref in module_add_driver()

Inject fault while probing of-fpga-region, if kasprintf() fails in
module_add_driver(), the second sysfs_remove_link() in exit path will cause
null-ptr-deref as below because kernfs_name_hash() will call strlen() with
NULL driver_name.

Fix it by releasing resources based on the exit path sequence.

	 KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	 Mem abort info:
	   ESR = 0x0000000096000005
	   EC = 0x25: DABT (current EL), IL = 32 bits
	   SET = 0, FnV = 0
	   EA = 0, S1PTW = 0
	   FSC = 0x05: level 1 translation fault
	 Data abort info:
	   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
	   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
	   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
	 [dfffffc000000000] address between user and kernel address ranges
	 Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
	 Dumping ftrace buffer:
	    (ftrace buffer empty)
	 Modules linked in: of_fpga_region(+) fpga_region fpga_bridge cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: of_fpga_region]
	 CPU: 2 UID: 0 PID: 2036 Comm: modprobe Not tainted 6.11.0-rc2-g6a0e38264012 #295
	 Hardware name: linux,dummy-virt (DT)
	 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	 pc : strlen+0x24/0xb0
	 lr : kernfs_name_hash+0x1c/0xc4
	 sp : ffffffc081f97380
	 x29: ffffffc081f97380 x28: ffffffc081f97b90 x27: ffffff80c821c2a0
	 x26: ffffffedac0be418 x25: 0000000000000000 x24: ffffff80c09d2000
	 x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
	 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000001840
	 x17: 0000000000000000 x16: 0000000000000000 x15: 1ffffff8103f2e42
	 x14: 00000000f1f1f1f1 x13: 0000000000000004 x12: ffffffb01812d61d
	 x11: 1ffffff01812d61c x10: ffffffb01812d61c x9 : dfffffc000000000
	 x8 : 0000004fe7ed29e4 x7 : ffffff80c096b0e7 x6 : 0000000000000001
	 x5 : ffffff80c096b0e0 x4 : 1ffffffdb990efa2 x3 : 0000000000000000
	 x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000000
	 Call trace:
	  strlen+0x24/0xb0
	  kernfs_name_hash+0x1c/0xc4
	  kernfs_find_ns+0x118/0x2e8
	  kernfs_remove_by_name_ns+0x80/0x100
	  sysfs_remove_link+0x74/0xa8
	  module_add_driver+0x278/0x394
	  bus_add_driver+0x1f0/0x43c
	  driver_register+0xf4/0x3c0
	  __platform_driver_register+0x60/0x88
	  of_fpga_region_init+0x20/0x1000 [of_fpga_region]
	  do_one_initcall+0x110/0x788
	  do_init_module+0x1dc/0x5c8
	  load_module+0x3c38/0x4cac
	  init_module_from_file+0xd4/0x128
	  idempotent_init_module+0x2cc/0x528
	  __arm64_sys_finit_module+0xac/0x100
	  invoke_syscall+0x6c/0x258
	  el0_svc_common.constprop.0+0x160/0x22c
	  do_el0_svc+0x44/0x5c
	  el0_svc+0x48/0xb8
	  el0t_64_sync_handler+0x13c/0x158
	  el0t_64_sync+0x190/0x194
	 Code: f2fbffe1 a90157f4 12000802 aa0003f5 (38e16861)
	 ---[ end trace 0000000000000000 ]---
	 Kernel panic - not syncing: Oops: Fatal exception
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47688

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47689
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()

syzbot reports a f2fs bug as below:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
CPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0
Workqueue: events destroy_super_work
RIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
Call Trace:
 percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42
 destroy_super_work+0xec/0x130 fs/super.c:282
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

As Christian Brauner pointed out [1]: the root cause is f2fs sets
SB_RDONLY flag in internal function, rather than setting the flag
covered w/ sb->s_umount semaphore via remount procedure, then below
race condition causes this bug:

- freeze_super()
 - sb_wait_write(sb, SB_FREEZE_WRITE)
 - sb_wait_write(sb, SB_FREEZE_PAGEFAULT)
 - sb_wait_write(sb, SB_FREEZE_FS)
					- f2fs_handle_critical_error
					 - sb->s_flags |= SB_RDONLY
- thaw_super
 - thaw_super_locked
  - sb_rdonly() is true, so it skips
    sb_freeze_unlock(sb, SB_FREEZE_FS)
  - deactivate_locked_super

Since f2fs has almost the same logic as ext4 [2] when handling critical
error in filesystem if it mounts w/ errors=remount-ro option:
- set CP_ERROR_FLAG flag which indicates filesystem is stopped
- record errors to superblock
- set SB_RDONLY falg
Once we set CP_ERROR_FLAG flag, all writable interfaces can detect the
flag and stop any further updates on filesystem. So, it is safe to not
set SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3].

[1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner
[2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3
[3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47689

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47690
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: get rid of online repaire on corrupted directory

syzbot reports a f2fs bug as below:

kernel BUG at fs/f2fs/inode.c:896!
RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
Call Trace:
 evict+0x532/0x950 fs/inode.c:704
 dispose_list fs/inode.c:747 [inline]
 evict_inodes+0x5f9/0x690 fs/inode.c:797
 generic_shutdown_super+0x9d/0x2d0 fs/super.c:627
 kill_block_super+0x44/0x90 fs/super.c:1696
 kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898
 deactivate_locked_super+0xc4/0x130 fs/super.c:473
 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
 task_work_run+0x24f/0x310 kernel/task_work.c:228
 ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
 ptrace_report_syscall include/linux/ptrace.h:415 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
 syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
 syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896

Online repaire on corrupted directory in f2fs_lookup() can generate
dirty data/meta while racing w/ readonly remount, it may leave dirty
inode after filesystem becomes readonly, however, checkpoint() will
skips flushing dirty inode in a state of readonly mode, result in
above panic.

Let's get rid of online repaire in f2fs_lookup(), and leave the work
to fsck.f2fs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47690

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47691
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

syzbot reports a f2fs bug as below:

 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_report+0xe8/0x550 mm/kasan/report.c:491
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
 __refcount_add include/linux/refcount.h:184 [inline]
 __refcount_inc include/linux/refcount.h:241 [inline]
 refcount_inc include/linux/refcount.h:258 [inline]
 get_task_struct include/linux/sched/task.h:118 [inline]
 kthread_stop+0xca/0x630 kernel/kthread.c:704
 f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
 f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
 f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
 __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is below race condition, it may cause use-after-free
issue in sbi->gc_th pointer.

- remount
 - f2fs_remount
  - f2fs_stop_gc_thread
   - kfree(gc_th)
				- f2fs_ioc_shutdown
				 - f2fs_do_shutdown
				  - f2fs_stop_gc_thread
				   - kthread_stop(gc_th->f2fs_gc_task)
   : sbi->gc_thread = NULL;

We will call f2fs_do_shutdown() in two paths:
- for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore
for fixing.
- for f2fs_shutdown() path, it's safe since caller has already grabbed
sb->s_umount semaphore.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47691

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47692
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: return -EINVAL when namelen is 0

When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may
result in namelen being 0, which will cause memdup_user() to return
ZERO_SIZE_PTR.
When we access the name.data that has been assigned the value of
ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is
triggered.

[ T1205] ==================================================================
[ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260
[ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205
[ T1205]
[ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406
[ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ T1205] Call Trace:
[ T1205]  dump_stack+0x9a/0xd0
[ T1205]  ? nfs4_client_to_reclaim+0xe9/0x260
[ T1205]  __kasan_report.cold+0x34/0x84
[ T1205]  ? nfs4_client_to_reclaim+0xe9/0x260
[ T1205]  kasan_report+0x3a/0x50
[ T1205]  nfs4_client_to_reclaim+0xe9/0x260
[ T1205]  ? nfsd4_release_lockowner+0x410/0x410
[ T1205]  cld_pipe_downcall+0x5ca/0x760
[ T1205]  ? nfsd4_cld_tracking_exit+0x1d0/0x1d0
[ T1205]  ? down_write_killable_nested+0x170/0x170
[ T1205]  ? avc_policy_seqno+0x28/0x40
[ T1205]  ? selinux_file_permission+0x1b4/0x1e0
[ T1205]  rpc_pipe_write+0x84/0xb0
[ T1205]  vfs_write+0x143/0x520
[ T1205]  ksys_write+0xc9/0x170
[ T1205]  ? __ia32_sys_read+0x50/0x50
[ T1205]  ? ktime_get_coarse_real_ts64+0xfe/0x110
[ T1205]  ? ktime_get_coarse_real_ts64+0xa2/0x110
[ T1205]  do_syscall_64+0x33/0x40
[ T1205]  entry_SYSCALL_64_after_hwframe+0x67/0xd1
[ T1205] RIP: 0033:0x7fdbdb761bc7
[ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514
[ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7
[ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008
[ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001
[ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b
[ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000
[ T1205] ==================================================================

Fix it by checking namelen.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47692

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47693
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

IB/core: Fix ib_cache_setup_one error flow cleanup

When ib_cache_update return an error, we exit ib_cache_setup_one
instantly with no proper cleanup, even though before this we had
already successfully done gid_table_setup_one, that results in
the kernel WARN below.

Do proper cleanup using gid_table_cleanup_one before returning
the err in order to fix the issue.

WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0
Modules linked in:
CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:gid_table_release_one+0x181/0x1a0
Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8    3 c4 10 5b 5d 41 5c 41 5d 41
RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527
RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001
RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631
R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001
R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001
FS:  00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? show_regs+0x94/0xa0
 ? __warn+0x9e/0x1c0
 ? gid_table_release_one+0x181/0x1a0
 ? report_bug+0x1f9/0x340
 ? gid_table_release_one+0x181/0x1a0
 ? handle_bug+0xa2/0x110
 ? exc_invalid_op+0x31/0xa0
 ? asm_exc_invalid_op+0x16/0x20
 ? __warn_printk+0xc7/0x180
 ? __warn_printk+0xd4/0x180
 ? gid_table_release_one+0x181/0x1a0
 ib_device_release+0x71/0xe0
 ? __pfx_ib_device_release+0x10/0x10
 device_release+0x44/0xd0
 kobject_put+0x135/0x3d0
 put_device+0x20/0x30
 rxe_net_add+0x7d/0xa0
 rxe_newlink+0xd7/0x190
 nldev_newlink+0x1b0/0x2a0
 ? __pfx_nldev_newlink+0x10/0x10
 rdma_nl_rcv_msg+0x1ad/0x2e0
 rdma_nl_rcv_skb.constprop.0+0x176/0x210
 netlink_unicast+0x2de/0x400
 netlink_sendmsg+0x306/0x660
 __sock_sendmsg+0x110/0x120
 ____sys_sendmsg+0x30e/0x390
 ___sys_sendmsg+0x9b/0xf0
 ? kstrtouint+0x6e/0xa0
 ? kstrtouint_from_user+0x7c/0xb0
 ? get_pid_task+0xb0/0xd0
 ? proc_fail_nth_write+0x5b/0x140
 ? __fget_light+0x9a/0x200
 ? preempt_count_add+0x47/0xa0
 __sys_sendmsg+0x61/0xd0
 do_syscall_64+0x50/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47693

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47694
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

IB/mlx5: Fix UMR pd cleanup on error flow of driver init

The cited commit moves the pd allocation from function
mlx5r_umr_resource_cleanup() to a new function mlx5r_umr_cleanup().
So the fix in commit [1] is broken. In error flow, will hit panic [2].

Fix it by checking pd pointer to avoid panic if it is NULL;

[1] RDMA/mlx5: Fix UMR cleanup on error flow of driver init
[2]
 [  347.567063] infiniband mlx5_0: Couldn't register device with driver model
 [  347.591382] BUG: kernel NULL pointer dereference, address: 0000000000000020
 [  347.593438] #PF: supervisor read access in kernel mode
 [  347.595176] #PF: error_code(0x0000) - not-present page
 [  347.596962] PGD 0 P4D 0
 [  347.601361] RIP: 0010:ib_dealloc_pd_user+0x12/0xc0 [ib_core]
 [  347.604171] RSP: 0018:ffff888106293b10 EFLAGS: 00010282
 [  347.604834] RAX: 0000000000000000 RBX: 000000000000000e RCX: 0000000000000000
 [  347.605672] RDX: ffff888106293ad0 RSI: 0000000000000000 RDI: 0000000000000000
 [  347.606529] RBP: 0000000000000000 R08: ffff888106293ae0 R09: ffff888106293ae0
 [  347.607379] R10: 0000000000000a06 R11: 0000000000000000 R12: 0000000000000000
 [  347.608224] R13: ffffffffa0704dc0 R14: 0000000000000001 R15: 0000000000000001
 [  347.609067] FS:  00007fdc720cd9c0(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000
 [  347.610094] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [  347.610727] CR2: 0000000000000020 CR3: 0000000103012003 CR4: 0000000000370eb0
 [  347.611421] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 [  347.612113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 [  347.612804] Call Trace:
 [  347.613130]  <TASK>
 [  347.613417]  ? __die+0x20/0x60
 [  347.613793]  ? page_fault_oops+0x150/0x3e0
 [  347.614243]  ? free_msg+0x68/0x80 [mlx5_core]
 [  347.614840]  ? cmd_exec+0x48f/0x11d0 [mlx5_core]
 [  347.615359]  ? exc_page_fault+0x74/0x130
 [  347.615808]  ? asm_exc_page_fault+0x22/0x30
 [  347.616273]  ? ib_dealloc_pd_user+0x12/0xc0 [ib_core]
 [  347.616801]  mlx5r_umr_cleanup+0x23/0x90 [mlx5_ib]
 [  347.617365]  mlx5_ib_stage_pre_ib_reg_umr_cleanup+0x36/0x40 [mlx5_ib]
 [  347.618025]  __mlx5_ib_add+0x96/0xd0 [mlx5_ib]
 [  347.618539]  mlx5r_probe+0xe9/0x310 [mlx5_ib]
 [  347.619032]  ? kernfs_add_one+0x107/0x150
 [  347.619478]  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]
 [  347.619984]  auxiliary_bus_probe+0x3e/0x90
 [  347.620448]  really_probe+0xc5/0x3a0
 [  347.620857]  __driver_probe_device+0x80/0x160
 [  347.621325]  driver_probe_device+0x1e/0x90
 [  347.621770]  __driver_attach+0xec/0x1c0
 [  347.622213]  ? __device_attach_driver+0x100/0x100
 [  347.622724]  bus_for_each_dev+0x71/0xc0
 [  347.623151]  bus_add_driver+0xed/0x240
 [  347.623570]  driver_register+0x58/0x100
 [  347.623998]  __auxiliary_driver_register+0x6a/0xc0
 [  347.624499]  ? driver_register+0xae/0x100
 [  347.624940]  ? 0xffffffffa0893000
 [  347.625329]  mlx5_ib_init+0x16a/0x1e0 [mlx5_ib]
 [  347.625845]  do_one_initcall+0x4a/0x2a0
 [  347.626273]  ? gcov_event+0x2e2/0x3a0
 [  347.626706]  do_init_module+0x8a/0x260
 [  347.627126]  init_module_from_file+0x8b/0xd0
 [  347.627596]  __x64_sys_finit_module+0x1ca/0x2f0
 [  347.628089]  do_syscall_64+0x4c/0x100
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47694

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47695
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds

In the function init_conns(), after the create_con() and create_cm() for
loop if something fails. In the cleanup for loop after the destroy tag, we
access out of bound memory because cid is set to clt_path->s.con_num.

This commits resets the cid to clt_path->s.con_num - 1, to stay in bounds
in the cleanup loop later.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47695

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47696
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency

In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to
destroying CM IDs"), the function flush_workqueue is invoked to flush the
work queue iwcm_wq.

But at that time, the work queue iwcm_wq was created via the function
alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.

Because the current process is trying to flush the whole iwcm_wq, if
iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current
process is not reclaiming memory or running on a workqueue which doesn't
have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee
leading to a deadlock.

The call trace is as below:

[  125.350876][ T1430] Call Trace:
[  125.356281][ T1430]  <TASK>
[ 125.361285][ T1430] ? __warn (kernel/panic.c:693)
[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)
[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)
[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)
[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)
[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm
[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)
[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm
[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma
[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma
[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)
[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)
[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)
[ 125.531837][ T1430] kthread (kernel/kthread.c:389)
[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)
[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
[  125.566487][ T1430]  </TASK>
[  125.566488][ T1430] ---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47696

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47697
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error

Ensure index in rtl2830_pid_filter does not exceed 31 to prevent
out-of-bounds access.

dev->filters is a 32-bit value, so set_bit and clear_bit functions should
only operate on indices from 0 to 31. If index is 32, it will attempt to
access a non-existent 33rd bit, leading to out-of-bounds access.
Change the boundary check from index > 32 to index >= 32 to resolve this
issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47697

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47698
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error

Ensure index in rtl2832_pid_filter does not exceed 31 to prevent
out-of-bounds access.

dev->filters is a 32-bit value, so set_bit and clear_bit functions should
only operate on indices from 0 to 31. If index is 32, it will attempt to
access a non-existent 33rd bit, leading to out-of-bounds access.
Change the boundary check from index > 32 to index >= 32 to resolve this
issue.

[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47698

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47699
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()

Patch series "nilfs2: fix potential issues with empty b-tree nodes".

This series addresses three potential issues with empty b-tree nodes that
can occur with corrupted filesystem images, including one recently
discovered by syzbot.


This patch (of 3):

If a b-tree is broken on the device, and the b-tree height is greater than
2 (the level of the root node is greater than 1) even if the number of
child nodes of the b-tree root is 0, a NULL pointer dereference occurs in
nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().

This is because, when the number of child nodes of the b-tree root is 0,
nilfs_btree_do_lookup() does not set the block buffer head in any of
path[x].bp_bh, leaving it as the initial value of NULL, but if the level
of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),
which accesses the buffer memory of path[x].bp_bh, is called.

Fix this issue by adding a check to nilfs_btree_root_broken(), which
performs sanity checks when reading the root node from the device, to
detect this inconsistency.

Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause
early on.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47699

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47700
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: check stripe size compatibility on remount as well

We disable stripe size in __ext4_fill_super if it is not a multiple of
the cluster ratio however this check is missed when trying to remount.
This can leave us with cases where stripe < cluster_ratio after
remount:set making EXT4_B2C(sbi->s_stripe) become 0 that can cause some
unforeseen bugs like divide by 0.

Fix that by adding the check in remount path as well.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47700

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47701
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid OOB when system.data xattr changes underneath the filesystem

When looking up for an entry in an inlined directory, if e_value_offs is
changed underneath the filesystem by some change in the block device, it
will lead to an out-of-bounds access that KASAN detects as an UAF.

EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
loop0: detected capacity change from 2048 to 2047
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103

CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
 ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
 ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
 filename_create+0x297/0x540 fs/namei.c:3980
 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
 __do_sys_symlinkat fs/namei.c:4610 [inline]
 __se_sys_symlinkat fs/namei.c:4607 [inline]
 __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e73ced469
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
 </TASK>

Calling ext4_xattr_ibody_find right after reading the inode with
ext4_get_inode_loc will lead to a check of the validity of the xattrs,
avoiding this problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47701

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47702
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fail verification for sign-extension of packet data/data_end/data_meta

syzbot reported a kernel crash due to
  commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses").
The reason is due to sign-extension of 32-bit load for
packet data/data_end/data_meta uapi field.

The original code looks like:
        r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
        r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */
        r0 = r2
        r0 += 8
        if r3 > r0 goto +1
        ...
Note that __sk_buff->data load has 32-bit sign extension.

After verification and convert_ctx_accesses(), the final asm code looks like:
        r2 = *(u64 *)(r1 +208)
        r2 = (s32)r2
        r3 = *(u64 *)(r1 +80)
        r0 = r2
        r0 += 8
        if r3 > r0 goto pc+1
        ...
Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid
which may cause runtime failure.

Currently, in C code, typically we have
        void *data = (void *)(long)skb->data;
        void *data_end = (void *)(long)skb->data_end;
        ...
and it will generate
        r2 = *(u64 *)(r1 +208)
        r3 = *(u64 *)(r1 +80)
        r0 = r2
        r0 += 8
        if r3 > r0 goto pc+1

If we allow sign-extension,
        void *data = (void *)(long)(int)skb->data;
        void *data_end = (void *)(long)skb->data_end;
        ...
the generated code looks like
        r2 = *(u64 *)(r1 +208)
        r2 <<= 32
        r2 s>>= 32
        r3 = *(u64 *)(r1 +80)
        r0 = r2
        r0 += 8
        if r3 > r0 goto pc+1
and this will cause verification failure since "r2 <<= 32" is not allowed
as "r2" is a packet pointer.

To fix this issue for case
  r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
this patch added additional checking in is_valid_access() callback
function for packet data/data_end/data_meta access. If those accesses
are with sign-extenstion, the verification will fail.

  [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47702

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47703
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf, lsm: Add check for BPF LSM return value

A bpf prog returning a positive number attached to file_alloc_security
hook makes kernel panic.

This happens because file system can not filter out the positive number
returned by the LSM prog using IS_ERR, and misinterprets this positive
number as a file pointer.

Given that hook file_alloc_security never returned positive number
before the introduction of BPF LSM, and other BPF LSM hooks may
encounter similar issues, this patch adds LSM return value check
in verifier, to ensure no unexpected value is returned.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47703

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47704
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check link_res->hpo_dp_link_enc before using it

[WHAT & HOW]
Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res
without initializing hpo_dp_link_enc and it is necessary to check for
null before dereferencing.

This fixes 2 FORWARD_NULL issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47704

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47705
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block: fix potential invalid pointer dereference in blk_add_partition

The blk_add_partition() function initially used a single if-condition
(IS_ERR(part)) to check for errors when adding a partition. This was
modified to handle the specific case of -ENXIO separately, allowing the
function to proceed without logging the error in this case. However,
this change unintentionally left a path where md_autodetect_dev()
could be called without confirming that part is a valid pointer.

This commit separates the error handling logic by splitting the
initial if-condition, improving code readability and handling specific
error scenarios explicitly. The function now distinguishes the general
error case from -ENXIO without altering the existing behavior of
md_autodetect_dev() calls.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47705

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47706
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix possible UAF for bfqq->bic with merge chain

1) initial state, three tasks:

		Process 1       Process 2	Process 3
		 (BIC1)          (BIC2)		 (BIC3)
		  |  Λ            |  Λ		  |  Λ
		  |  |            |  |		  |  |
		  V  |            V  |		  V  |
		  bfqq1           bfqq2		  bfqq3
process ref:	   1		    1		    1

2) bfqq1 merged to bfqq2:

		Process 1       Process 2	Process 3
		 (BIC1)          (BIC2)		 (BIC3)
		  |               |		  |  Λ
		  \--------------\|		  |  |
		                  V		  V  |
		  bfqq1--------->bfqq2		  bfqq3
process ref:	   0		    2		    1

3) bfqq2 merged to bfqq3:

		Process 1       Process 2	Process 3
		 (BIC1)          (BIC2)		 (BIC3)
	 here -> Λ                |		  |
		  \--------------\ \-------------\|
		                  V		  V
		  bfqq1--------->bfqq2---------->bfqq3
process ref:	   0		    1		    3

In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
get bfqq3 through merge chain, and finially handle IO by bfqq3.
Howerver, current code will think bfqq2 is owned by BIC1, like initial
state, and set bfqq2->bic to BIC1.

bfq_insert_request
-> by Process 1
 bfqq = bfq_init_rq(rq)
  bfqq = bfq_get_bfqq_handle_split
   bfqq = bic_to_bfqq
   -> get bfqq2 from BIC1
 bfqq->ref++
 rq->elv.priv[0] = bic
 rq->elv.priv[1] = bfqq
 if (bfqq_process_refs(bfqq) == 1)
  bfqq->bic = bic
  -> record BIC1 to bfqq2

  __bfq_insert_request
   new_bfqq = bfq_setup_cooperator
   -> get bfqq3 from bfqq2->new_bfqq
   bfqq_request_freed(bfqq)
   new_bfqq->ref++
   rq->elv.priv[1] = new_bfqq
   -> handle IO by bfqq3

Fix the problem by checking bfqq is from merge chain fist. And this
might fix a following problem reported by our syzkaller(unreproducible):

==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595

CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x10d/0x610 mm/kasan/report.c:475
 kasan_report+0x8e/0xc0 mm/kasan/report.c:588
 bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
 bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
 bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
 bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
 bfq_init_rq block/bfq-iosched.c:6876 [inline]
 bfq_insert_request block/bfq-iosched.c:6254 [inline]
 bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
 blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
 blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
 kthread+0x33c/0x440 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
 </TASK>

Allocated by task 20776:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:763 [inline]
 slab_alloc_node mm/slub.c:3458 [inline]
 kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
 ioc_create_icq block/blk-ioc.c:370 [inline]
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47706

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47707
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()

Blamed commit accidentally removed a check for rt->rt6i_idev being NULL,
as spotted by syzbot:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
 RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
 RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
FS:  0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856
 addrconf_notify+0x3cb/0x1020
  notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
  call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
  call_netdevice_notifiers net/core/dev.c:2046 [inline]
  unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352
  unregister_netdevice_many net/core/dev.c:11414 [inline]
  unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289
  unregister_netdevice include/linux/netdevice.h:3129 [inline]
  __tun_detach+0x6b9/0x1600 drivers/net/tun.c:685
  tun_detach drivers/net/tun.c:701 [inline]
  tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510
  __fput+0x24a/0x8a0 fs/file_table.c:422
  task_work_run+0x24f/0x310 kernel/task_work.c:228
  exit_task_work include/linux/task_work.h:40 [inline]
  do_exit+0xa2f/0x27f0 kernel/exit.c:882
  do_group_exit+0x207/0x2c0 kernel/exit.c:1031
  __do_sys_exit_group kernel/exit.c:1042 [inline]
  __se_sys_exit_group kernel/exit.c:1040 [inline]
  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1acc77def9
Code: Unable to access opcode bytes at 0x7f1acc77decf.
RSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
 RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
 RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
R
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47707

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47708
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netkit: Assign missing bpf_net_context

During the introduction of struct bpf_net_context handling for
XDP-redirect, the netkit driver has been missed, which also requires it
because NETKIT_REDIRECT invokes skb_do_redirect() which is accessing the
per-CPU variables. Otherwise we see the following crash:

	BUG: kernel NULL pointer dereference, address: 0000000000000038
	bpf_redirect()
	netkit_xmit()
	dev_hard_start_xmit()

Set the bpf_net_context before invoking netkit_xmit() program within the
netkit driver.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47708

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47709
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().

syzbot reported a warning in bcm_release(). [0]

The blamed change fixed another warning that is triggered when
connect() is issued again for a socket whose connect()ed device has
been unregistered.

However, if the socket is just close()d without the 2nd connect(), the
remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
in bcm_release().

Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().

[0]
name '4986'
WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Modules linked in:
CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 bcm_release+0x250/0x880 net/can/bcm.c:1578
 __sock_release net/socket.c:659 [inline]
 sock_close+0xbc/0x240 net/socket.c:1421
 __fput+0x24a/0x8a0 fs/file_table.c:422
 task_work_run+0x24f/0x310 kernel/task_work.c:228
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xa2f/0x27f0 kernel/exit.c:882
 do_group_exit+0x207/0x2c0 kernel/exit.c:1031
 __do_sys_exit_group kernel/exit.c:1042 [inline]
 __se_sys_exit_group kernel/exit.c:1040 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcfb51ee969
Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
 </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47709

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47710
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sock_map: Add a cond_resched() in sock_hash_free()

Several syzbot soft lockup reports all have in common sock_hash_free()

If a map with a large number of buckets is destroyed, we need to yield
the cpu when needed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47710

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47711
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

af_unix: Don't return OOB skb in manage_oob().

syzbot reported use-after-free in unix_stream_recv_urg(). [0]

The scenario is

  1. send(MSG_OOB)
  2. recv(MSG_OOB)
     -> The consumed OOB remains in recv queue
  3. send(MSG_OOB)
  4. recv()
     -> manage_oob() returns the next skb of the consumed OOB
     -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared
  5. recv(MSG_OOB)
     -> unix_sk(sk)->oob_skb is used but already freed

The recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB
skb.") uncovered the issue.

If the OOB skb is consumed and the next skb is peeked in manage_oob(),
we still need to check if the skb is OOB.

Let's do so by falling back to the following checks in manage_oob()
and add the test case in selftest.

Note that we need to add a similar check for SIOCATMARK.

[0]:
BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959
Read of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235

CPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959
 unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640
 unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778
 unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0x22f/0x280 net/socket.c:1068
 ____sys_recvmsg+0x1db/0x470 net/socket.c:2816
 ___sys_recvmsg net/socket.c:2858 [inline]
 __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5360d6b4e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9
RDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003
RBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001
 </TASK>

Allocated by task 5235:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3988 [inline]
 slab_alloc_node mm/slub.c:4037 [inline]
 kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080
 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667
 alloc_skb include/linux/skbuff.h:1320 [inline]
 alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528
 sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815
 sock_alloc_send_skb include/net/sock.h:1778 [inline]
 queue_oob+0x108/0x680 net/unix/af_unix.c:2198
 unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
 ___sys_sendmsg net/socket.c:2651 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5235:
 kasan_save_stack mm/kasan/common.c:47
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47711

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47712
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param

In the `wilc_parse_join_bss_param` function, the TSF field of the `ies`
structure is accessed after the RCU read-side critical section is
unlocked. According to RCU usage rules, this is illegal. Reusing this
pointer can lead to unpredictable behavior, including accessing memory
that has been updated or causing use-after-free issues.

This possible bug was identified using a static analysis tool developed
by myself, specifically designed to detect RCU-related issues.

To address this, the TSF value is now stored in a local variable
`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is
then assigned using this local variable, ensuring that the TSF value is
safely accessed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47712

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47713
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()

Since '__dev_queue_xmit()' should be called with interrupts enabled,
the following backtrace:

ieee80211_do_stop()
 ...
 spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
 ...
 ieee80211_free_txskb()
  ieee80211_report_used_skb()
   ieee80211_report_ack_skb()
    cfg80211_mgmt_tx_status_ext()
     nl80211_frame_tx_status()
      genlmsg_multicast_netns()
       genlmsg_multicast_netns_filtered()
        nlmsg_multicast_filtered()
	 netlink_broadcast_filtered()
	  do_one_broadcast()
	   netlink_broadcast_deliver()
	    __netlink_sendskb()
	     netlink_deliver_tap()
	      __netlink_deliver_tap_skb()
	       dev_queue_xmit()
	        __dev_queue_xmit() ; with IRQS disabled
 ...
 spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)

issues the warning (as reported by syzbot reproducer):

WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120

Fix this by implementing a two-phase skb reclamation in
'ieee80211_do_stop()', where actual work is performed
outside of a section with interrupts disabled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47713

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47714
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: use hweight16 to get correct tx antenna

The chainmask is u16 so using hweight8 cannot get correct tx_ant.
Without this patch, the tx_ant of band 2 would be -1 and lead to the
following issue:
BUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47714

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47715
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7915: fix oops on non-dbdc mt7986

mt7915_band_config() sets band_idx = 1 on the main phy for mt7986
with MT7975_ONE_ADIE or MT7976_ONE_ADIE.

Commit 0335c034e726 ("wifi: mt76: fix race condition related to
checking tx queue fill status") introduced a dereference of the
phys array indirectly indexed by band_idx via wcid->phy_idx in
mt76_wcid_cleanup(). This caused the following Oops on affected
mt7986 devices:

 Unable to handle kernel read from unreadable memory at virtual address 0000000000000024
 Mem abort info:
   ESR = 0x0000000096000005
   EC = 0x25: DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
   FSC = 0x05: level 1 translation fault
 Data abort info:
   ISV = 0, ISS = 0x00000005
   CM = 0, WnR = 0
 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000
 [0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
 Internal error: Oops: 0000000096000005 [#1] SMP
 Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ...
 CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0
 Hardware name: ZyXEL EX5700 (Telenor) (DT)
 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : mt76_wcid_cleanup+0x84/0x22c [mt76]
 lr : mt76_wcid_cleanup+0x64/0x22c [mt76]
 sp : ffffffc00a803700
 x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00
 x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001
 x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8
 x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000
 x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0
 x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000
 x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28
 x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000
 x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001
 x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024
 Call trace:
  mt76_wcid_cleanup+0x84/0x22c [mt76]
  __mt76_sta_remove+0x70/0xbc [mt76]
  mt76_sta_state+0x8c/0x1a4 [mt76]
  mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e]
  drv_sta_state+0x144/0x274 [mac80211]
  sta_info_move_state+0x1cc/0x2a4 [mac80211]
  sta_set_sinfo+0xaf8/0xc24 [mac80211]
  sta_info_destroy_addr_bss+0x4c/0x6c [mac80211]

  ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211]
  cfg80211_check_station_change+0x1360/0x4710 [cfg80211]
  genl_family_rcv_msg_doit+0xb4/0x110
  genl_rcv_msg+0xd0/0x1bc
  netlink_rcv_skb+0x58/0x120
  genl_rcv+0x34/0x50
  netlink_unicast+0x1f0/0x2ec
  netlink_sendmsg+0x198/0x3d0
  ____sys_sendmsg+0x1b0/0x210
  ___sys_sendmsg+0x80/0xf0
  __sys_sendmsg+0x44/0xa0
  __arm64_sys_sendmsg+0x20/0x30
  invoke_syscall.constprop.0+0x4c/0xe0
  do_el0_svc+0x40/0xd0
  el0_svc+0x14/0x4c
  el0t_64_sync_handler+0x100/0x110
  el0t_64_sync+0x15c/0x160
 Code: d2800002 910092c0 52800023 f9800011 (885f7c01)
 ---[ end trace 7e42dd9a39ed2281 ]---

Fix by using mt76_dev_phy() which will map band_idx to the correct phy
for all hardware combinations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47715

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47716
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros

Floating point instructions in userspace can crash some arm kernels
built with clang/LLD 17.0.6:

    BUG: unsupported FP instruction in kernel mode
    FPEXC == 0xc0000780
    Internal error: Oops - undefined instruction: 0 [#1] ARM
    CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1
    Hardware name: BCM2835
    PC is at vfp_support_entry+0xc8/0x2cc
    LR is at do_undefinstr+0xa8/0x250
    pc : [<c0101d50>]    lr : [<c010a80c>]    psr: a0000013
    sp : dc8d1f68  ip : 60000013  fp : bedea19c
    r10: ec532b17  r9 : 00000010  r8 : 0044766c
    r7 : c0000780  r6 : ec532b17  r5 : c1c13800  r4 : dc8d1fb0
    r3 : c10072c4  r2 : c0101c88  r1 : ec532b17  r0 : 0044766c
    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
    Control: 00c5387d  Table: 0251c008  DAC: 00000051
    Register r0 information: non-paged memory
    Register r1 information: vmalloc memory
    Register r2 information: non-slab/vmalloc memory
    Register r3 information: non-slab/vmalloc memory
    Register r4 information: 2-page vmalloc region
    Register r5 information: slab kmalloc-cg-2k
    Register r6 information: vmalloc memory
    Register r7 information: non-slab/vmalloc memory
    Register r8 information: non-paged memory
    Register r9 information: zero-size pointer
    Register r10 information: vmalloc memory
    Register r11 information: non-paged memory
    Register r12 information: non-paged memory
    Process vfp-reproducer (pid: 196, stack limit = 0x61aaaf8b)
    Stack: (0xdc8d1f68 to 0xdc8d2000)
    1f60:                   0000081f b6f69300 0000000f c10073f4 c10072c4 dc8d1fb0
    1f80: ec532b17 0c532b17 0044766c b6f9ccd8 00000000 c010a80c 00447670 60000010
    1fa0: ffffffff c1c13800 00c5387d c0100f10 b6f68af8 00448fc0 00000000 bedea188
    1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
    1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff 00000000 00000000
    Call trace:
    [<c0101d50>] (vfp_support_entry) from [<c010a80c>] (do_undefinstr+0xa8/0x250)
    [<c010a80c>] (do_undefinstr) from [<c0100f10>] (__und_usr+0x70/0x80)
    Exception stack(0xdc8d1fb0 to 0xdc8d1ff8)
    1fa0:                                     b6f68af8 00448fc0 00000000 bedea188
    1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
    1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff
    Code: 0a000061 e3877202 e594003c e3a09010 (eef16a10)
    ---[ end trace 0000000000000000 ]---
    Kernel panic - not syncing: Fatal exception in interrupt
    ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

This is a minimal userspace reproducer on a Raspberry Pi Zero W:

    #include <stdio.h>
    #include <math.h>

    int main(void)
    {
            double v = 1.0;
            printf("%fn", NAN + *(volatile double *)&v);
            return 0;
    }

Another way to consistently trigger the oops is:

    calvin@raspberry-pi-zero-w ~$ python -c "import json"

The bug reproduces only when the kernel is built with DYNAMIC_DEBUG=n,
because the pr_debug() calls act as barriers even when not activated.

This is the output from the same kernel source built with the same
compiler and DYNAMIC_DEBUG=y, where the userspace reproducer works as
expected:

    VFP: bounce: trigger ec532b17 fpexc c0000780
    VFP: emulate: INST=0xee377b06 SCR=0x00000000
    VFP: bounce: trigger eef1fa10 fpexc c0000780
    VFP: emulate: INST=0xeeb40b40 SCR=0x00000000
    VFP: raising exceptions 30000000

    calvin@raspberry-pi-zero-w ~$ ./vfp-reproducer
    nan

Crudely grepping for vmsr/vmrs instructions in the otherwise nearly
idential text for vfp_support_entry() makes the problem obvious:

    vmlinux.llvm.good [0xc0101cb8] <+48>:  vmrs   r7, fpexc
    vmlinux.llvm.good [0xc0101cd8] <+80>:  vmsr   fpexc, r0
    vmlinux.llvm.good [0xc0101d20
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47716

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47717
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data

With the latest Linux-6.11-rc3, the below NULL pointer crash is observed
when SBI PMU snapshot is enabled for the guest and the guest is forcefully
powered-off.

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508
  Oops [#1]
  Modules linked in: kvm
  CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3
  Hardware name: riscv-virtio,qemu (DT)
  epc : __kvm_write_guest_page+0x94/0xa6 [kvm]
   ra : __kvm_write_guest_page+0x54/0xa6 [kvm]
  epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0
   gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000
   t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0
   s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086
   a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0
   a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc
   s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000
   s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000
   s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001
   s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3
   t5 : ffffffff814126e0 t6 : ffffffff81412700
  status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d
  [<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]
  [<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]
  [<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]
  [<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]
  [<ffffffff015a2ad0>] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]
  [<ffffffff0159b344>] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]
  [<ffffffff0158e420>] kvm_destroy_vcpus+0x5a/0xda [kvm]
  [<ffffffff0159930c>] kvm_arch_destroy_vm+0x14/0x28 [kvm]
  [<ffffffff01593260>] kvm_destroy_vm+0x168/0x2a0 [kvm]
  [<ffffffff015933d4>] kvm_put_kvm+0x3c/0x58 [kvm]
  [<ffffffff01593412>] kvm_vm_release+0x22/0x2e [kvm]

Clearly, the kvm_vcpu_write_guest() function is crashing because it is
being called from kvm_pmu_clear_snapshot_area() upon guest tear down.

To address the above issue, simplify the kvm_pmu_clear_snapshot_area() to
not zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because
the guest is anyway being tore down.

The kvm_pmu_clear_snapshot_area() is also called when guest changes
PMU snapshot area of a VCPU but even in this case the previous PMU
snaphsot area must not be zeroed-out because the guest might have
reclaimed the pervious PMU snapshot area for some other purpose.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47717

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47718
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: always wait for both firmware loading attempts

In 'rtw_wait_firmware_completion()', always wait for both (regular and
wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'
has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue
'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually
the wowlan one) is still in progress, causing UAF detected by KASAN.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47718

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47719
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommufd: Protect against overflow of ALIGN() during iova allocation

Userspace can supply an iova and uptr such that the target iova alignment
becomes really big and ALIGN() overflows which corrupts the selected area
range during allocation. CONFIG_IOMMUFD_TEST can detect this:

   WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]
   WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352
   Modules linked in:
   CPU: 1 PID: 5092 Comm: syz-executor294 Not tainted 6.10.0-rc5-syzkaller-00294-g3ffea9a7a6f7 #0
   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
   RIP: 0010:iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]
   RIP: 0010:iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352
   Code: fc e9 a4 f3 ff ff e8 1a 8b 4c fc 41 be e4 ff ff ff e9 8a f3 ff ff e8 0a 8b 4c fc 90 0f 0b 90 e9 37 f5 ff ff e8 fc 8a 4c fc 90 <0f> 0b 90 e9 68 f3 ff ff 48 c7 c1 ec 82 ad 8f 80 e1 07 80 c1 03 38
   RSP: 0018:ffffc90003ebf9e0 EFLAGS: 00010293
   RAX: ffffffff85499fa4 RBX: 00000000ffffffef RCX: ffff888079b49e00
   RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000
   RBP: ffffc90003ebfc50 R08: ffffffff85499b30 R09: ffffffff85499942
   R10: 0000000000000002 R11: ffff888079b49e00 R12: ffff8880228e0010
   R13: 0000000000000000 R14: 1ffff920007d7f68 R15: ffffc90003ebfd00
   FS:  000055557d760380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00000000005fdeb8 CR3: 000000007404a000 CR4: 00000000003506f0
   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
   Call Trace:
    <TASK>
    iommufd_ioas_copy+0x610/0x7b0 drivers/iommu/iommufd/ioas.c:274
    iommufd_fops_ioctl+0x4d9/0x5a0 drivers/iommu/iommufd/main.c:421
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:907 [inline]
    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

Cap the automatic alignment to the huge page size, which is probably a
better idea overall. Huge automatic alignments can fragment and chew up
the available IOVA space without any reason.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47719

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47720
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer
in the  dcn30_set_output_transfer_func function. Previously,
set_output_gamma was being checked for nullity at line 386, but then it
was being dereferenced without any nullity check at line 401. This
could potentially lead to a null pointer dereference error if
set_output_gamma is indeed null.

To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a nullity check for
set_output_gamma before the call to set_output_gamma at line 401. If
set_output_gamma is null, we log an error message and do not call the
function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()
error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c
    373 bool dcn30_set_output_transfer_func(struct dc *dc,
    374                                 struct pipe_ctx *pipe_ctx,
    375                                 const struct dc_stream_state *stream)
    376 {
    377         int mpcc_id = pipe_ctx->plane_res.hubp->inst;
    378         struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;
    379         const struct pwl_params *params = NULL;
    380         bool ret = false;
    381
    382         /* program OGAM or 3DLUT only for the top pipe*/
    383         if (pipe_ctx->top_pipe == NULL) {
    384                 /*program rmu shaper and 3dlut in MPC*/
    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);
    386                 if (ret == false && mpc->funcs->set_output_gamma) {
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL

    387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
    388                                 params = &stream->out_transfer_func.pwl;
    389                         else if (pipe_ctx->stream->out_transfer_func.type ==
    390                                         TF_TYPE_DISTRIBUTED_POINTS &&
    391                                         cm3_helper_translate_curve_to_hw_format(
    392                                         &stream->out_transfer_func,
    393                                         &mpc->blender_params, false))
    394                                 params = &mpc->blender_params;
    395                          /* there are no ROM LUTs in OUTGAM */
    396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
    397                                 BREAK_TO_DEBUGGER();
    398                 }
    399         }
    400
--> 401         mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash

    402         return ret;
    403 }
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47720

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47721
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: remove unused C2H event ID RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading

The handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't
implemented, but driver expects number of handlers is
NUM_OF_RTW89_MAC_C2H_FUNC_WOW causing out-of-bounds access. Fix it by
removing ID.

Addresses-Coverity-ID: 1598775 ("Out-of-bounds read")
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47721

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47723
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

jfs: fix out-of-bounds in dbNextAG() and diAlloc()

In dbNextAG() , there is no check for the case where bmp->db_numag is
greater or same than MAXAG due to a polluted image, which causes an
out-of-bounds. Therefore, a bounds check should be added in dbMount().

And in dbNextAG(), a check for the case where agpref is greater than
bmp->db_numag should be added, so an out-of-bounds exception should be
prevented.

Additionally, a check for the case where agno is greater or same than
MAXAG should be added in diAlloc() to prevent out-of-bounds.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47723

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47724
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: use work queue to process beacon tx event

Commit 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template")
from Feb 28, 2024 (linux-next), leads to the following Smatch static
checker warning:

drivers/net/wireless/ath/ath11k/wmi.c:1742 ath11k_wmi_p2p_go_bcn_ie()
warn: sleeping in atomic context

The reason is that ath11k_bcn_tx_status_event() will directly call might
sleep function ath11k_wmi_cmd_send() during RCU read-side critical
sections. The call trace is like:

ath11k_bcn_tx_status_event()
-> rcu_read_lock()
-> ath11k_mac_bcn_tx_event()
	-> ath11k_mac_setup_bcn_tmpl()
	……
		-> ath11k_wmi_bcn_tmpl()
			-> ath11k_wmi_cmd_send()
-> rcu_read_unlock()

Commit 886433a98425 ("ath11k: add support for BSS color change") added the
ath11k_mac_bcn_tx_event(), commit 01e782c89108 ("ath11k: fix warning
of RCU usage for ath11k_mac_get_arvif_by_vdev_id()") added the RCU lock
to avoid warning but also introduced this BUG.

Use work queue to avoid directly calling ath11k_mac_bcn_tx_event()
during RCU critical sections. No need to worry about the deletion of vif
because cancel_work_sync() will drop the work if it doesn't start or
block vif deletion until the running work is done.

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47724

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47726
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to wait dio completion

It should wait all existing dio write IOs before block removal,
otherwise, previous direct write IO may overwrite data in the
block which may be reused by other inode.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47726

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47727
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/tdx: Fix "in-kernel MMIO" check

TDX only supports kernel-initiated MMIO operations. The handle_mmio()
function checks if the #VE exception occurred in the kernel and rejects
the operation if it did not.

However, userspace can deceive the kernel into performing MMIO on its
behalf. For example, if userspace can point a syscall to an MMIO address,
syscall does get_user() or put_user() on it, triggering MMIO #VE. The
kernel will treat the #VE as in-kernel MMIO.

Ensure that the target MMIO address is within the kernel before decoding
instruction.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47727

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47728
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error

For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input
arguments, zero the value for the case of an error as otherwise it could leak
memory. For tracing, it is not needed given CAP_PERFMON can already read all
kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped
in here.

Also, the MTU helpers mtu_len pointer value is being written but also read.
Technically, the MEM_UNINIT should not be there in order to always force init.
Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now
implies two things actually: i) write into memory, ii) memory does not have
to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory,
ii) memory must be initialized. This means that for bpf_*_check_mtu() we're
readding the issue we're trying to fix, that is, it would then be able to
write back into things like .rodata BPF maps. Follow-up work will rework the
MEM_UNINIT semantics such that the intent can be better expressed. For now
just clear the *mtu_len on error path which can be lifted later again.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47728

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47729
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Use reserved copy engine for user binds on faulting devices

User binds map to engines with can fault, faults depend on user binds
completion, thus we can deadlock. Avoid this by using reserved copy
engine for user binds on faulting devices.

While we are here, normalize bind queue creation with a helper.

v2:
 - Pass in extensions to bind queue creation (CI)
v3:
 - s/resevered/reserved (Lucas)
 - Fix NULL hwe check (Jonathan)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47729

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47730
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: hisilicon/qm - inject error before stopping queue

The master ooo cannot be completely closed when the
accelerator core reports memory error. Therefore, the driver
needs to inject the qm error to close the master ooo. Currently,
the qm error is injected after stopping queue, memory may be
released immediately after stopping queue, causing the device to
access the released memory. Therefore, error is injected to close master
ooo before stopping queue to ensure that the device does not access
the released memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47730

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47731
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drivers/perf: Fix ali_drw_pmu driver interrupt status clearing

The alibaba_uncore_pmu driver forgot to clear all interrupt status
in the interrupt processing function. After the PMU counter overflow
interrupt occurred, an interrupt storm occurred, causing the system
to hang.

Therefore, clear the correct interrupt status in the interrupt handling
function to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47731

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47732
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

crypto: iaa - Fix potential use after free bug

The free_device_compression_mode(iaa_device, device_mode) function frees
"device_mode" but it iss passed to iaa_compression_modes[i]->free() a few
lines later resulting in a use after free.

The good news is that, so far as I can tell, nothing implements the
->free() function and the use after free happens in dead code.  But, with
this fix, when something does implement it, we'll be ready.  :)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47732

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47733
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfs: Delete subtree of 'fs/netfs' when netfs module exits

In netfs_init() or fscache_proc_init(), we create dentry under 'fs/netfs',
but in netfs_exit(), we only delete the proc entry of 'fs/netfs' without
deleting its subtree. This triggers the following WARNING:

==================================================================
remove_proc_entry: removing non-empty directory 'fs/netfs', leaking at least 'requests'
WARNING: CPU: 4 PID: 566 at fs/proc/generic.c:717 remove_proc_entry+0x160/0x1c0
Modules linked in: netfs(-)
CPU: 4 UID: 0 PID: 566 Comm: rmmod Not tainted 6.11.0-rc3 #860
RIP: 0010:remove_proc_entry+0x160/0x1c0
Call Trace:
 <TASK>
 netfs_exit+0x12/0x620 [netfs]
 __do_sys_delete_module.isra.0+0x14c/0x2e0
 do_syscall_64+0x4b/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
==================================================================

Therefore use remove_proc_subtree() instead of remove_proc_entry() to
fix the above problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47733

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47734
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()

syzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce
this[1], one bond device (bond1) has xdpdrv, which increases
bpf_master_redirect_enabled_key. Another bond device (bond0) which is
unsupported by XDP but its slave (veth3) has xdpgeneric that returns
XDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect().
To reduce unnecessary warnings and improve log management, we need to
delete the WARN_ON_ONCE() and add ratelimit to the netdev_err().

[1] Steps to reproduce:
    # Needs tx_xdp with return XDP_TX;
    ip l add veth0 type veth peer veth1
    ip l add veth3 type veth peer veth4
    ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP
    ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default
    ip l set veth0 master bond1
    ip l set bond1 up
    # Increases bpf_master_redirect_enabled_key
    ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx
    ip l set veth3 master bond0
    ip l set bond0 up
    ip l set veth4 up
    # Triggers WARN_ON_ONCE() from the xdp_master_redirect()
    ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47734

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47735
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled

Fix missuse of spin_lock_irq()/spin_unlock_irq() when
spin_lock_irqsave()/spin_lock_irqrestore() was hold.

This was discovered through the lock debugging, and the corresponding
log is as follows:

raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40
...
Call trace:
 warn_bogus_irq_restore+0x30/0x40
 _raw_spin_unlock_irqrestore+0x84/0xc8
 add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]
 hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]
 hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]
 create_qp+0x138/0x258
 ib_create_qp_kernel+0x50/0xe8
 create_mad_qp+0xa8/0x128
 ib_mad_port_open+0x218/0x448
 ib_mad_init_device+0x70/0x1f8
 add_client_context+0xfc/0x220
 enable_device_and_get+0xd0/0x140
 ib_register_device.part.0+0xf4/0x1c8
 ib_register_device+0x34/0x50
 hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]
 hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]
 __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]
 hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47735

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47736
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

erofs: handle overlapped pclusters out of crafted images properly

syzbot reported a task hang issue due to a deadlock case where it is
waiting for the folio lock of a cached folio that will be used for
cache I/Os.

After looking into the crafted fuzzed image, I found it's formed with
several overlapped big pclusters as below:

 Ext:   logical offset   |  length :     physical offset    |  length
   0:        0..   16384 |   16384 :     151552..    167936 |   16384
   1:    16384..   32768 |   16384 :     155648..    172032 |   16384
   2:    32768..   49152 |   16384 :  537223168.. 537239552 |   16384
...

Here, extent 0/1 are physically overlapped although it's entirely
_impossible_ for normal filesystem images generated by mkfs.

First, managed folios containing compressed data will be marked as
up-to-date and then unlocked immediately (unlike in-place folios) when
compressed I/Os are complete.  If physical blocks are not submitted in
the incremental order, there should be separate BIOs to avoid dependency
issues.  However, the current code mis-arranges z_erofs_fill_bio_vec()
and BIO submission which causes unexpected BIO waits.

Second, managed folios will be connected to their own pclusters for
efficient inter-queries.  However, this is somewhat hard to implement
easily if overlapped big pclusters exist.  Again, these only appear in
fuzzed images so let's simply fall back to temporary short-lived pages
for correctness.

Additionally, it justifies that referenced managed folios cannot be
truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy
up `struct z_erofs_bvec`") for simplicity although it shouldn't be any
difference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47736

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47737
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: call cache_put if xdr_reserve_space returns NULL

If not enough buffer space available, but idmap_lookup has triggered
lookup_fn which calls cache_get and returns successfully. Then we
missed to call cache_put here which pairs with cache_get.

Reviwed-by: Jeff Layton <jlayton@kernel.org>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47737

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47738
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: don't use rate mask for offchannel TX either

Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for
scanning"), ignore incorrect settings to avoid no supported rate warning
reported by syzbot.

The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211:
fix default HE tx bitrate mask in 2G band"), which however corrects
bitmask of HE MCS and recognizes correctly settings of empty legacy rate
plus HE MCS rate instead of returning -EINVAL.

As suggestions [1], follow the change of SCAN TX to consider this case of
offchannel TX as well.

[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47738

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47739
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

padata: use integer wrap around to prevent deadlock on seq_nr overflow

When submitting more than 2^32 padata objects to padata_do_serial, the
current sorting implementation incorrectly sorts padata objects with
overflowed seq_nr, causing them to be placed before existing objects in
the reorder list. This leads to a deadlock in the serialization process
as padata_find_next cannot match padata->seq_nr and pd->processed
because the padata instance with overflowed seq_nr will be selected
next.

To fix this, we use an unsigned integer wrap around to correctly sort
padata objects in scenarios with integer overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47739

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47741
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race setting file private on concurrent lseek using same fd

When doing concurrent lseek(2) system calls against the same file
descriptor, using multiple threads belonging to the same process, we have
a short time window where a race happens and can result in a memory leak.

The race happens like this:

1) A program opens a file descriptor for a file and then spawns two
   threads (with the pthreads library for example), lets call them
   task A and task B;

2) Task A calls lseek with SEEK_DATA or SEEK_HOLE and ends up at
   file.c:find_desired_extent() while holding a read lock on the inode;

3) At the start of find_desired_extent(), it extracts the file's
   private_data pointer into a local variable named 'private', which has
   a value of NULL;

4) Task B also calls lseek with SEEK_DATA or SEEK_HOLE, locks the inode
   in shared mode and enters file.c:find_desired_extent(), where it also
   extracts file->private_data into its local variable 'private', which
   has a NULL value;

5) Because it saw a NULL file private, task A allocates a private
   structure and assigns to the file structure;

6) Task B also saw a NULL file private so it also allocates its own file
   private and then assigns it to the same file structure, since both
   tasks are using the same file descriptor.

   At this point we leak the private structure allocated by task A.

Besides the memory leak, there's also the detail that both tasks end up
using the same cached state record in the private structure (struct
btrfs_file_private::llseek_cached_state), which can result in a
use-after-free problem since one task can free it while the other is
still using it (only one task took a reference count on it). Also, sharing
the cached state is not a good idea since it could result in incorrect
results in the future - right now it should not be a problem because it
end ups being used only in extent-io-tree.c:count_range_bits() where we do
range validation before using the cached state.

Fix this by protecting the private assignment and check of a file while
holding the inode's spinlock and keep track of the task that allocated
the private, so that it's used only by that task in order to prevent
user-after-free issues with the cached state record as well as potentially
using it incorrectly in the future.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47741

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47742
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware_loader: Block path traversal

Most firmware names are hardcoded strings, or are constructed from fairly
constrained format strings where the dynamic parts are just some hex
numbers or such.

However, there are a couple codepaths in the kernel where firmware file
names contain string components that are passed through from a device or
semi-privileged userspace; the ones I could find (not counting interfaces
that require root privileges) are:

 - lpfc_sli4_request_firmware_update() seems to construct the firmware
   filename from "ModelName", a string that was previously parsed out of
   some descriptor ("Vital Product Data") in lpfc_fill_vpd()
 - nfp_net_fw_find() seems to construct a firmware filename from a model
   name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I
   think parses some descriptor that was read from the device.
   (But this case likely isn't exploitable because the format string looks
   like "netronome/nic_%s", and there shouldn't be any *folders* starting
   with "netronome/nic_". The previous case was different because there,
   the "%s" is *at the start* of the format string.)
 - module_flash_fw_schedule() is reachable from the
   ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as
   GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is
   enough to pass the privilege check), and takes a userspace-provided
   firmware name.
   (But I think to reach this case, you need to have CAP_NET_ADMIN over a
   network namespace that a special kind of ethernet device is mapped into,
   so I think this is not a viable attack path in practice.)

Fix it by rejecting any firmware names containing ".." path components.

For what it's worth, I went looking and haven't found any USB device
drivers that use the firmware loader dangerously.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47742

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47743
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KEYS: prevent NULL pointer dereference in find_asymmetric_key()

In find_asymmetric_key(), if all NULLs are passed in the id_{0,1,2}
arguments, the kernel will first emit WARN but then have an oops
because id_2 gets dereferenced anyway.

Add the missing id_2 check and move WARN_ON() to the final else branch
to avoid duplicate NULL checks.

Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47743

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47744
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock

Use a dedicated mutex to guard kvm_usage_count to fix a potential deadlock
on x86 due to a chain of locks and SRCU synchronizations.  Translating the
below lockdep splat, CPU1 #6 will wait on CPU0 #1, CPU0 #8 will wait on
CPU2 #3, and CPU2 #7 will wait on CPU1 #4 (if there's a writer, due to the
fairness of r/w semaphores).

    CPU0                     CPU1                     CPU2
1   lock(&kvm->slots_lock);
2                                                     lock(&vcpu->mutex);
3                                                     lock(&kvm->srcu);
4                            lock(cpu_hotplug_lock);
5                            lock(kvm_lock);
6                            lock(&kvm->slots_lock);
7                                                     lock(cpu_hotplug_lock);
8   sync(&kvm->srcu);

Note, there are likely more potential deadlocks in KVM x86, e.g. the same
pattern of taking cpu_hotplug_lock outside of kvm_lock likely exists with
__kvmclock_cpufreq_notifier():

  cpuhp_cpufreq_online()
  |
  -> cpufreq_online()
     |
     -> cpufreq_gov_performance_limits()
        |
        -> __cpufreq_driver_target()
           |
           -> __target_index()
              |
              -> cpufreq_freq_transition_begin()
                 |
                 -> cpufreq_notify_transition()
                    |
                    -> ... __kvmclock_cpufreq_notifier()

But, actually triggering such deadlocks is beyond rare due to the
combination of dependencies and timings involved.  E.g. the cpufreq
notifier is only used on older CPUs without a constant TSC, mucking with
the NX hugepage mitigation while VMs are running is very uncommon, and
doing so while also onlining/offlining a CPU (necessary to generate
contention on cpu_hotplug_lock) would be even more unusual.

The most robust solution to the general cpu_hotplug_lock issue is likely
to switch vm_list to be an RCU-protected list, e.g. so that x86's cpufreq
notifier doesn't to take kvm_lock.  For now, settle for fixing the most
blatant deadlock, as switching to an RCU-protected list is a much more
involved change, but add a comment in locking.rst to call out that care
needs to be taken when walking holding kvm_lock and walking vm_list.

  ======================================================
  WARNING: possible circular locking dependency detected
  6.10.0-smp--c257535a0c9d-pip #330 Tainted: G S         O
  ------------------------------------------------------
  tee/35048 is trying to acquire lock:
  ff6a80eced71e0a8 (&kvm->slots_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x179/0x1e0 [kvm]

  but task is already holding lock:
  ffffffffc07abb08 (kvm_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x14a/0x1e0 [kvm]

  which lock already depends on the new lock.

   the existing dependency chain (in reverse order) is:

  -> #3 (kvm_lock){+.+.}-{3:3}:
         __mutex_lock+0x6a/0xb40
         mutex_lock_nested+0x1f/0x30
         kvm_dev_ioctl+0x4fb/0xe50 [kvm]
         __se_sys_ioctl+0x7b/0xd0
         __x64_sys_ioctl+0x21/0x30
         x64_sys_call+0x15d0/0x2e60
         do_syscall_64+0x83/0x160
         entry_SYSCALL_64_after_hwframe+0x76/0x7e

  -> #2 (cpu_hotplug_lock){++++}-{0:0}:
         cpus_read_lock+0x2e/0xb0
         static_key_slow_inc+0x16/0x30
         kvm_lapic_set_base+0x6a/0x1c0 [kvm]
         kvm_set_apic_base+0x8f/0xe0 [kvm]
         kvm_set_msr_common+0x9ae/0xf80 [kvm]
         vmx_set_msr+0xa54/0xbe0 [kvm_intel]
         __kvm_set_msr+0xb6/0x1a0 [kvm]
         kvm_arch_vcpu_ioctl+0xeca/0x10c0 [kvm]
         kvm_vcpu_ioctl+0x485/0x5b0 [kvm]
         __se_sys_ioctl+0x7b/0xd0
         __x64_sys_ioctl+0x21/0x30
         x64_sys_call+0x15d0/0x2e60
         do_syscall_64+0x83/0x160
         entry_SYSCALL_64_after_hwframe+0x76/0x7e

  -> #1 (&kvm->srcu){.+.+}-{0:0}:
         __synchronize_srcu+0x44/0x1a0
      
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47744

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47745
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm: call the security_mmap_file() LSM hook in remap_file_pages()

The remap_file_pages syscall handler calls do_mmap() directly, which
doesn't contain the LSM security check. And if the process has called
personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for
RW pages, this will actually result in remapping the pages to RWX,
bypassing a W^X policy enforced by SELinux.

So we should check prot by security_mmap_file LSM hook in the
remap_file_pages syscall handler before do_mmap() is called. Otherwise, it
potentially permits an attacker to bypass a W^X policy enforced by
SELinux.

The bypass is similar to CVE-2016-10044, which bypass the same thing via
AIO and can be found in [1].

The PoC:

$ cat > test.c

int main(void) {
	size_t pagesz = sysconf(_SC_PAGE_SIZE);
	int mfd = syscall(SYS_memfd_create, "test", 0);
	const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
		MAP_SHARED, mfd, 0);
	unsigned int old = syscall(SYS_personality, 0xffffffff);
	syscall(SYS_personality, READ_IMPLIES_EXEC | old);
	syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
	syscall(SYS_personality, old);
	// show the RWX page exists even if W^X policy is enforced
	int fd = open("/proc/self/maps", O_RDONLY);
	unsigned char buf2[1024];
	while (1) {
		int ret = read(fd, buf2, 1024);
		if (ret <= 0) break;
		write(1, buf2, ret);
	}
	close(fd);
}

$ gcc test.c -o test
$ ./test | grep rwx
7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)

[PM: subject line tweaks]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47745

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47746
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fuse: use exclusive lock when FUSE_I_CACHE_IO_MODE is set

This may be a typo. The comment has said shared locks are
not allowed when this bit is set. If using shared lock, the
wait in `fuse_file_cached_io_open` may be forever.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47746

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47747
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

In the ether3_probe function, a timer is initialized with a callback
function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
started, there is a risk of a race condition if the module or device
is removed, triggering the ether3_remove function to perform cleanup.
The sequence of operations that may lead to a UAF bug is as follows:

CPU0                                    CPU1

                      |  ether3_ledoff
ether3_remove         |
  free_netdev(dev);   |
  put_devic           |
  kfree(dev);         |
 |  ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
                      | // use dev

Fix it by ensuring that the timer is canceled before proceeding with
the cleanup in ether3_remove.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47747

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47748
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vhost_vdpa: assign irq bypass producer token correctly

We used to call irq_bypass_unregister_producer() in
vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the
token pointer is still valid or not.

Actually, we use the eventfd_ctx as the token so the life cycle of the
token should be bound to the VHOST_SET_VRING_CALL instead of
vhost_vdpa_setup_vq_irq() which could be called by set_status().

Fixing this by setting up irq bypass producer's token when handling
VHOST_SET_VRING_CALL and un-registering the producer before calling
vhost_vring_ioctl() to prevent a possible use after free as eventfd
could have been released in vhost_vring_ioctl(). And such registering
and unregistering will only be done if DRIVER_OK is set.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47748

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47749
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/cxgb4: Added NULL check for lookup_atid

The lookup_atid() function can return NULL if the ATID is
invalid or does not exist in the identifier table, which
could lead to dereferencing a null pointer without a
check in the `act_establish()` and `act_open_rpl()` functions.
Add a NULL check to prevent null pointer dereferencing.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47749

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47750
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08

Currently rsv_qp is freed before ib_unregister_device() is called
on HIP08. During the time interval, users can still dereg MR and
rsv_qp will be used in this process, leading to a UAF. Move the
release of rsv_qp after calling ib_unregister_device() to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47750

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47751
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()

Within kirin_pcie_parse_port(), the pcie->num_slots is compared to
pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead
to an overflow.

Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
pcie->num_slots increment below the if-statement to avoid out-of-bounds
array access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

[kwilczynski: commit log]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47751

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47752
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: Fix H264 stateless decoder smatch warning

Fix a smatch static checker warning on vdec_h264_req_if.c.
Which leads to a kernel crash when fb is NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47752

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47753
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning

Fix a smatch static checker warning on vdec_vp8_req_if.c.
Which leads to a kernel crash when fb is NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47753

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47754
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: Fix H264 multi stateless decoder smatch warning

Fix a smatch static checker warning on vdec_h264_req_multi_if.c.
Which leads to a kernel crash when fb is NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47754

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47756
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI: keystone: Fix if-statement expression in ks_pcie_quirk()

This code accidentally uses && where || was intended.  It potentially
results in a NULL dereference.

Thus, fix the if-statement expression to use the correct condition.

[kwilczynski: commit log]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47756

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-47757
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential oob read in nilfs_btree_check_delete()

The function nilfs_btree_check_delete(), which checks whether degeneration
to direct mapping occurs before deleting a b-tree entry, causes memory
access outside the block buffer when retrieving the maximum key if the
root node has no entries.

This does not usually happen because b-tree mappings with 0 child nodes
are never created by mkfs.nilfs2 or nilfs2 itself.  However, it can happen
if the b-tree root node read from a device is configured that way, so fix
this potential issue by adding a check for that case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47757

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49850
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos

In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL
referencing a non-existing BTF type, function bpf_core_calc_relo_insn
would cause a null pointer deference.

Fix this by adding a proper check upper in call stack, as malformed
relocation records could be passed from user space.

Simplest reproducer is a program:

    r0 = 0
    exit

With a single relocation record:

    .insn_off = 0,          /* patch first instruction */
    .type_id = 100500,      /* this type id does not exist */
    .access_str_off = 6,    /* offset of string "0" */
    .kind = BPF_CORE_TYPE_ID_LOCAL,

See the link for original reproducer or next commit for a test case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49850

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49851
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tpm: Clean up TPM space after command failure

tpm_dev_transmit prepares the TPM space before attempting command
transmission. However if the command fails no rollback of this
preparation is done. This can result in transient handles being leaked
if the device is subsequently closed with no further commands performed.

Fix this by flushing the space in the event of command transmission
failure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49851

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49852
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()

The kref_put() function will call nport->release if the refcount drops to
zero.  The nport->release release function is _efc_nport_free() which frees
"nport".  But then we dereference "nport" on the next line which is a use
after free.  Re-order these lines to avoid the use after free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49852

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49853
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Fix double free in OPTEE transport

Channels can be shared between protocols, avoid freeing the same channel
descriptors twice when unloading the stack.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49853

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49854
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix uaf for accessing waker_bfqq after splitting

After commit 42c306ed7233 ("block, bfq: don't break merge chain in
bfq_split_bfqq()"), if the current procress is the last holder of bfqq,
the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and
then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq
may in the merge chain of bfqq, hence just recored waker_bfqq is still
not safe.

Fix the problem by adding a helper bfq_waker_bfqq() to check if
bfqq->waker_bfqq is in the merge chain, and current procress is the only
holder.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49854

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49855
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nbd: fix race between timeout and normal completion

If request timetout is handled by nbd_requeue_cmd(), normal completion
has to be stopped for avoiding to complete this requeued request, other
use-after-free can be triggered.

Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime
make sure that cmd->lock is grabbed for clearing the flag and the
requeue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49855

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49856
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/sgx: Fix deadlock in SGX NUMA node search

When the current node doesn't have an EPC section configured by firmware
and all other EPC sections are used up, CPU can get stuck inside the
while loop that looks for an available EPC page from remote nodes
indefinitely, leading to a soft lockup. Note how nid_of_current will
never be equal to nid in that while loop because nid_of_current is not
set in sgx_numa_mask.

Also worth mentioning is that it's perfectly fine for the firmware not
to setup an EPC section on a node. While setting up an EPC section on
each node can enhance performance, it is not a requirement for
functionality.

Rework the loop to start and end on *a* node that has SGX memory. This
avoids the deadlock looking for the current SGX-lacking node to show up
in the loop when it never will.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49856

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49857
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: set the cipher for secured NDP ranging

The cipher pointer is not set, but is derefereced trying to set its
content, which leads to a NULL pointer dereference.
Fix it by pointing to the cipher parameter before dereferencing.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49857

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49858
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption

The TPM event log table is a Linux specific construct, where the data
produced by the GetEventLog() boot service is cached in memory, and
passed on to the OS using an EFI configuration table.

The use of EFI_LOADER_DATA here results in the region being left
unreserved in the E820 memory map constructed by the EFI stub, and this
is the memory description that is passed on to the incoming kernel by
kexec, which is therefore unaware that the region should be reserved.

Even though the utility of the TPM2 event log after a kexec is
questionable, any corruption might send the parsing code off into the
weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY
instead, which is always treated as reserved by the E820 conversion
logic.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49858

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49859
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to check atomic_file in f2fs ioctl interfaces

Some f2fs ioctl interfaces like f2fs_ioc_set_pin_file(),
f2fs_move_file_range(), and f2fs_defragment_range() missed to
check atomic_write status, which may cause potential race issue,
fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49859

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49860
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ACPI: sysfs: validate return type of _STR method

Only buffer objects are valid return values of _STR.

If something else is returned description_show() will access invalid
memory.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49860

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49861
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix helper writes to read-only maps

Lonial found an issue that despite user- and BPF-side frozen BPF map
(like in case of .rodata), it was still possible to write into it from
a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}
as arguments.

In check_func_arg() when the argument is as mentioned, the meta->raw_mode
is never set. Later, check_helper_mem_access(), under the case of
PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the
subsequent call to check_map_access_type() and given the BPF map is
read-only it succeeds.

The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT
when results are written into them as opposed to read out of them. The
latter indicates that it's okay to pass a pointer to uninitialized memory
as the memory is written to anyway.

However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM
just with additional alignment requirement. So it is better to just get
rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the
fixed size memory types. For this, add MEM_ALIGNED to additionally ensure
alignment given these helpers write directly into the args via *<ptr> = val.
The .arg*_size has been initialized reflecting the actual sizeof(*<ptr>).

MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated
argument types, since in !MEM_FIXED_SIZE cases the verifier does not know
the buffer size a priori and therefore cannot blindly write *<ptr> = val.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49861

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49862
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

powercap: intel_rapl: Fix off by one in get_rpi()

The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have
NR_RAPL_PRIMITIVES number of elements.  Thus the > needs to be >=
to prevent an off by one access.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49862

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49863
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()

Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code
from control queue handler") a null pointer dereference bug can be
triggered when guest sends an SCSI AN request.

In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with
`&v_req.tmf.lun[1]` within a switch-case block and is then passed to
vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for
a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is
set to NULL in this branch. Later, in vhost_scsi_get_req(),
`vc->target` is dereferenced without being checked, leading to a null
pointer dereference bug. This bug can be triggered from guest.

When this bug occurs, the vhost_worker process is killed while holding
`vq->mutex` and the corresponding tpg will remain occupied
indefinitely.

Below is the KASAN report:
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vhost_scsi_get_req+0x165/0x3a0
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00
48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6
04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00
RSP: 0018:ffff888017affb50 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8
RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000
FS:  000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0
Call Trace:
 <TASK>
 ? show_regs+0x86/0xa0
 ? die_addr+0x4b/0xd0
 ? exc_general_protection+0x163/0x260
 ? asm_exc_general_protection+0x27/0x30
 ? vhost_scsi_get_req+0x165/0x3a0
 vhost_scsi_ctl_handle_vq+0x2a4/0xca0
 ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10
 ? __switch_to+0x721/0xeb0
 ? __schedule+0xda5/0x5710
 ? __kasan_check_write+0x14/0x30
 ? _raw_spin_lock+0x82/0xf0
 vhost_scsi_ctl_handle_kick+0x52/0x90
 vhost_run_work_list+0x134/0x1b0
 vhost_task_fn+0x121/0x350
...
 </TASK>
---[ end trace 0000000000000000 ]---

Let's add a check in vhost_scsi_get_req.

[whitespace fixes]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49863

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49864
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix a race between socket set up and I/O thread creation

In rxrpc_open_socket(), it sets up the socket and then sets up the I/O
thread that will handle it.  This is a problem, however, as there's a gap
between the two phases in which a packet may come into rxrpc_encap_rcv()
from the UDP packet but we oops when trying to wake the not-yet created I/O
thread.

As a quick fix, just make rxrpc_encap_rcv() discard the packet if there's
no I/O thread yet.

A better, but more intrusive fix would perhaps be to rearrange things such
that the socket creation is done by the I/O thread.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49864

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49865
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe/vm: move xa_alloc to prevent UAF

Evil user can guess the next id of the vm before the ioctl completes and
then call vm destroy ioctl to trigger UAF since create ioctl is still
referencing the same vm. Move the xa_alloc all the way to the end to
prevent this.

v2:
 - Rebase

(cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49865

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49866
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing/timerlat: Fix a race during cpuhp processing

There is another found exception that the "timerlat/1" thread was
scheduled on CPU0, and lead to timer corruption finally:

```
ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220
WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0
Modules linked in:
CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
 <TASK>
 ? __warn+0x7c/0x110
 ? debug_print_object+0x7d/0xb0
 ? report_bug+0xf1/0x1d0
 ? prb_read_valid+0x17/0x20
 ? handle_bug+0x3f/0x70
 ? exc_invalid_op+0x13/0x60
 ? asm_exc_invalid_op+0x16/0x20
 ? debug_print_object+0x7d/0xb0
 ? debug_print_object+0x7d/0xb0
 ? __pfx_timerlat_irq+0x10/0x10
 __debug_object_init+0x110/0x150
 hrtimer_init+0x1d/0x60
 timerlat_main+0xab/0x2d0
 ? __pfx_timerlat_main+0x10/0x10
 kthread+0xb7/0xe0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2d/0x40
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>
```

After tracing the scheduling event, it was discovered that the migration
of the "timerlat/1" thread was performed during thread creation. Further
analysis confirmed that it is because the CPU online processing for
osnoise is implemented through workers, which is asynchronous with the
offline processing. When the worker was scheduled to create a thread, the
CPU may has already been removed from the cpu_online_mask during the offline
process, resulting in the inability to select the right CPU:

T1                       | T2
[CPUHP_ONLINE]           | cpu_device_down()
osnoise_hotplug_workfn() |
                         |     cpus_write_lock()
                         |     takedown_cpu(1)
                         |     cpus_write_unlock()
[CPUHP_OFFLINE]          |
    cpus_read_lock()     |
    start_kthread(1)     |
    cpus_read_unlock()   |

To fix this, skip online processing if the CPU is already offline.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49866

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49867
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: wait for fixup workers before stopping cleaner kthread during umount

During unmount, at close_ctree(), we have the following steps in this order:

1) Park the cleaner kthread - this doesn't destroy the kthread, it basically
   halts its execution (wake ups against it work but do nothing);

2) We stop the cleaner kthread - this results in freeing the respective
   struct task_struct;

3) We call btrfs_stop_all_workers() which waits for any jobs running in all
   the work queues and then free the work queues.

Syzbot reported a case where a fixup worker resulted in a crash when doing
a delayed iput on its inode while attempting to wake up the cleaner at
btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread
was already freed. This can happen during unmount because we don't wait
for any fixup workers still running before we call kthread_stop() against
the cleaner kthread, which stops and free all its resources.

Fix this by waiting for any fixup workers at close_ctree() before we call
kthread_stop() against the cleaner and run pending delayed iputs.

The stack traces reported by syzbot were the following:

  BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
  Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52

  CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
  Workqueue: btrfs-fixup btrfs_work_helper
  Call Trace:
   <TASK>
   __dump_stack lib/dump_stack.c:94 [inline]
   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
   print_address_description mm/kasan/report.c:377 [inline]
   print_report+0x169/0x550 mm/kasan/report.c:488
   kasan_report+0x143/0x180 mm/kasan/report.c:601
   __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
   try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154
   btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842
   btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314
   process_one_work kernel/workqueue.c:3229 [inline]
   process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
   worker_thread+0x870/0xd30 kernel/workqueue.c:3391
   kthread+0x2f0/0x390 kernel/kthread.c:389
   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
   </TASK>

  Allocated by task 2:
   kasan_save_stack mm/kasan/common.c:47 [inline]
   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
   unpoison_slab_object mm/kasan/common.c:319 [inline]
   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
   kasan_slab_alloc include/linux/kasan.h:247 [inline]
   slab_post_alloc_hook mm/slub.c:4086 [inline]
   slab_alloc_node mm/slub.c:4135 [inline]
   kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187
   alloc_task_struct_node kernel/fork.c:180 [inline]
   dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
   copy_process+0x5d1/0x3d50 kernel/fork.c:2206
   kernel_clone+0x223/0x880 kernel/fork.c:2787
   kernel_thread+0x1bc/0x240 kernel/fork.c:2849
   create_kthread kernel/kthread.c:412 [inline]
   kthreadd+0x60d/0x810 kernel/kthread.c:765
   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

  Freed by task 61:
   kasan_save_stack mm/kasan/common.c:47 [inline]
   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
   poison_slab_object mm/kasan/common.c:247 [inline]
   __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
   kasan_slab_free include/linux/kasan.h:230 [inline]
   slab_free_h
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49867

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49868
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix a NULL pointer dereference when failed to start a new trasacntion

[BUG]
Syzbot reported a NULL pointer dereference with the following crash:

  FAULT_INJECTION: forcing a failure.
   start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676
   prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642
   relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678
  ...
  BTRFS info (device loop0): balance: ended with status: -12
  Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]
  RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926
  Call Trace:
   <TASK>
   commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496
   btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430
   del_balance_item fs/btrfs/volumes.c:3678 [inline]
   reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742
   btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574
   btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:907 [inline]
   __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

[CAUSE]
The allocation failure happens at the start_transaction() inside
prepare_to_relocate(), and during the error handling we call
unset_reloc_control(), which makes fs_info->balance_ctl to be NULL.

Then we continue the error path cleanup in btrfs_balance() by calling
reset_balance_state() which will call del_balance_item() to fully delete
the balance item in the root tree.

However during the small window between set_reloc_contrl() and
unset_reloc_control(), we can have a subvolume tree update and created a
reloc_root for that subvolume.

Then we go into the final btrfs_commit_transaction() of
del_balance_item(), and into btrfs_update_reloc_root() inside
commit_fs_roots().

That function checks if fs_info->reloc_ctl is in the merge_reloc_tree
stage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer
dereference.

[FIX]
Just add extra check on fs_info->reloc_ctl inside
btrfs_update_reloc_root(), before checking
fs_info->reloc_ctl->merge_reloc_tree.

That DEAD_RELOC_TREE handling is to prevent further modification to the
reloc tree during merge stage, but since there is no reloc_ctl at all,
we do not need to bother that.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49868

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49869
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: send: fix buffer overflow detection when copying path to cache entry

Starting with commit c0247d289e73 ("btrfs: send: annotate struct
name_cache_entry with __counted_by()") we annotated the variable length
array "name" from the name_cache_entry structure with __counted_by() to
improve overflow detection. However that alone was not correct, because
the length of that array does not match the "name_len" field - it matches
that plus 1 to include the NUL string terminator, so that makes a
fortified kernel think there's an overflow and report a splat like this:

  strcpy: detected buffer overflow: 20 byte write of buffer size 19
  WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50
  CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1
  Hardware name: CompuLab Ltd.  sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018
  RIP: 0010:__fortify_report+0x45/0x50
  Code: 48 8b 34 (...)
  RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246
  RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027
  RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8
  RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd
  R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400
  R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8
  FS:  00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0
  Call Trace:
   <TASK>
   ? __warn+0x12a/0x1d0
   ? __fortify_report+0x45/0x50
   ? report_bug+0x154/0x1c0
   ? handle_bug+0x42/0x70
   ? exc_invalid_op+0x1a/0x50
   ? asm_exc_invalid_op+0x1a/0x20
   ? __fortify_report+0x45/0x50
   __fortify_panic+0x9/0x10
  __get_cur_name_and_parent+0x3bc/0x3c0
   get_cur_path+0x207/0x3b0
   send_extent_data+0x709/0x10d0
   ? find_parent_nodes+0x22df/0x25d0
   ? mas_nomem+0x13/0x90
   ? mtree_insert_range+0xa5/0x110
   ? btrfs_lru_cache_store+0x5f/0x1e0
   ? iterate_extent_inodes+0x52d/0x5a0
   process_extent+0xa96/0x11a0
   ? __pfx_lookup_backref_cache+0x10/0x10
   ? __pfx_store_backref_cache+0x10/0x10
   ? __pfx_iterate_backrefs+0x10/0x10
   ? __pfx_check_extent_item+0x10/0x10
   changed_cb+0x6fa/0x930
   ? tree_advance+0x362/0x390
   ? memcmp_extent_buffer+0xd7/0x160
   send_subvol+0xf0a/0x1520
   btrfs_ioctl_send+0x106b/0x11d0
   ? __pfx___clone_root_cmp_sort+0x10/0x10
   _btrfs_ioctl_send+0x1ac/0x240
   btrfs_ioctl+0x75b/0x850
   __se_sys_ioctl+0xca/0x150
   do_syscall_64+0x85/0x160
   ? __count_memcg_events+0x69/0x100
   ? handle_mm_fault+0x1327/0x15c0
   ? __se_sys_rt_sigprocmask+0xf1/0x180
   ? syscall_exit_to_user_mode+0x75/0xa0
   ? do_syscall_64+0x91/0x160
   ? do_user_addr_fault+0x21d/0x630
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
  RIP: 0033:0x7fae145eeb4f
  Code: 00 48 89 (...)
  RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f
  RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004
  RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927
  R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8
  R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004
   </TASK>

Fix this by not storing the NUL string terminator since we don't actually
need it for name cache entries, this way "name_len" corresponds to the
actual size of the "name" array. This requires marking the "name" array
field with __nonstring and using memcpy() instead of strcpy() as
recommended by the guidelines at:

   https://github.com/KSPP/linux/issues/90
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49869

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49870
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix dentry leak in cachefiles_open_file()

A dentry leak may be caused when a lookup cookie and a cull are concurrent:

            P1             |             P2
-----------------------------------------------------------
cachefiles_lookup_cookie
  cachefiles_look_up_object
    lookup_one_positive_unlocked
     // get dentry
                            cachefiles_cull
                              inode->i_flags |= S_KERNEL_FILE;
    cachefiles_open_file
      cachefiles_mark_inode_in_use
        __cachefiles_mark_inode_in_use
          can_use = false
          if (!(inode->i_flags & S_KERNEL_FILE))
            can_use = true
	  return false
        return false
        // Returns an error but doesn't put dentry

After that the following WARNING will be triggered when the backend folder
is umounted:

==================================================================
BUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img}  still in use (1) [unmount of ext4 sda]
WARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70
CPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25
RIP: 0010:umount_check+0x5d/0x70
Call Trace:
 <TASK>
 d_walk+0xda/0x2b0
 do_one_tree+0x20/0x40
 shrink_dcache_for_umount+0x2c/0x90
 generic_shutdown_super+0x20/0x160
 kill_block_super+0x1a/0x40
 ext4_kill_sb+0x22/0x40
 deactivate_locked_super+0x35/0x80
 cleanup_mnt+0x104/0x160
==================================================================

Whether cachefiles_open_file() returns true or false, the reference count
obtained by lookup_positive_unlocked() in cachefiles_look_up_object()
should be released.

Therefore release that reference count in cachefiles_look_up_object() to
fix the above issue and simplify the code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49870

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49871
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Input: adp5589-keys - fix NULL pointer dereference

We register a devm action to call adp5589_clear_config() and then pass
the i2c client as argument so that we can call i2c_get_clientdata() in
order to get our device object. However, i2c_set_clientdata() is only
being set at the end of the probe function which means that we'll get a
NULL pointer dereference in case the probe function fails early.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49871

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49872
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/gup: fix memfd_pin_folios alloc race panic

If memfd_pin_folios tries to create a hugetlb page, but someone else
already did, then folio gets the value -EEXIST here:

        folio = memfd_alloc_folio(memfd, start_idx);
        if (IS_ERR(folio)) {
                ret = PTR_ERR(folio);
                if (ret != -EEXIST)
                        goto err;

then on the next trip through the "while start_idx" loop we panic here:

        if (folio) {
                folio_put(folio);

To fix, set the folio to NULL on error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49872

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49873
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/filemap: fix filemap_get_folios_contig THP panic

Patch series "memfd-pin huge page fixes".

Fix multiple bugs that occur when using memfd_pin_folios with hugetlb
pages and THP.  The hugetlb bugs only bite when the page is not yet
faulted in when memfd_pin_folios is called.  The THP bug bites when the
starting offset passed to memfd_pin_folios is not huge page aligned.  See
the commit messages for details.


This patch (of 5):

memfd_pin_folios on memory backed by THP panics if the requested start
offset is not huge page aligned:

BUG: kernel NULL pointer dereference, address: 0000000000000036
RIP: 0010:filemap_get_folios_contig+0xdf/0x290
RSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000002

The fault occurs here, because xas_load returns a folio with value 2:

    filemap_get_folios_contig()
        for (folio = xas_load(&xas); folio && xas.xa_index <= end;
                        folio = xas_next(&xas)) {
                ...
                if (!folio_try_get(folio))   <-- BOOM

"2" is an xarray sibling entry.  We get it because memfd_pin_folios does
not round the indices passed to filemap_get_folios_contig to huge page
boundaries for THP, so we load from the middle of a huge page range see a
sibling.  (It does round for hugetlbfs, at the is_file_hugepages test).

To fix, if the folio is a sibling, then return the next index as the
starting point for the next call to filemap_get_folios_contig.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49873

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49874
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition

In the svc_i3c_master_probe function, &master->hj_work is bound with
svc_i3c_master_hj_work, &master->ibi_work is bound with
svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work  can start the
hj_work, svc_i3c_master_irq_handler can start the ibi_work.

If we remove the module which will call svc_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                         CPU1

                                    | svc_i3c_master_hj_work
svc_i3c_master_remove               |
i3c_master_unregister(&master->base)|
device_unregister(&master->dev)     |
device_release                      |
//free master->base                 |
                                    | i3c_master_do_daa(&master->base)
                                    | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the
cleanup in svc_i3c_master_remove.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49874

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49875
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: map the EBADMSG to nfserr_io to avoid warning

Ext4 will throw -EBADMSG through ext4_readdir when a checksum error
occurs, resulting in the following WARNING.

Fix it by mapping EBADMSG to nfserr_io.

nfsd_buffered_readdir
 iterate_dir // -EBADMSG -74
  ext4_readdir // .iterate_shared
   ext4_dx_readdir
    ext4_htree_fill_tree
     htree_dirblock_to_tree
      ext4_read_dirblock
       __ext4_read_dirblock
        ext4_dirblock_csum_verify
         warn_no_space_for_csum
          __warn_no_space_for_csum
        return ERR_PTR(-EFSBADCRC) // -EBADMSG -74
 nfserrno // WARNING

[  161.115610] ------------[ cut here ]------------
[  161.116465] nfsd: non-standard errno: -74
[  161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0
[  161.118596] Modules linked in:
[  161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138
[  161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe
mu.org 04/01/2014
[  161.123601] RIP: 0010:nfserrno+0x9d/0xd0
[  161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6
 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33
[  161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286
[  161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a
[  161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827
[  161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021
[  161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8
[  161.135244] FS:  0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000
[  161.136695] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0
[  161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  161.141519] PKRU: 55555554
[  161.142076] Call Trace:
[  161.142575]  ? __warn+0x9b/0x140
[  161.143229]  ? nfserrno+0x9d/0xd0
[  161.143872]  ? report_bug+0x125/0x150
[  161.144595]  ? handle_bug+0x41/0x90
[  161.145284]  ? exc_invalid_op+0x14/0x70
[  161.146009]  ? asm_exc_invalid_op+0x12/0x20
[  161.146816]  ? nfserrno+0x9d/0xd0
[  161.147487]  nfsd_buffered_readdir+0x28b/0x2b0
[  161.148333]  ? nfsd4_encode_dirent_fattr+0x380/0x380
[  161.149258]  ? nfsd_buffered_filldir+0xf0/0xf0
[  161.150093]  ? wait_for_concurrent_writes+0x170/0x170
[  161.151004]  ? generic_file_llseek_size+0x48/0x160
[  161.151895]  nfsd_readdir+0x132/0x190
[  161.152606]  ? nfsd4_encode_dirent_fattr+0x380/0x380
[  161.153516]  ? nfsd_unlink+0x380/0x380
[  161.154256]  ? override_creds+0x45/0x60
[  161.155006]  nfsd4_encode_readdir+0x21a/0x3d0
[  161.155850]  ? nfsd4_encode_readlink+0x210/0x210
[  161.156731]  ? write_bytes_to_xdr_buf+0x97/0xe0
[  161.157598]  ? __write_bytes_to_xdr_buf+0xd0/0xd0
[  161.158494]  ? lock_downgrade+0x90/0x90
[  161.159232]  ? nfs4svc_decode_voidarg+0x10/0x10
[  161.160092]  nfsd4_encode_operation+0x15a/0x440
[  161.160959]  nfsd4_proc_compound+0x718/0xe90
[  161.161818]  nfsd_dispatch+0x18e/0x2c0
[  161.162586]  svc_process_common+0x786/0xc50
[  161.163403]  ? nfsd_svc+0x380/0x380
[  161.164137]  ? svc_printk+0x160/0x160
[  161.164846]  ? svc_xprt_do_enqueue.part.0+0x365/0x380
[  161.165808]  ? nfsd_svc+0x380/0x380
[  161.166523]  ? rcu_is_watching+0x23/0x40
[  161.167309]  svc_process+0x1a5/0x200
[  161.168019]  nfsd+0x1f5/0x380
[  161.168663]  ? nfsd_shutdown_threads+0x260/0x260
[  161.169554]  kthread+0x1c4/0x210
[  161.170224]  ? kthread_insert_work_sanity_check+0x80/0x80
[  161.171246]  ret_from_fork+0x1f/0x30
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49875

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49876
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: fix UAF around queue destruction

We currently do stuff like queuing the final destruction step on a
random system wq, which will outlive the driver instance. With bad
timing we can teardown the driver with one or more work workqueue still
being alive leading to various UAF splats. Add a fini step to ensure
user queues are properly torn down. At this point GuC should already be
nuked so queue itself should no longer be referenced from hw pov.

v2 (Matt B)
 - Looks much safer to use a waitqueue and then just wait for the
   xa_array to become empty before triggering the drain.

(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49876

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49877
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate

When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger
NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if
bh is NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49877

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49878
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

resource: fix region_intersects() vs add_memory_driver_managed()

On a system with CXL memory, the resource tree (/proc/iomem) related to
CXL memory may look like something as follows.

490000000-50fffffff : CXL Window 0
  490000000-50fffffff : region0
    490000000-50fffffff : dax0.0
      490000000-50fffffff : System RAM (kmem)

Because drivers/dax/kmem.c calls add_memory_driver_managed() during
onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL
Window X".  This confuses region_intersects(), which expects all "System
RAM" resources to be at the top level of iomem_resource.  This can lead to
bugs.

For example, when the following command line is executed to write some
memory in CXL memory range via /dev/mem,

 $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1
 dd: error writing '/dev/mem': Bad address
 1+0 records in
 0+0 records out
 0 bytes copied, 0.0283507 s, 0.0 kB/s

the command fails as expected.  However, the error code is wrong.  It
should be "Operation not permitted" instead of "Bad address".  More
seriously, the /dev/mem permission checking in devmem_is_allowed() passes
incorrectly.  Although the accessing is prevented later because ioremap()
isn't allowed to map system RAM, it is a potential security issue.  During
command executing, the following warning is reported in the kernel log for
calling ioremap() on system RAM.

 ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff
 WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d
 Call Trace:
  memremap+0xcb/0x184
  xlate_dev_mem_ptr+0x25/0x2f
  write_mem+0x94/0xfb
  vfs_write+0x128/0x26d
  ksys_write+0xac/0xfe
  do_syscall_64+0x9a/0xfd
  entry_SYSCALL_64_after_hwframe+0x4b/0x53

The details of command execution process are as follows.  In the above
resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a
top level resource.  So, region_intersects() will report no System RAM
resources in the CXL memory region incorrectly, because it only checks the
top level resources.  Consequently, devmem_is_allowed() will return 1
(allow access via /dev/mem) for CXL memory region incorrectly. 
Fortunately, ioremap() doesn't allow to map System RAM and reject the
access.

So, region_intersects() needs to be fixed to work correctly with the
resource tree with "System RAM" not at top level as above.  To fix it, if
we found a unmatched resource in the top level, we will continue to search
matched resources in its descendant resources.  So, we will not miss any
matched resources in resource tree anymore.

In the new implementation, an example resource tree

|------------- "CXL Window 0" ------------|
|-- "System RAM" --|

will behave similar as the following fake resource tree for
region_intersects(, IORESOURCE_SYSTEM_RAM, ),

|-- "System RAM" --||-- "CXL Window 0a" --|

Where "CXL Window 0a" is part of the original "CXL Window 0" that
isn't covered by "System RAM".
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49878

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49879
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm: omapdrm: Add missing check for alloc_ordered_workqueue

As it may return NULL pointer and cause NULL pointer dereference. Add check
for the return value of alloc_ordered_workqueue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49879

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49880
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off by one issue in alloc_flex_gd()

Wesley reported an issue:

==================================================================
EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks
------------[ cut here ]------------
kernel BUG at fs/ext4/resize.c:324!
CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27
RIP: 0010:ext4_resize_fs+0x1212/0x12d0
Call Trace:
 __ext4_ioctl+0x4e0/0x1800
 ext4_ioctl+0x12/0x20
 __x64_sys_ioctl+0x99/0xd0
 x64_sys_call+0x1206/0x20d0
 do_syscall_64+0x72/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
==================================================================

While reviewing the patch, Honza found that when adjusting resize_bg in
alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than
flexbg_size.

The reproduction of the problem requires the following:

 o_group = flexbg_size * 2 * n;
 o_size = (o_group + 1) * group_size;
 n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)
 o_size = (n_group + 1) * group_size;

Take n=0,flexbg_size=16 as an example:

              last:15
|o---------------|--------------n-|
o_group:0    resize to      n_group:30

The corresponding reproducer is:

img=test.img
rm -f $img
truncate -s 600M $img
mkfs.ext4 -F $img -b 1024 -G 16 8M
dev=`losetup -f --show $img`
mkdir -p /tmp/test
mount $dev /tmp/test
resize2fs $dev 248M

Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()
to prevent the issue from happening again.

[ Note: another reproucer which this commit fixes is:

  img=test.img
  rm -f $img
  truncate -s 25MiB $img
  mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img
  truncate -s 3GiB $img
  dev=`losetup -f --show $img`
  mkdir -p /tmp/test
  mount $dev /tmp/test
  resize2fs $dev 3G
  umount $dev
  losetup -d $dev

  -- TYT ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49880

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49881
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: update orig_path in ext4_find_extent()

In ext4_find_extent(), if the path is not big enough, we free it and set
*orig_path to NULL. But after reallocating and successfully initializing
the path, we don't update *orig_path, in which case the caller gets a
valid path but a NULL ppath, and this may cause a NULL pointer dereference
or a path memory leak. For example:

ext4_split_extent
  path = *ppath = 2000
  ext4_find_extent
    if (depth > path[0].p_maxdepth)
      kfree(path = 2000);
      *orig_path = path = NULL;
      path = kcalloc() = 3000
  ext4_split_extent_at(*ppath = NULL)
    path = *ppath;
    ex = path[depth].p_ext;
    // NULL pointer dereference!

==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
RIP: 0010:ext4_split_extent_at+0x6d/0x560
Call Trace:
 <TASK>
 ext4_split_extent.isra.0+0xcb/0x1b0
 ext4_ext_convert_to_initialized+0x168/0x6c0
 ext4_ext_handle_unwritten_extents+0x325/0x4d0
 ext4_ext_map_blocks+0x520/0xdb0
 ext4_map_blocks+0x2b0/0x690
 ext4_iomap_begin+0x20e/0x2c0
[...]
==================================================================

Therefore, *orig_path is updated when the extent lookup succeeds, so that
the caller can safely use path or *ppath.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49881

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49882
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: fix double brelse() the buffer of the extents path

In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been
released, otherwise it may be released twice. An example of what triggers
this is as follows:

  split2    map    split1
|--------|-------|--------|

ext4_ext_map_blocks
 ext4_ext_handle_unwritten_extents
  ext4_split_convert_extents
   // path->p_depth == 0
   ext4_split_extent
     // 1. do split1
     ext4_split_extent_at
       |ext4_ext_insert_extent
       |  ext4_ext_create_new_leaf
       |    ext4_ext_grow_indepth
       |      le16_add_cpu(&neh->eh_depth, 1)
       |    ext4_find_extent
       |      // return -ENOMEM
       |// get error and try zeroout
       |path = ext4_find_extent
       |  path->p_depth = 1
       |ext4_ext_try_to_merge
       |  ext4_ext_try_to_merge_up
       |    path->p_depth = 0
       |    brelse(path[1].p_bh)  ---> not set to NULL here
       |// zeroout success
     // 2. update path
     ext4_find_extent
     // 3. do split2
     ext4_split_extent_at
       ext4_ext_insert_extent
         ext4_ext_create_new_leaf
           ext4_ext_grow_indepth
             le16_add_cpu(&neh->eh_depth, 1)
           ext4_find_extent
             path[0].p_bh = NULL;
             path->p_depth = 1
             read_extent_tree_block  ---> return err
             // path[1].p_bh is still the old value
             ext4_free_ext_path
               ext4_ext_drop_refs
                 // path->p_depth == 1
                 brelse(path[1].p_bh)  ---> brelse a buffer twice

Finally got the following WARRNING when removing the buffer from lru:

============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:__brelse+0x58/0x90
Call Trace:
 <TASK>
 __find_get_block+0x6e7/0x810
 bdev_getblk+0x2b/0x480
 __ext4_get_inode_loc+0x48a/0x1240
 ext4_get_inode_loc+0xb2/0x150
 ext4_reserve_inode_write+0xb7/0x230
 __ext4_mark_inode_dirty+0x144/0x6a0
 ext4_ext_insert_extent+0x9c8/0x3230
 ext4_ext_map_blocks+0xf45/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]
============================================
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49882

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49883
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: aovid use-after-free in ext4_ext_insert_extent()

As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is
reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and
cause UAF. Below is a sample trace with dummy values:

ext4_ext_insert_extent
  path = *ppath = 2000
  ext4_ext_create_new_leaf(ppath)
    ext4_find_extent(ppath)
      path = *ppath = 2000
      if (depth > path[0].p_maxdepth)
            kfree(path = 2000);
            *ppath = path = NULL;
      path = kcalloc() = 3000
      *ppath = 3000;
      return path;
  /* here path is still 2000, UAF! */
  eh = path[depth].p_hdr

==================================================================
BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330
Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179
CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866
Call Trace:
 <TASK>
 ext4_ext_insert_extent+0x26d4/0x3330
 ext4_ext_map_blocks+0xe22/0x2d40
 ext4_map_blocks+0x71e/0x1700
 ext4_do_writepages+0x1290/0x2800
[...]

Allocated by task 179:
 ext4_find_extent+0x81c/0x1f70
 ext4_ext_map_blocks+0x146/0x2d40
 ext4_map_blocks+0x71e/0x1700
 ext4_do_writepages+0x1290/0x2800
 ext4_writepages+0x26d/0x4e0
 do_writepages+0x175/0x700
[...]

Freed by task 179:
 kfree+0xcb/0x240
 ext4_find_extent+0x7c0/0x1f70
 ext4_ext_insert_extent+0xa26/0x3330
 ext4_ext_map_blocks+0xe22/0x2d40
 ext4_map_blocks+0x71e/0x1700
 ext4_do_writepages+0x1290/0x2800
 ext4_writepages+0x26d/0x4e0
 do_writepages+0x175/0x700
[...]
==================================================================

So use *ppath to update the path to avoid the above problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49883

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49884
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: fix slab-use-after-free in ext4_split_extent_at()

We hit the following use-after-free:

==================================================================
BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
Call Trace:
 <TASK>
 kasan_report+0x93/0xc0
 ext4_split_extent_at+0xba8/0xcc0
 ext4_split_extent.isra.0+0x18f/0x500
 ext4_split_convert_extents+0x275/0x750
 ext4_ext_handle_unwritten_extents+0x73e/0x1580
 ext4_ext_map_blocks+0xe20/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]

Allocated by task 40:
 __kmalloc_noprof+0x1ac/0x480
 ext4_find_extent+0xf3b/0x1e70
 ext4_ext_map_blocks+0x188/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]

Freed by task 40:
 kfree+0xf1/0x2b0
 ext4_find_extent+0xa71/0x1e70
 ext4_ext_insert_extent+0xa22/0x3260
 ext4_split_extent_at+0x3ef/0xcc0
 ext4_split_extent.isra.0+0x18f/0x500
 ext4_split_convert_extents+0x275/0x750
 ext4_ext_handle_unwritten_extents+0x73e/0x1580
 ext4_ext_map_blocks+0xe20/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]
==================================================================

The flow of issue triggering is as follows:

ext4_split_extent_at
  path = *ppath
  ext4_ext_insert_extent(ppath)
    ext4_ext_create_new_leaf(ppath)
      ext4_find_extent(orig_path)
        path = *orig_path
        read_extent_tree_block
          // return -ENOMEM or -EIO
        ext4_free_ext_path(path)
          kfree(path)
        *orig_path = NULL
  a. If err is -ENOMEM:
  ext4_ext_dirty(path + path->p_depth)
  // path use-after-free !!!
  b. If err is -EIO and we have EXT_DEBUG defined:
  ext4_ext_show_leaf(path)
    eh = path[depth].p_hdr
    // path also use-after-free !!!

So when trying to zeroout or fix the extent length, call ext4_find_extent()
to update the path.

In addition we use *ppath directly as an ext4_ext_show_leaf() input to
avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
unnecessary path updates.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49884

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49885
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm, slub: avoid zeroing kmalloc redzone

Since commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra
allocated kmalloc space than requested"), setting orig_size treats
the wasted space (object_size - orig_size) as a redzone. However with
init_on_free=1 we clear the full object->size, including the redzone.

Additionally we clear the object metadata, including the stored orig_size,
making it zero, which makes check_object() treat the whole object as a
redzone.

These issues lead to the following BUG report with "slub_debug=FUZ
init_on_free=1":

[    0.000000] =============================================================================
[    0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten
[    0.000000] -----------------------------------------------------------------------------
[    0.000000]
[    0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc
[    0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc
[    0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff)
[    0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8
[    0.000000]
[    0.000000] Redzone  ffff000010032850: cc cc cc cc cc cc cc cc                          ........
[    0.000000] Object   ffff000010032858: cc cc cc cc cc cc cc cc                          ........
[    0.000000] Redzone  ffff000010032860: cc cc cc cc cc cc cc cc                          ........
[    0.000000] Padding  ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00              ............
[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144
[    0.000000] Hardware name: NXP i.MX95 19X19 board (DT)
[    0.000000] Call trace:
[    0.000000]  dump_backtrace+0x90/0xe8
[    0.000000]  show_stack+0x18/0x24
[    0.000000]  dump_stack_lvl+0x74/0x8c
[    0.000000]  dump_stack+0x18/0x24
[    0.000000]  print_trailer+0x150/0x218
[    0.000000]  check_object+0xe4/0x454
[    0.000000]  free_to_partial_list+0x2f8/0x5ec

To address the issue, use orig_size to clear the used area. And restore
the value of orig_size after clear the remaining area.

When CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns
s->object_size. So when using memset to init the area, the size can simply
be orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not
enabled. And orig_size can never be bigger than object_size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49885

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49886
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug

Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".
kasan report:
[   19.411889] ==================================================================
[   19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[   19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[   19.417368]
[   19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G            E      6.9.0 #10
[   19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[   19.422687] Call Trace:
[   19.424091]  <TASK>
[   19.425448]  dump_stack_lvl+0x5d/0x80
[   19.426963]  ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[   19.428694]  print_report+0x19d/0x52e
[   19.430206]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[   19.431837]  ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[   19.433539]  kasan_report+0xf0/0x170
[   19.435019]  ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[   19.436709]  _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[   19.438379]  ? __pfx_sched_clock_cpu+0x10/0x10
[   19.439910]  isst_if_cpu_online+0x406/0x58f [isst_if_common]
[   19.441573]  ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
[   19.443263]  ? ttwu_queue_wakelist+0x2c1/0x360
[   19.444797]  cpuhp_invoke_callback+0x221/0xec0
[   19.446337]  cpuhp_thread_fun+0x21b/0x610
[   19.447814]  ? __pfx_cpuhp_thread_fun+0x10/0x10
[   19.449354]  smpboot_thread_fn+0x2e7/0x6e0
[   19.450859]  ? __pfx_smpboot_thread_fn+0x10/0x10
[   19.452405]  kthread+0x29c/0x350
[   19.453817]  ? __pfx_kthread+0x10/0x10
[   19.455253]  ret_from_fork+0x31/0x70
[   19.456685]  ? __pfx_kthread+0x10/0x10
[   19.458114]  ret_from_fork_asm+0x1a/0x30
[   19.459573]  </TASK>
[   19.460853]
[   19.462055] Allocated by task 1198:
[   19.463410]  kasan_save_stack+0x30/0x50
[   19.464788]  kasan_save_track+0x14/0x30
[   19.466139]  __kasan_kmalloc+0xaa/0xb0
[   19.467465]  __kmalloc+0x1cd/0x470
[   19.468748]  isst_if_cdev_register+0x1da/0x350 [isst_if_common]
[   19.470233]  isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
[   19.471670]  do_one_initcall+0xa4/0x380
[   19.472903]  do_init_module+0x238/0x760
[   19.474105]  load_module+0x5239/0x6f00
[   19.475285]  init_module_from_file+0xd1/0x130
[   19.476506]  idempotent_init_module+0x23b/0x650
[   19.477725]  __x64_sys_finit_module+0xbe/0x130
[   19.476506]  idempotent_init_module+0x23b/0x650
[   19.477725]  __x64_sys_finit_module+0xbe/0x130
[   19.478920]  do_syscall_64+0x82/0x160
[   19.480036]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   19.481292]
[   19.482205] The buggy address belongs to the object at ffff888829e65000
 which belongs to the cache kmalloc-512 of size 512
[   19.484818] The buggy address is located 0 bytes to the right of
 allocated 512-byte region [ffff888829e65000, ffff888829e65200)
[   19.487447]
[   19.488328] The buggy address belongs to the physical page:
[   19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
[   19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[   19.493914] page_type: 0xffffffff()
[   19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[   19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[   19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[   19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[   19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff
[   19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[   19.503784] page dumped because: k
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49886

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49887
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to don't panic system for no free segment fault injection

f2fs: fix to don't panic system for no free segment fault injection

syzbot reports a f2fs bug as below:

F2FS-fs (loop0): inject no free segment in get_new_segment of __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167
F2FS-fs (loop0): Stopped filesystem due to reason: 7
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2748!
CPU: 0 UID: 0 PID: 5109 Comm: syz-executor304 Not tainted 6.11.0-rc6-syzkaller-00363-g89f5e14d05b4 #0
RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]
RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836
Call Trace:
 __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167
 f2fs_allocate_new_section fs/f2fs/segment.c:3181 [inline]
 f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3195
 f2fs_expand_inode_data+0x5d6/0xbb0 fs/f2fs/file.c:1799
 f2fs_fallocate+0x448/0x960 fs/f2fs/file.c:1903
 vfs_fallocate+0x553/0x6c0 fs/open.c:334
 do_vfs_ioctl+0x2592/0x2e50 fs/ioctl.c:886
 __do_sys_ioctl fs/ioctl.c:905 [inline]
 __se_sys_ioctl+0x81/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]
RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836

The root cause is when we inject no free segment fault into f2fs,
we should not panic system, fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49887

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49888
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a sdiv overflow issue

Zac Ecob reported a problem where a bpf program may cause kernel crash due
to the following error:
  Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI

The failure is due to the below signed divide:
  LLONG_MIN/-1 where LLONG_MIN equals to -9,223,372,036,854,775,808.
LLONG_MIN/-1 is supposed to give a positive number 9,223,372,036,854,775,808,
but it is impossible since for 64-bit system, the maximum positive
number is 9,223,372,036,854,775,807. On x86_64, LLONG_MIN/-1 will
cause a kernel exception. On arm64, the result for LLONG_MIN/-1 is
LLONG_MIN.

Further investigation found all the following sdiv/smod cases may trigger
an exception when bpf program is running on x86_64 platform:
  - LLONG_MIN/-1 for 64bit operation
  - INT_MIN/-1 for 32bit operation
  - LLONG_MIN%-1 for 64bit operation
  - INT_MIN%-1 for 32bit operation
where -1 can be an immediate or in a register.

On arm64, there are no exceptions:
  - LLONG_MIN/-1 = LLONG_MIN
  - INT_MIN/-1 = INT_MIN
  - LLONG_MIN%-1 = 0
  - INT_MIN%-1 = 0
where -1 can be an immediate or in a register.

Insn patching is needed to handle the above cases and the patched codes
produced results aligned with above arm64 result. The below are pseudo
codes to handle sdiv/smod exceptions including both divisor -1 and divisor 0
and the divisor is stored in a register.

sdiv:
      tmp = rX
      tmp += 1 /* [-1, 0] -> [0, 1]
      if tmp >(unsigned) 1 goto L2
      if tmp == 0 goto L1
      rY = 0
  L1:
      rY = -rY;
      goto L3
  L2:
      rY /= rX
  L3:

smod:
      tmp = rX
      tmp += 1 /* [-1, 0] -> [0, 1]
      if tmp >(unsigned) 1 goto L1
      if tmp == 1 (is64 ? goto L2 : goto L3)
      rY = 0;
      goto L2
  L1:
      rY %= rX
  L2:
      goto L4  // only when !is64
  L3:
      wY = wY  // only when !is64
  L4:

  [1] https://lore.kernel.org/bpf/tPJLTEh7S_DxFEqAI2Ji5MBSoZVg7_G-Py2iaZpAaWtM961fFTWtsnlzwvTbzBzaUzwQAoNATXKUlt0LZOFgnDcIyKCswAnAGdUF3LBrhGQ=@protonmail.com/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49888

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49889
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid use-after-free in ext4_ext_show_leaf()

In ext4_find_extent(), path may be freed by error or be reallocated, so
using a previously saved *ppath may have been freed and thus may trigger
use-after-free, as follows:

ext4_split_extent
  path = *ppath;
  ext4_split_extent_at(ppath)
  path = ext4_find_extent(ppath)
  ext4_split_extent_at(ppath)
    // ext4_find_extent fails to free path
    // but zeroout succeeds
  ext4_ext_show_leaf(inode, path)
    eh = path[depth].p_hdr
    // path use-after-free !!!

Similar to ext4_split_extent_at(), we use *ppath directly as an input to
ext4_ext_show_leaf(). Fix a spelling error by the way.

Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only
used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly.

This issue is triggered only when EXT_DEBUG is defined and therefore does
not affect functionality.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49889

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49890
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: ensure the fw_info is not null before using it

This resolves the dereference null return value warning
reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49890

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49891
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths

When the HBA is undergoing a reset or is handling an errata event, NULL ptr
dereference crashes may occur in routines such as
lpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or
lpfc_abort_handler().

Add NULL ptr checks before dereferencing hdwq pointers that may have been
freed due to operations colliding with a reset or errata event handler.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49891

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49892
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Initialize get_bytes_per_element's default to 1

Variables, used as denominators and maybe not assigned to other values,
should not be 0. bytes_per_element_y & bytes_per_element_c are
initialized by get_bytes_per_element() which should never return 0.

This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49892

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49893
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check stream_status before it is used

[WHAT & HOW]
dc_state_get_stream_status can return null, and therefore null must be
checked before stream_status is used.

This fixes 1 NULL_RETURNS issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49893

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49894
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix index out of bounds in degamma hardware format translation

Fixes index out of bounds issue in
`cm_helper_translate_curve_to_degamma_hw_format` function. The issue
could occur when the index 'i' exceeds the number of transfer function
points (TRANSFER_FUNC_POINTS).

The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds the function returns
false to indicate an error.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49894

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49895
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation

This commit addresses a potential index out of bounds issue in the
`cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30
color  management module. The issue could occur when the index 'i'
exceeds the  number of transfer function points (TRANSFER_FUNC_POINTS).

The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds, the function returns
false to indicate an error.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49895

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49896
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check stream before comparing them

[WHAT & HOW]
amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is
necessary to check for null before dereferencing them.

This fixes 1 FORWARD_NULL issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49896

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49897
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check phantom_stream before it is used

dcn32_enable_phantom_stream can return null, so returned value
must be checked before used.

This fixes 1 NULL_RETURNS issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49897

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49898
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check null-initialized variables

[WHAT & HOW]
drr_timing and subvp_pipe are initialized to null and they are not
always assigned new values. It is necessary to check for null before
dereferencing.

This fixes 2 FORWARD_NULL issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49898

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49899
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Initialize denominators' default to 1

[WHAT & HOW]
Variables used as denominators and maybe not assigned to other values,
should not be 0. Change their default to 1 so they are never 0.

This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49899

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49900
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

jfs: Fix uninit-value access of new_ea in ea_buffer

syzbot reports that lzo1x_1_do_compress is using uninit-value:

=====================================================
BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178

...

Uninit was stored to memory at:
 ea_put fs/jfs/xattr.c:639 [inline]

...

Local variable ea_buf created at:
 __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662
 __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934

=====================================================

The reason is ea_buf->new_ea is not initialized properly.

Fix this by using memset to empty its content at the beginning
in ea_get().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49900

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49901
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs

There are some cases, such as the one uncovered by Commit 46d4efcccc68
("drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails")
where

msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);

is called on gpu->pdev == NULL, as the GPU device has not been fully
initialized yet.

Turns out that there's more than just the aforementioned path that
causes this to happen (e.g. the case when there's speedbin data in the
catalog, but opp-supported-hw is missing in DT).

Assigning msm_gpu->pdev earlier seems like the least painful solution
to this, therefore do so.

Patchwork: https://patchwork.freedesktop.org/patch/602742/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49901

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49902
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

jfs: check if leafidx greater than num leaves per dmap tree

syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater
than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf.

Shaggy:
Modified sanity check to apply to control pages as well as leaf pages.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49902

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49903
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

jfs: Fix uaf in dbFreeBits

[syzbot reported]
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216

CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __mutex_lock_common kernel/locking/mutex.c:587 [inline]
 __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390
 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
 dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409
 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650
 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100
 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83

Freed by task 5218:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x149/0x360 mm/slub.c:4594
 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278
 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247
 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454
 reconfigure_super+0x445/0x880 fs/super.c:1083
 vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
 vfs_fsconfig_locked fs/fsopen.c:292 [inline]
 __do_sys_fsconfig fs/fsopen.c:473 [inline]
 __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

[Analysis]
There are two paths (dbUnmount and jfs_ioc_trim) that generate race
condition when accessing bmap, which leads to the occurrence of uaf.

Use the lock s_umount to synchronize them, in order to avoid uaf caused
by race condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49903

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49904
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: add list empty check to avoid null pointer issue

Add list empty check to avoid null pointer issues in some corner cases.
- list_for_each_entry_safe()
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49904

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49905
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2)

This commit adds a null check for the 'afb' variable in the
amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was
assumed to be null, but was used later in the code without a null check.
This could potentially lead to a null pointer dereference.

Changes since v1:
- Moved the null check for 'afb' to the line where 'afb' is used. (Alex)

Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49905

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49906
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check null pointer before try to access it

[why & how]
Change the order of the pipe_ctx->plane_state check to ensure that
plane_state is not null before accessing it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49906

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49907
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check null pointers before using dc->clk_mgr

[WHY & HOW]
dc->clk_mgr is null checked previously in the same function, indicating
it might be null.

Passing "dc" to "dc->hwss.apply_idle_power_optimizations", which
dereferences null "dc->clk_mgr". (The function pointer resolves to
"dcn35_apply_idle_power_optimizations".)

This fixes 1 FORWARD_NULL issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49907

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49908
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2)

This commit adds a null check for the 'afb' variable in the
amdgpu_dm_update_cursor function. Previously, 'afb' was assumed to be
null at line 8388, but was used later in the code without a null check.
This could potentially lead to a null pointer dereference.

Changes since v1:
- Moved the null check for 'afb' to the line where 'afb' is used. (Alex)

Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:8433 amdgpu_dm_update_cursor()
	error: we previously assumed 'afb' could be null (see line 8388)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49908

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49909
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer
in the dcn32_set_output_transfer_func function. Previously,
set_output_gamma was being checked for null, but then it was being
dereferenced without any null check. This could lead to a null pointer
dereference if set_output_gamma is null.

To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a null check for set_output_gamma
before the call to set_output_gamma.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49909

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49910
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add NULL check for function pointer in dcn401_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer
in the dcn401_set_output_transfer_func function. Previously,
set_output_gamma was being checked for null, but then it was being
dereferenced without any null check. This could lead to a null pointer
dereference if set_output_gamma is null.

To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a null check for set_output_gamma
before the call to set_output_gamma.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49910

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49911
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer
in the dcn20_set_output_transfer_func function. Previously,
set_output_gamma was being checked for null at line 1030, but then it
was being dereferenced without any null check at line 1048. This could
potentially lead to a null pointer dereference error if set_output_gamma
is null.

To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a null check for set_output_gamma
before the call to set_output_gamma at line 1048.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49911

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49912
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream'

This commit adds a null check for 'stream_status' in the function
'planes_changed_for_existing_stream'. Previously, the code assumed
'stream_status' could be null, but did not handle the case where it was
actually null. This could lead to a null pointer dereference.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_resource.c:3784 planes_changed_for_existing_stream() error: we previously assumed 'stream_status' could be null (see line 3774)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49912

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49913
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream

This commit addresses a null pointer dereference issue in the
`commit_planes_for_stream` function at line 4140. The issue could occur
when `top_pipe_to_program` is null.

The fix adds a check to ensure `top_pipe_to_program` is not null before
accessing its stream_res. This prevents a null pointer dereference.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:4140 commit_planes_for_stream() error: we previously assumed 'top_pipe_to_program' could be null (see line 3906)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49913

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49914
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe

This commit addresses a null pointer dereference issue in the
`dcn20_program_pipe` function. The issue could occur when
`pipe_ctx->plane_state` is null.

The fix adds a check to ensure `pipe_ctx->plane_state` is not null
before accessing. This prevents a null pointer dereference.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn20/dcn20_hwseq.c:1925 dcn20_program_pipe() error: we previously assumed 'pipe_ctx->plane_state' could be null (see line 1877)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49914

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49915
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw

This commit addresses a potential null pointer dereference issue in the
`dcn32_init_hw` function. The issue could occur when `dc->clk_mgr` is
null.

The fix adds a check to ensure `dc->clk_mgr` is not null before
accessing its functions. This prevents a potential null pointer
dereference.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn32/dcn32_hwseq.c:961 dcn32_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 782)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49915

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49916
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn401_init_hw

This commit addresses a potential null pointer dereference issue in the
`dcn401_init_hw` function. The issue could occur when `dc->clk_mgr` or
`dc->clk_mgr->funcs` is null.

The fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is
not null before accessing its functions. This prevents a potential null
pointer dereference.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn401/dcn401_hwseq.c:416 dcn401_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 225)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49916

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49917
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw

This commit addresses a potential null pointer dereference issue in the
`dcn30_init_hw` function. The issue could occur when `dc->clk_mgr` or
`dc->clk_mgr->funcs` is null.

The fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is
not null before accessing its functions. This prevents a potential null
pointer dereference.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:789 dcn30_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 628)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49917

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49918
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer

This commit addresses a potential null pointer dereference issue in the
`dcn32_acquire_idle_pipe_for_head_pipe_in_layer` function. The issue
could occur when `head_pipe` is null.

The fix adds a check to ensure `head_pipe` is not null before asserting
it. If `head_pipe` is null, the function returns NULL to prevent a
potential null pointer dereference.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn32/dcn32_resource.c:2690 dcn32_acquire_idle_pipe_for_head_pipe_in_layer() error: we previously assumed 'head_pipe' could be null (see line 2681)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49918

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49919
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer

This commit addresses a potential null pointer dereference issue in the
`dcn201_acquire_free_pipe_for_layer` function. The issue could occur
when `head_pipe` is null.

The fix adds a check to ensure `head_pipe` is not null before asserting
it. If `head_pipe` is null, the function returns NULL to prevent a
potential null pointer dereference.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn201/dcn201_resource.c:1016 dcn201_acquire_free_pipe_for_layer() error: we previously assumed 'head_pipe' could be null (see line 1010)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49919

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49920
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check null pointers before multiple uses

[WHAT & HOW]
Poniters, such as stream_enc and dc->bw_vbios, are null checked previously
in the same function, so Coverity warns "implies that stream_enc and
dc->bw_vbios might be null". They are used multiple times in the
subsequent code and need to be checked.

This fixes 10 FORWARD_NULL issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49920

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49921
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check null pointers before used

[WHAT & HOW]
Poniters, such as dc->clk_mgr, are null checked previously in the same
function, so Coverity warns "implies that "dc->clk_mgr" might be null".
As a result, these pointers need to be checked when used again.

This fixes 10 FORWARD_NULL issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49921

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49922
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check null pointers before using them

[WHAT & HOW]
These pointers are null checked previously in the same function,
indicating they might be null as reported by Coverity. As a result,
they need to be checked when used again.

This fixes 3 FORWARD_NULL issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49922

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49923
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags

[WHAT & HOW]
"dcn20_validate_apply_pipe_split_flags" dereferences merge, and thus it
cannot be a null pointer. Let's pass a valid pointer to avoid null
dereference.

This fixes 2 FORWARD_NULL issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49923

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49924
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fbdev: pxafb: Fix possible use after free in pxafb_task()

In the pxafb_probe function, it calls the pxafb_init_fbinfo function,
after which &fbi->task is associated with pxafb_task. Moreover,
within this pxafb_init_fbinfo function, the pxafb_blank function
within the &pxafb_ops struct is capable of scheduling work.

If we remove the module which will call pxafb_remove to make cleanup,
it will call unregister_framebuffer function which can call
do_unregister_framebuffer to free fbi->fb through
put_fb_info(fb_info), while the work mentioned above will be used.
The sequence of operations that may lead to a UAF bug is as follows:

CPU0                                                CPU1

                                   | pxafb_task
pxafb_remove                       |
unregister_framebuffer(info)       |
do_unregister_framebuffer(fb_info) |
put_fb_info(fb_info)               |
// free fbi->fb                    | set_ctrlr_state(fbi, state)
                                   | __pxafb_lcd_power(fbi, 0)
                                   | fbi->lcd_power(on, &fbi->fb.var)
                                   | //use fbi->fb

Fix it by ensuring that the work is canceled before proceeding
with the cleanup in pxafb_remove.

Note that only root user can remove the driver at runtime.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49924

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49925
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fbdev: efifb: Register sysfs groups through driver core

The driver core can register and cleanup sysfs groups already.
Make use of that functionality to simplify the error handling and
cleanup.

Also avoid a UAF race during unregistering where the sysctl attributes
were usable after the info struct was freed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49925

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49926
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()

For kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is
defined as NR_CPUS instead of the number of possible cpus, this
will cause the following system panic:

smpboot: Allowing 4 CPUs, 0 hotplug CPUs
...
setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1
...
BUG: unable to handle page fault for address: ffffffff9911c8c8
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W
6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6
RIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0
RSP: 0018:ffffa371c00a3e60 EFLAGS: 00010082
CR2: ffffffff9911c8c8 CR3: 000000040fa20005 CR4: 00000000001706f0
Call Trace:
<TASK>
? __die+0x23/0x80
? page_fault_oops+0xa4/0x180
? exc_page_fault+0x152/0x180
? asm_exc_page_fault+0x26/0x40
? rcu_tasks_need_gpcb+0x25d/0x2c0
? __pfx_rcu_tasks_kthread+0x40/0x40
rcu_tasks_one_gp+0x69/0x180
rcu_tasks_kthread+0x94/0xc0
kthread+0xe8/0x140
? __pfx_kthread+0x40/0x40
ret_from_fork+0x34/0x80
? __pfx_kthread+0x40/0x40
ret_from_fork_asm+0x1b/0x80
</TASK>

Considering that there may be holes in the CPU numbers, use the
maximum possible cpu number, instead of nr_cpu_ids, for configuring
enqueue and dequeue limits.

[ neeraj.upadhyay: Fix htmldocs build error reported by Stephen Rothwell ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49926

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49927
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/ioapic: Handle allocation failures gracefully

Breno observed panics when using failslab under certain conditions during
runtime:

   can not alloc irq_pin_list (-1,0,20)
   Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed

   panic+0x4e9/0x590
   mp_irqdomain_alloc+0x9ab/0xa80
   irq_domain_alloc_irqs_locked+0x25d/0x8d0
   __irq_domain_alloc_irqs+0x80/0x110
   mp_map_pin_to_irq+0x645/0x890
   acpi_register_gsi_ioapic+0xe6/0x150
   hpet_open+0x313/0x480

That's a pointless panic which is a leftover of the historic IO/APIC code
which panic'ed during early boot when the interrupt allocation failed.

The only place which might justify panic is the PIT/HPET timer_check() code
which tries to figure out whether the timer interrupt is delivered through
the IO/APIC. But that code does not require to handle interrupt allocation
failures. If the interrupt cannot be allocated then timer delivery fails
and it either panics due to that or falls back to legacy mode.

Cure this by removing the panic wrapper around __add_pin_to_irq_node() and
making mp_irqdomain_alloc() aware of the failure condition and handle it as
any other failure in this function gracefully.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49927

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49928
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: avoid reading out of bounds when loading TX power FW elements

Because the loop-expression will do one more time before getting false from
cond-expression, the original code copied one more entry size beyond valid
region.

Fix it by moving the entry copy to loop-body.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49928

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49929
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: avoid NULL pointer dereference

iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta
pointer is not NULL.
It retrieves this pointer using iwl_mvm_sta_from_mac80211, which is
dereferencing the ieee80211_sta pointer.
If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL
pointer.
Fix this by checking the sta pointer before retrieving the mvmsta
from it. If sta is not NULL, then mvmsta isn't either.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49929

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49930
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix array out-of-bound access in SoC stats

Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx()
function access ath11k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To fix
this issue, modify ath11k_dp_process_rx() to use the normal ring ID
directly instead of the SRNG ring ID to avoid out-of-bounds array access.

Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49930

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49931
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix array out-of-bound access in SoC stats

Currently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process()
function access ath12k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To
fix this issue, modify ath12k_dp_rx_process() to use the normal ring ID
directly instead of the SRNG ring ID to avoid out-of-bounds array access.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49931

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49932
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't readahead the relocation inode on RST

On relocation we're doing readahead on the relocation inode, but if the
filesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to
preallocated extents not being mapped in the RST) from the lookup.

But readahead doesn't handle the error and submits invalid reads to the
device, causing an assertion in the scatter-gather list code:

  BTRFS info (device nvme1n1): balance: start -d -m -s
  BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0
  BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0
  ------------[ cut here ]------------
  kernel BUG at include/linux/scatterlist.h:115!
  Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
  CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567
  RIP: 0010:__blk_rq_map_sg+0x339/0x4a0
  RSP: 0018:ffffc90001a43820 EFLAGS: 00010202
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802
  RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000
  RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8
  R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000
  FS:  00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0
  Call Trace:
   <TASK>
   ? __die_body.cold+0x14/0x25
   ? die+0x2e/0x50
   ? do_trap+0xca/0x110
   ? do_error_trap+0x65/0x80
   ? __blk_rq_map_sg+0x339/0x4a0
   ? exc_invalid_op+0x50/0x70
   ? __blk_rq_map_sg+0x339/0x4a0
   ? asm_exc_invalid_op+0x1a/0x20
   ? __blk_rq_map_sg+0x339/0x4a0
   nvme_prep_rq.part.0+0x9d/0x770
   nvme_queue_rq+0x7d/0x1e0
   __blk_mq_issue_directly+0x2a/0x90
   ? blk_mq_get_budget_and_tag+0x61/0x90
   blk_mq_try_issue_list_directly+0x56/0xf0
   blk_mq_flush_plug_list.part.0+0x52b/0x5d0
   __blk_flush_plug+0xc6/0x110
   blk_finish_plug+0x28/0x40
   read_pages+0x160/0x1c0
   page_cache_ra_unbounded+0x109/0x180
   relocate_file_extent_cluster+0x611/0x6a0
   ? btrfs_search_slot+0xba4/0xd20
   ? balance_dirty_pages_ratelimited_flags+0x26/0xb00
   relocate_data_extent.constprop.0+0x134/0x160
   relocate_block_group+0x3f2/0x500
   btrfs_relocate_block_group+0x250/0x430
   btrfs_relocate_chunk+0x3f/0x130
   btrfs_balance+0x71b/0xef0
   ? kmalloc_trace_noprof+0x13b/0x280
   btrfs_ioctl+0x2c2e/0x3030
   ? kvfree_call_rcu+0x1e6/0x340
   ? list_lru_add_obj+0x66/0x80
   ? mntput_no_expire+0x3a/0x220
   __x64_sys_ioctl+0x96/0xc0
   do_syscall_64+0x54/0x110
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
  RIP: 0033:0x7fcc04514f9b
  Code: Unable to access opcode bytes at 0x7fcc04514f71.
  RSP: 002b:00007ffeba923370 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcc04514f9b
  RDX: 00007ffeba923460 RSI: 00000000c4009420 RDI: 0000000000000003
  RBP: 0000000000000000 R08: 0000000000000013 R09: 0000000000000001
  R10: 00007fcc043fbba8 R11: 0000000000000246 R12: 00007ffeba924fc5
  R13: 00007ffeba923460 R14: 0000000000000002 R15: 00000000004d4bb0
   </TASK>
  Modules linked in:
  ---[ end trace 0000000000000000 ]---
  RIP: 0010:__blk_rq_map_sg+0x339/0x4a0
  RSP: 0018:ffffc90001a43820 EFLAGS: 00010202
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802
  RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000
  RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8
  R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000
  FS:  00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fcc04514f71 CR3: 00000001109ea001 CR4: 0000000000370eb0
  Kernel p
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49932

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49933
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

blk_iocost: fix more out of bound shifts

Recently running UBSAN caught few out of bound shifts in the
ioc_forgive_debts() function:

UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
Call Trace:
<IRQ>
dump_stack_lvl+0xca/0x130
__ubsan_handle_shift_out_of_bounds+0x22c/0x280
? __lock_acquire+0x6441/0x7c10
ioc_timer_fn+0x6cec/0x7750
? blk_iocost_init+0x720/0x720
? call_timer_fn+0x5d/0x470
call_timer_fn+0xfa/0x470
? blk_iocost_init+0x720/0x720
__run_timer_base+0x519/0x700
...

Actual impact of this issue was not identified but I propose to fix the
undefined behaviour.
The proposed fix to prevent those out of bound shifts consist of
precalculating exponent before using it the shift operations by taking
min value from the actual exponent and maximum possible number of bits.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49933

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49934
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name

It's observed that a crash occurs during hot-remove a memory device,
in which user is accessing the hugetlb. See calltrace as following:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790
Modules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s
mirror dm_region_hash dm_log dm_mod
CPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:do_user_addr_fault+0x2a0/0x790
Code: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41
RSP: 0000:ffffc90000a575f0 EFLAGS: 00010046
RAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658
R13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000
FS:  00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? __warn+0x8d/0x190
 ? do_user_addr_fault+0x2a0/0x790
 ? report_bug+0x1c3/0x1d0
 ? handle_bug+0x3c/0x70
 ? exc_invalid_op+0x14/0x70
 ? asm_exc_invalid_op+0x16/0x20
 ? do_user_addr_fault+0x2a0/0x790
 ? exc_page_fault+0x31/0x200
 exc_page_fault+0x68/0x200
<...snip...>
BUG: unable to handle page fault for address: 0000000000001000
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0
 Oops: Oops: 0000 [#1] PREEMPT SMP PTI
 ---[ end trace 0000000000000000 ]---
 BUG: unable to handle page fault for address: 0000000000001000
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0
 Oops: Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G        W          6.10.0-rc2-lizhijian+ #492
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
 RIP: 0010:dentry_name+0x1f4/0x440
<...snip...>
? dentry_name+0x2fa/0x440
vsnprintf+0x1f3/0x4f0
vprintk_store+0x23a/0x540
vprintk_emit+0x6d/0x330
_printk+0x58/0x80
dump_mapping+0x10b/0x1a0
? __pfx_free_object_rcu+0x10/0x10
__dump_page+0x26b/0x3e0
? vprintk_emit+0xe0/0x330
? _printk+0x58/0x80
? dump_page+0x17/0x50
dump_page+0x17/0x50
do_migrate_range+0x2f7/0x7f0
? do_migrate_range+0x42/0x7f0
? offline_pages+0x2f4/0x8c0
offline_pages+0x60a/0x8c0
memory_subsys_offline+0x9f/0x1c0
? lockdep_hardirqs_on+0x77/0x100
? _raw_spin_unlock_irqrestore+0x38/0x60
device_offline+0xe3/0x110
state_store+0x6e/0xc0
kernfs_fop_write_iter+0x143/0x200
vfs_write+0x39f/0x560
ksys_write+0x65/0xf0
do_syscall_64+0x62/0x130

Previously, some sanity check have been done in dump_mapping() before
the print facility parsing '%pd' though, it's still possible to run into
an invalid dentry.d_name.name.

Since dump_mapping() only needs to dump the filename only, retrieve it
by itself in a safer way to prevent an unnecessary crash.

Note that either retrieving the filename with '%pd' or
strncpy_from_kernel_nofault(), the filename could be unreliable.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: PHYSICAL
VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49934

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49935
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ACPI: PAD: fix crash in exit_round_robin()

The kernel occasionally crashes in cpumask_clear_cpu(), which is called
within exit_round_robin(), because when executing clear_bit(nr, addr) with
nr set to 0xffffffff, the address calculation may cause misalignment within
the memory, leading to access to an invalid memory address.

----------
BUG: unable to handle kernel paging request at ffffffffe0740618
        ...
CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G           OE  X --------- -  - 4.18.0-425.19.2.el8_7.x86_64 #1
        ...
RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31
RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8
R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e
FS:  0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ? acpi_pad_add+0x120/0x120 [acpi_pad]
 kthread+0x10b/0x130
 ? set_kthread_struct+0x50/0x50
 ret_from_fork+0x1f/0x40
        ...
CR2: ffffffffe0740618

crash> dis -lr ffffffffc0726923
        ...
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114
0xffffffffc0726918 <power_saving_thread+776>:	mov    %r12d,%r12d
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325
0xffffffffc072691b <power_saving_thread+779>:	mov    -0x3f8d7de0(,%r12,4),%eax
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80
0xffffffffc0726923 <power_saving_thread+787>:	lock btr %rax,0x19cf4(%rip)        # 0xffffffffc0740620 <pad_busy_cpus_bits>

crash> px tsk_in_cpu[14]
$66 = 0xffffffff

crash> px 0xffffffffc072692c+0x19cf4
$99 = 0xffffffffc0740620

crash> sym 0xffffffffc0740620
ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]

crash> px pad_busy_cpus_bits[0]
$42 = 0xfffc0
----------

To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling
cpumask_clear_cpu() in exit_round_robin(), just as it is done in
round_robin_cpu().

[ rjw: Subject edit, avoid updates to the same value ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49935

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49936
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/xen-netback: prevent UAF in xenvif_flush_hash()

During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,
kfree_rcu does not exist inside the rcu read critical section, so if
kfree_rcu is called when the rcu grace period ends during the iteration,
UAF occurs when accessing head->next after the entry becomes free.

Therefore, to solve this, you need to change it to list_for_each_entry_safe.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49936

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49937
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: Set correct chandef when starting CAC

When starting CAC in a mode other than AP mode, it return a
"WARNING: CPU: 0 PID: 63 at cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]"
caused by the chandef.chan being null at the end of CAC.

Solution: Ensure the channel definition is set for the different modes
when starting CAC to avoid getting a NULL 'chan' at the end of CAC.

 Call Trace:
  ? show_regs.part.0+0x14/0x16
  ? __warn+0x67/0xc0
  ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
  ? report_bug+0xa7/0x130
  ? exc_overflow+0x30/0x30
  ? handle_bug+0x27/0x50
  ? exc_invalid_op+0x18/0x60
  ? handle_exception+0xf6/0xf6
  ? exc_overflow+0x30/0x30
  ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
  ? exc_overflow+0x30/0x30
  ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
  ? regulatory_propagate_dfs_state.cold+0x1b/0x4c [cfg80211]
  ? cfg80211_propagate_cac_done_wk+0x1a/0x30 [cfg80211]
  ? process_one_work+0x165/0x280
  ? worker_thread+0x120/0x3f0
  ? kthread+0xc2/0xf0
  ? process_one_work+0x280/0x280
  ? kthread_complete_and_exit+0x20/0x20
  ? ret_from_fork+0x19/0x24

[shorten subject, remove OCB, reorder cases to match previous list]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49937

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49938
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit

Syzbot points out that skb_trim() has a sanity check on the existing length of
the skb, which can be uninitialised in some error paths. The intent here is
clearly just to reset the length to zero before resubmitting, so switch to
calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()
already contains a call to skb_reset_tail_pointer(), so remove the redundant
call.

The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar
usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49938

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49939
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: avoid to add interface to list twice when SER

If SER L2 occurs during the WoWLAN resume flow, the add interface flow
is triggered by ieee80211_reconfig(). However, due to
rtw89_wow_resume() return failure, it will cause the add interface flow
to be executed again, resulting in a double add list and causing a kernel
panic. Therefore, we have added a check to prevent double adding of the
list.

list_add double add: new=ffff99d6992e2010, prev=ffff99d6992e2010, next=ffff99d695302628.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:37!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G        W  O       6.6.30-02659-gc18865c4dfbd #1 770df2933251a0e3c888ba69d1053a817a6376a7
Hardware name: HP Grunt/Grunt, BIOS Google_Grunt.11031.169.0 06/24/2021
Workqueue: events_freezable ieee80211_restart_work [mac80211]
RIP: 0010:__list_add_valid_or_report+0x5e/0xb0
Code: c7 74 18 48 39 ce 74 13 b0 01 59 5a 5e 5f 41 58 41 59 41 5a 5d e9 e2 d6 03 00 cc 48 c7 c7 8d 4f 17 83 48 89 c2 e8 02 c0 00 00 <0f> 0b 48 c7 c7 aa 8c 1c 83 e8 f4 bf 00 00 0f 0b 48 c7 c7 c8 bc 12
RSP: 0018:ffffa91b8007bc50 EFLAGS: 00010246
RAX: 0000000000000058 RBX: ffff99d6992e0900 RCX: a014d76c70ef3900
RDX: ffffa91b8007bae8 RSI: 00000000ffffdfff RDI: 0000000000000001
RBP: ffffa91b8007bc88 R08: 0000000000000000 R09: ffffa91b8007bae0
R10: 00000000ffffdfff R11: ffffffff83a79800 R12: ffff99d695302060
R13: ffff99d695300900 R14: ffff99d6992e1be0 R15: ffff99d6992e2010
FS:  0000000000000000(0000) GS:ffff99d6aac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000078fbdba43480 CR3: 000000010e464000 CR4: 00000000001506f0
Call Trace:
 <TASK>
 ? __die_body+0x1f/0x70
 ? die+0x3d/0x60
 ? do_trap+0xa4/0x110
 ? __list_add_valid_or_report+0x5e/0xb0
 ? do_error_trap+0x6d/0x90
 ? __list_add_valid_or_report+0x5e/0xb0
 ? handle_invalid_op+0x30/0x40
 ? __list_add_valid_or_report+0x5e/0xb0
 ? exc_invalid_op+0x3c/0x50
 ? asm_exc_invalid_op+0x16/0x20
 ? __list_add_valid_or_report+0x5e/0xb0
 rtw89_ops_add_interface+0x309/0x310 [rtw89_core 7c32b1ee6854761c0321027c8a58c5160e41f48f]
 drv_add_interface+0x5c/0x130 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
 ieee80211_reconfig+0x241/0x13d0 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
 ? finish_wait+0x3e/0x90
 ? synchronize_rcu_expedited+0x174/0x260
 ? sync_rcu_exp_done_unlocked+0x50/0x50
 ? wake_bit_function+0x40/0x40
 ieee80211_restart_work+0xf0/0x140 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
 process_scheduled_works+0x1e5/0x480
 worker_thread+0xea/0x1e0
 kthread+0xdb/0x110
 ? move_linked_works+0x90/0x90
 ? kthread_associate_blkcg+0xa0/0xa0
 ret_from_fork+0x3b/0x50
 ? kthread_associate_blkcg+0xa0/0xa0
 ret_from_fork_asm+0x11/0x20
 </TASK>
Modules linked in: dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc rfcomm cmac uinput algif_hash algif_skcipher af_alg btusb btrtl iio_trig_hrtimer industrialio_sw_trigger btmtk industrialio_configfs btbcm btintel uvcvideo videobuf2_vmalloc iio_trig_sysfs videobuf2_memops videobuf2_v4l2 videobuf2_common uvc snd_hda_codec_hdmi veth snd_hda_intel snd_intel_dspcfg acpi_als snd_hda_codec industrialio_triggered_buffer kfifo_buf snd_hwdep industrialio i2c_piix4 snd_hda_core designware_i2s ip6table_nat snd_soc_max98357a xt_MASQUERADE xt_cgroup snd_soc_acp_rt5682_mach fuse rtw89_8922ae(O) rtw89_8922a(O) rtw89_pci(O) rtw89_core(O) 8021q mac80211(O) bluetooth ecdh_generic ecc cfg80211 r8152 mii joydev
gsmi: Log Shutdown Reason 0x03
---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49939

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49940
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

l2tp: prevent possible tunnel refcount underflow

When a session is created, it sets a backpointer to its tunnel. When
the session refcount drops to 0, l2tp_session_free drops the tunnel
refcount if session->tunnel is non-NULL. However, session->tunnel is
set in l2tp_session_create, before the tunnel refcount is incremented
by l2tp_session_register, which leaves a small window where
session->tunnel is non-NULL when the tunnel refcount hasn't been
bumped.

Moving the assignment to l2tp_session_register is trivial but
l2tp_session_create calls l2tp_session_set_header_len which uses
session->tunnel to get the tunnel's encap. Add an encap arg to
l2tp_session_set_header_len to avoid using session->tunnel.

If l2tpv3 sessions have colliding IDs, it is possible for
l2tp_v3_session_get to race with l2tp_session_register and fetch a
session which doesn't yet have session->tunnel set. Add a check for
this case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49940

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49941
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gpiolib: Fix potential NULL pointer dereference in gpiod_get_label()

In `gpiod_get_label()`, it is possible that `srcu_dereference_check()` may
return a NULL pointer, leading to a scenario where `label->str` is accessed
without verifying if `label` itself is NULL.

This patch adds a proper NULL check for `label` before accessing
`label->str`. The check for `label->str != NULL` is removed because
`label->str` can never be NULL if `label` is not NULL.

This fixes the issue where the label name was being printed as `(efault)`
when dumping the sysfs GPIO file when `label == NULL`.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49941

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49942
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Prevent null pointer access in xe_migrate_copy

xe_migrate_copy designed to copy content of TTM resources. When source
resource is null, it will trigger a NULL pointer dereference in
xe_migrate_copy. To avoid this situation, update lacks source flag to
true for this case, the flag will trigger xe_migrate_clear rather than
xe_migrate_copy.

Issue trace:
<7> [317.089847] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 14,
 sizes: 4194304 & 4194304
<7> [317.089945] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 15,
 sizes: 4194304 & 4194304
<1> [317.128055] BUG: kernel NULL pointer dereference, address:
 0000000000000010
<1> [317.128064] #PF: supervisor read access in kernel mode
<1> [317.128066] #PF: error_code(0x0000) - not-present page
<6> [317.128069] PGD 0 P4D 0
<4> [317.128071] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
<4> [317.128074] CPU: 1 UID: 0 PID: 1440 Comm: kunit_try_catch Tainted:
 G     U           N 6.11.0-rc7-xe #1
<4> [317.128078] Tainted: [U]=USER, [N]=TEST
<4> [317.128080] Hardware name: Intel Corporation Lunar Lake Client
 Platform/LNL-M LP5 RVP1, BIOS LNLMFWI1.R00.3221.D80.2407291239 07/29/2024
<4> [317.128082] RIP: 0010:xe_migrate_copy+0x66/0x13e0 [xe]
<4> [317.128158] Code: 00 00 48 89 8d e0 fe ff ff 48 8b 40 10 4c 89 85 c8
 fe ff ff 44 88 8d bd fe ff ff 65 48 8b 3c 25 28 00 00 00 48 89 7d d0 31
 ff <8b> 79 10 48 89 85 a0 fe ff ff 48 8b 00 48 89 b5 d8 fe ff ff 83 ff
<4> [317.128162] RSP: 0018:ffffc9000167f9f0 EFLAGS: 00010246
<4> [317.128164] RAX: ffff8881120d8028 RBX: ffff88814d070428 RCX:
 0000000000000000
<4> [317.128166] RDX: ffff88813cb99c00 RSI: 0000000004000000 RDI:
 0000000000000000
<4> [317.128168] RBP: ffffc9000167fbb8 R08: ffff88814e7b1f08 R09:
 0000000000000001
<4> [317.128170] R10: 0000000000000001 R11: 0000000000000001 R12:
 ffff88814e7b1f08
<4> [317.128172] R13: ffff88814e7b1f08 R14: ffff88813cb99c00 R15:
 0000000000000001
<4> [317.128174] FS:  0000000000000000(0000) GS:ffff88846f280000(0000)
 knlGS:0000000000000000
<4> [317.128176] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [317.128178] CR2: 0000000000000010 CR3: 000000011f676004 CR4:
 0000000000770ef0
<4> [317.128180] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
 0000000000000000
<4> [317.128182] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7:
 0000000000000400
<4> [317.128184] PKRU: 55555554
<4> [317.128185] Call Trace:
<4> [317.128187]  <TASK>
<4> [317.128189]  ? show_regs+0x67/0x70
<4> [317.128194]  ? __die_body+0x20/0x70
<4> [317.128196]  ? __die+0x2b/0x40
<4> [317.128198]  ? page_fault_oops+0x15f/0x4e0
<4> [317.128203]  ? do_user_addr_fault+0x3fb/0x970
<4> [317.128205]  ? lock_acquire+0xc7/0x2e0
<4> [317.128209]  ? exc_page_fault+0x87/0x2b0
<4> [317.128212]  ? asm_exc_page_fault+0x27/0x30
<4> [317.128216]  ? xe_migrate_copy+0x66/0x13e0 [xe]
<4> [317.128263]  ? __lock_acquire+0xb9d/0x26f0
<4> [317.128265]  ? __lock_acquire+0xb9d/0x26f0
<4> [317.128267]  ? sg_free_append_table+0x20/0x80
<4> [317.128271]  ? lock_acquire+0xc7/0x2e0
<4> [317.128273]  ? mark_held_locks+0x4d/0x80
<4> [317.128275]  ? trace_hardirqs_on+0x1e/0xd0
<4> [317.128278]  ? _raw_spin_unlock_irqrestore+0x31/0x60
<4> [317.128281]  ? __pm_runtime_resume+0x60/0xa0
<4> [317.128284]  xe_bo_move+0x682/0xc50 [xe]
<4> [317.128315]  ? lock_is_held_type+0xaa/0x120
<4> [317.128318]  ttm_bo_handle_move_mem+0xe5/0x1a0 [ttm]
<4> [317.128324]  ttm_bo_validate+0xd1/0x1a0 [ttm]
<4> [317.128328]  shrink_test_run_device+0x721/0xc10 [xe]
<4> [317.128360]  ? find_held_lock+0x31/0x90
<4> [317.128363]  ? lock_release+0xd1/0x2a0
<4> [317.128365]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
 [kunit]
<4> [317.128370]  xe_bo_shrink_kunit+0x11/0x20 [xe]
<4> [317.128397]  kunit_try_run_case+0x6e/0x150 [kunit]
<4> [317.128400]  ? trace_hardirqs_on+0x1e/0xd0
<4> [317.128402]  ? _raw_spin_unlock_irqrestore+0x31/0x60
<4> [317.128404]  kunit_generic_run_threadfn_adapter+0x1e/0x40 [ku
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49942

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49943
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe/guc_submit: add missing locking in wedged_fini

Any non-wedged queue can have a zero refcount here and can be running
concurrently with an async queue destroy, therefore dereferencing the
queue ptr to check wedge status after the lookup can trigger UAF if
queue is not wedged.  Fix this by keeping the submission_state lock held
around the check to postpone the free and make the check safe, before
dropping again around the put() to avoid the deadlock.

(cherry picked from commit d28af0b6b9580b9f90c265a7da0315b0ad20bbfd)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49943

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49944
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start

In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.

Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
is NULL.

  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
  Call Trace:
   <TASK>
   __sys_listen_socket net/socket.c:1883 [inline]
   __sys_listen+0x1b7/0x230 net/socket.c:1894
   __do_sys_listen net/socket.c:1902 [inline]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49944

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49945
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/ncsi: Disable the ncsi work before freeing the associated structure

The work function can run after the ncsi device is freed, resulting
in use-after-free bugs or kernel panic.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49945

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49946
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ppp: do not assume bh is held in ppp_channel_bridge_input()

Networking receive path is usually handled from BH handler.
However, some protocols need to acquire the socket lock, and
packets might be stored in the socket backlog is the socket was
owned by a user process.

In this case, release_sock(), __release_sock(), and sk_backlog_rcv()
might call the sk->sk_backlog_rcv() handler in process context.

sybot caught ppp was not considering this case in
ppp_channel_bridge_input() :

WARNING: inconsistent lock state
6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:
 ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
 ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
{SOFTIRQ-ON-W} state was registered at:
   lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
   _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
   spin_lock include/linux/spinlock.h:351 [inline]
   ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
   ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
   pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
   sk_backlog_rcv include/net/sock.h:1111 [inline]
   __release_sock+0x1a8/0x3d8 net/core/sock.c:3004
   release_sock+0x68/0x1b8 net/core/sock.c:3558
   pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg net/socket.c:745 [inline]
   __sys_sendto+0x374/0x4f4 net/socket.c:2204
   __do_sys_sendto net/socket.c:2216 [inline]
   __se_sys_sendto net/socket.c:2212 [inline]
   __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212
   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
   invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
   el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
   do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
   el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
   el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 282914
 hardirqs last  enabled at (282914): [<ffff80008b42e30c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
 hardirqs last  enabled at (282914): [<ffff80008b42e30c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
 hardirqs last disabled at (282913): [<ffff80008b42e13c>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
 hardirqs last disabled at (282913): [<ffff80008b42e13c>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
 softirqs last  enabled at (282904): [<ffff8000801f8e88>] softirq_handle_end kernel/softirq.c:400 [inline]
 softirqs last  enabled at (282904): [<ffff8000801f8e88>] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582
 softirqs last disabled at (282909): [<ffff8000801fbdf8>] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&pch->downl);
  <Interrupt>
    lock(&pch->downl);

 *** DEADLOCK ***

1 lock held by ksoftirqd/1/24:
  #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325

stack backtrace:
CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call trace:
  dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
  show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
  __dump_sta
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49946

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49947
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: test for not too small csum_start in virtio_net_hdr_to_skb()

syzbot was able to trigger this warning [1], after injecting a
malicious packet through af_packet, setting skb->csum_start and thus
the transport header to an incorrect value.

We can at least make sure the transport header is after
the end of the network header (with a estimated minimal size).

[1]
[   67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0
mac=(-1,-1) mac_len=0 net=(16,-6) trans=10
shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
csum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0)
hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0
priority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0
encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
[   67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9
[   67.877764] sk family=17 type=3 proto=0
[   67.878279] skb linear:   00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00
[   67.879128] skb frag:     00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02
[   67.879877] skb frag:     00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.880647] skb frag:     00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00
[   67.881156] skb frag:     00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.881753] skb frag:     00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.882173] skb frag:     00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.882790] skb frag:     00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.883171] skb frag:     00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.883733] skb frag:     00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.884206] skb frag:     00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e
[   67.884704] skb frag:     000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00
[   67.885139] skb frag:     000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.885677] skb frag:     000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.886042] skb frag:     000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.886408] skb frag:     000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.887020] skb frag:     000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.887384] skb frag:     00000100: 00 00
[   67.887878] ------------[ cut here ]------------
[   67.887908] offset (-6) >= skb_headlen() (14)
[   67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[   67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs
[   67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011
[   67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[   67.891043] Call Trace:
[   67.891173]  <TASK>
[   67.891274] ? __warn (kernel/panic.c:741)
[   67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[   67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219)
[   67.891348] ? handle_bug (arch/x86/kernel/traps.c:239)
[   67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
[   67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
[   67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[   67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[   67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1))
[   67.891448] ? __ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 ne
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49947

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49948
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: add more sanity checks to qdisc_pkt_len_init()

One path takes care of SKB_GSO_DODGY, assuming
skb->len is bigger than hdr_len.

virtio_net_hdr_to_skb() does not fully dissect TCP headers,
it only make sure it is at least 20 bytes.

It is possible for an user to provide a malicious 'GSO' packet,
total length of 80 bytes.

- 20 bytes of IPv4 header
- 60 bytes TCP header
- a small gso_size like 8

virtio_net_hdr_to_skb() would declare this packet as a normal
GSO packet, because it would see 40 bytes of payload,
bigger than gso_size.

We need to make detect this case to not underflow
qdisc_skb_cb(skb)->pkt_len.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49948

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49949
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
requests coming from user") virtio_net_hdr_to_skb() had sanity check
to detect malicious attempts from user space to cook a bad GSO packet.

Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
transport header in UFO") while fixing one issue, allowed user space
to cook a GSO packet with the following characteristic :

IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.

When this packet arrives in qdisc_pkt_len_init(), we end up
with hdr_len = 28 (IPv4 header + UDP header), matching skb->len

Then the following sets gso_segs to 0 :

gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
                        shinfo->gso_size);

Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/

qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

This leads to the following crash in fq_codel [1]

qdisc_pkt_len_init() is best effort, we only want an estimation
of the bytes sent on the wire, not crashing the kernel.

This patch is fixing this particular issue, a following one
adds more sanity checks for another potential bug.

[1]
[   70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   70.724561] #PF: supervisor read access in kernel mode
[   70.724561] #PF: error_code(0x0000) - not-present page
[   70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
[   70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
[   70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
[   70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
All code
========
   0:	24 08                	and    $0x8,%al
   2:	49 c1 e1 06          	shl    $0x6,%r9
   6:	44 89 7c 24 18       	mov    %r15d,0x18(%rsp)
   b:	45 31 ed             	xor    %r13d,%r13d
   e:	45 31 c0             	xor    %r8d,%r8d
  11:	31 ff                	xor    %edi,%edi
  13:	89 44 24 14          	mov    %eax,0x14(%rsp)
  17:	4c 03 8b 90 01 00 00 	add    0x190(%rbx),%r9
  1e:	eb 04                	jmp    0x24
  20:	39 ca                	cmp    %ecx,%edx
  22:	73 37                	jae    0x5b
  24:	4d 8b 39             	mov    (%r9),%r15
  27:	83 c7 01             	add    $0x1,%edi
  2a:*	49 8b 17             	mov    (%r15),%rdx		<-- trapping instruction
  2d:	49 89 11             	mov    %rdx,(%r9)
  30:	41 8b 57 28          	mov    0x28(%r15),%edx
  34:	45 8b 5f 34          	mov    0x34(%r15),%r11d
  38:	49 c7 07 00 00 00 00 	movq   $0x0,(%r15)
  3f:	49                   	rex.WB

Code starting with the faulting instruction
===========================================
   0:	49 8b 17             	mov    (%r15),%rdx
   3:	49 89 11             	mov    %rdx,(%r9)
   6:	41 8b 57 28          	mov    0x28(%r15),%edx
   a:	45 8b 5f 34          	mov    0x34(%r15),%r11d
   e:	49 c7 07 00 00 00 00 	movq   $0x0,(%r15)
  15:	49                   	rex.WB
[   70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
[   70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
[   70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
[   70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
[   70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
[   70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
[   70.724561] FS:  000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
[   70.724561] CS:  0010 DS: 0000 ES: 0000 C
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49949

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49950
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix uaf in l2cap_connect

[Syzbot reported]
BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54

CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci2 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
 l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
 hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
...

Freed by task 5245:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2256 [inline]
 slab_free mm/slub.c:4477 [inline]
 kfree+0x12a/0x3b0 mm/slub.c:4598
 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
 l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49950

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49951
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix possible crash on mgmt_index_removed

If mgmt_index_removed is called while there are commands queued on
cmd_sync it could lead to crashes like the bellow trace:

0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc
0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth]
0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth]
0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth]

So while handling mgmt_index_removed this attempts to dequeue
commands passed as user_data to cmd_sync.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49951

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49952
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: prevent nf_skb_duplicated corruption

syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write
per-cpu variable nf_skb_duplicated in an unsafe way [1].

Disabling preemption as hinted by the splat is not enough,
we have to disable soft interrupts as well.

[1]
BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
 caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
  __dump_stack lib/dump_stack.c:93 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
  check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49
  nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
  nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30
  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
  nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
  nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
  nf_hook+0x2c4/0x450 include/linux/netfilter.h:269
  NF_HOOK_COND include/linux/netfilter.h:302 [inline]
  ip_output+0x185/0x230 net/ipv4/ip_output.c:433
  ip_local_out net/ipv4/ip_output.c:129 [inline]
  ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495
  udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981
  udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg+0x1a6/0x270 net/socket.c:745
  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
  ___sys_sendmsg net/socket.c:2651 [inline]
  __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
  __do_sys_sendmmsg net/socket.c:2766 [inline]
  __se_sys_sendmmsg net/socket.c:2763 [inline]
  __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4ce4f7def9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9
RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006
RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68
 </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49952

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49953
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice

The km.state is not checked in driver's delayed work. When
xfrm_state_check_expire() is called, the state can be reset to
XFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This
happens when xfrm state is deleted, but not freed yet. As
__xfrm_state_delete() is called again in xfrm timer, the following
crash occurs.

To fix this issue, skip xfrm_state_check_expire() if km.state is not
XFRM_STATE_VALID.

 Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP
 CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core]
 RIP: 0010:__xfrm_state_delete+0x3d/0x1b0
 Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48
 RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246
 RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036
 RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980
 RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000
 R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246
 R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400
 FS:  0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <IRQ>
  ? die_addr+0x33/0x90
  ? exc_general_protection+0x1a2/0x390
  ? asm_exc_general_protection+0x22/0x30
  ? __xfrm_state_delete+0x3d/0x1b0
  ? __xfrm_state_delete+0x2f/0x1b0
  xfrm_timer_handler+0x174/0x350
  ? __xfrm_state_delete+0x1b0/0x1b0
  __hrtimer_run_queues+0x121/0x270
  hrtimer_run_softirq+0x88/0xd0
  handle_softirqs+0xcc/0x270
  do_softirq+0x3c/0x50
  </IRQ>
  <TASK>
  __local_bh_enable_ip+0x47/0x50
  mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core]
  process_one_work+0x137/0x2d0
  worker_thread+0x28d/0x3a0
  ? rescuer_thread+0x480/0x480
  kthread+0xb8/0xe0
  ? kthread_park+0x80/0x80
  ret_from_fork+0x2d/0x50
  ? kthread_park+0x80/0x80
  ret_from_fork_asm+0x11/0x20
  </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49953

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49954
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

static_call: Replace pointless WARN_ON() in static_call_module_notify()

static_call_module_notify() triggers a WARN_ON(), when memory allocation
fails in __static_call_add_module().

That's not really justified, because the failure case must be correctly
handled by the well known call chain and the error code is passed
through to the initiating userspace application.

A memory allocation fail is not a fatal problem, but the WARN_ON() takes
the machine out when panic_on_warn is set.

Replace it with a pr_warn().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49954

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49955
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ACPI: battery: Fix possible crash when unregistering a battery hook

When a battery hook returns an error when adding a new battery, then
the battery hook is automatically unregistered.
However the battery hook provider cannot know that, so it will later
call battery_hook_unregister() on the already unregistered battery
hook, resulting in a crash.

Fix this by using the list head to mark already unregistered battery
hooks as already being unregistered so that they can be ignored by
battery_hook_unregister().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49955

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49956
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gfs2: fix double destroy_workqueue error

When gfs2_fill_super() fails, destroy_workqueue() is called within
gfs2_gl_hash_clear(), and the subsequent code path calls
destroy_workqueue() on the same work queue again.

This issue can be fixed by setting the work queue pointer to NULL after
the first destroy_workqueue() call and checking for a NULL pointer
before attempting to destroy the work queue again.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49956

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49957
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix null-ptr-deref when journal load failed.

During the mounting process, if journal_reset() fails because of too short
journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. 
Subsequently, ocfs2_journal_shutdown() calls
jbd2_journal_flush()->jbd2_cleanup_journal_tail()->
__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail()
->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer
dereference error.

To resolve this issue, we should check the JBD2_LOADED flag to ensure the
journal was properly loaded.  Additionally, use journal instead of
osb->journal directly to simplify the code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49957

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49958
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: reserve space for inline xattr before attaching reflink tree

One of our customers reported a crash and a corrupted ocfs2 filesystem. 
The crash was due to the detection of corruption.  Upon troubleshooting,
the fsck -fn output showed the below corruption

[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,
but fsck believes the largest valid value is 227.  Clamp the next record value? n

The stat output from the debugfs.ocfs2 showed the following corruption
where the "Next Free Rec:" had overshot the "Count:" in the root metadata
block.

        Inode: 33080590   Mode: 0640   Generation: 2619713622 (0x9c25a856)
        FS Generation: 904309833 (0x35e6ac49)
        CRC32: 00000000   ECC: 0000
        Type: Regular   Attr: 0x0   Flags: Valid
        Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
        Extended Attributes Block: 0  Extended Attributes Inline Size: 256
        User: 0 (root)   Group: 0 (root)   Size: 281320357888
        Links: 1   Clusters: 141738
        ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
        atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
        mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
        dtime: 0x0 -- Wed Dec 31 17:00:00 1969
        Refcount Block: 2777346
        Last Extblk: 2886943   Orphan Slot: 0
        Sub Alloc Slot: 0   Sub Alloc Bit: 14
        Tree Depth: 1   Count: 227   Next Free Rec: 230
        ## Offset        Clusters       Block#
        0  0             2310           2776351
        1  2310          2139           2777375
        2  4449          1221           2778399
        3  5670          731            2779423
        4  6401          566            2780447
        .......          ....           .......
        .......          ....           .......

The issue was in the reflink workfow while reserving space for inline
xattr.  The problematic function is ocfs2_reflink_xattr_inline().  By the
time this function is called the reflink tree is already recreated at the
destination inode from the source inode.  At this point, this function
reserves space for inline xattrs at the destination inode without even
checking if there is space at the root metadata block.  It simply reduces
the l_count from 243 to 227 thereby making space of 256 bytes for inline
xattr whereas the inode already has extents beyond this index (in this
case up to 230), thereby causing corruption.

The fix for this is to reserve space for inline metadata at the destination
inode before the reflink tree gets recreated. The customer has verified the
fix.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49958

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49959
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error

In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()
to recover some journal space. But if an error occurs while executing
jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free
space right away, we try other branches, and if j_committing_transaction
is NULL (i.e., the tid is 0), we will get the following complain:

============================================
JBD2: I/O error when updating journal superblock for sdd-8.
__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
__jbd2_log_wait_for_space: no way to get more journal space in sdd-8
------------[ cut here ]------------
WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
Modules linked in:
CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
Call Trace:
 <TASK>
 add_transaction_credits+0x5d1/0x5e0
 start_this_handle+0x1ef/0x6a0
 jbd2__journal_start+0x18b/0x340
 ext4_dirty_inode+0x5d/0xb0
 __mark_inode_dirty+0xe4/0x5d0
 generic_update_time+0x60/0x70
[...]
============================================

So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to
clean up at the moment, continue to try to reclaim free space in other ways.

Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt
when updating journal superblock fails") to make jbd2_cleanup_journal_tail
return the correct error code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49959

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49960
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: fix timer use-after-free on failed mount

Syzbot has found an ODEBUG bug in ext4_fill_super

The del_timer_sync function cancels the s_err_report timer,
which reminds about filesystem errors daily. We should
guarantee the timer is no longer active before kfree(sbi).

When filesystem mounting fails, the flow goes to failed_mount3,
where an error occurs when ext4_stop_mmpd is called, causing
a read I/O failure. This triggers the ext4_handle_error function
that ultimately re-arms the timer,
leaving the s_err_report timer active before kfree(sbi) is called.

Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49960

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49961
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: i2c: ar0521: Use cansleep version of gpiod_set_value()

If we use GPIO reset from I2C port expander, we must use *_cansleep()
variant of GPIO functions.
This was not done in ar0521_power_on()/ar0521_power_off() functions.
Let's fix that.

------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x74/0x7c
Modules linked in:
CPU: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.10.0 #53
Hardware name: Diasom DS-RK3568-SOM-EVB (DT)
Workqueue: events_unbound deferred_probe_work_func
pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : gpiod_set_value+0x74/0x7c
lr : ar0521_power_on+0xcc/0x290
sp : ffffff8001d7ab70
x29: ffffff8001d7ab70 x28: ffffff80027dcc90 x27: ffffff8003c82000
x26: ffffff8003ca9250 x25: ffffffc080a39c60 x24: ffffff8003ca9088
x23: ffffff8002402720 x22: ffffff8003ca9080 x21: ffffff8003ca9088
x20: 0000000000000000 x19: ffffff8001eb2a00 x18: ffffff80efeeac80
x17: 756d2d6332692f30 x16: 0000000000000000 x15: 0000000000000000
x14: ffffff8001d91d40 x13: 0000000000000016 x12: ffffffc080e98930
x11: ffffff8001eb2880 x10: 0000000000000890 x9 : ffffff8001d7a9f0
x8 : ffffff8001d92570 x7 : ffffff80efeeac80 x6 : 000000003fc6e780
x5 : ffffff8001d91c80 x4 : 0000000000000002 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
 gpiod_set_value+0x74/0x7c
 ar0521_power_on+0xcc/0x290
...
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49961

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49962
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()

ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0

ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause
NULL pointer dereference later.

[ rjw: Subject and changelog edits ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49962

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49963
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mailbox: bcm2835: Fix timeout during suspend mode

During noirq suspend phase the Raspberry Pi power driver suffer of
firmware property timeouts. The reason is that the IRQ of the underlying
BCM2835 mailbox is disabled and rpi_firmware_property_list() will always
run into a timeout [1].

Since the VideoCore side isn't consider as a wakeup source, set the
IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled
during suspend-resume cycle.

[1]
PM: late suspend of devices complete after 1.754 msecs
WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128
 rpi_firmware_property_list+0x204/0x22c
Firmware transaction 0x00028001 timeout
Modules linked in:
CPU: 0 PID: 438 Comm: bash Tainted: G         C         6.9.3-dirty #17
Hardware name: BCM2835
Call trace:
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x34/0x44
dump_stack_lvl from __warn+0x88/0xec
__warn from warn_slowpath_fmt+0x7c/0xb0
warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c
rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c
rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0
rpi_firmware_set_power from _genpd_power_off+0xe4/0x148
_genpd_power_off from genpd_sync_power_off+0x7c/0x11c
genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0
genpd_finish_suspend from dpm_run_callback+0x78/0xd0
dpm_run_callback from device_suspend_noirq+0xc0/0x238
device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168
dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac
suspend_devices_and_enter from pm_suspend+0x254/0x2e4
pm_suspend from state_store+0xa8/0xd4
state_store from kernfs_fop_write_iter+0x154/0x1a0
kernfs_fop_write_iter from vfs_write+0x12c/0x184
vfs_write from ksys_write+0x78/0xc0
ksys_write from ret_fast_syscall+0x0/0x54
Exception stack(0xcc93dfa8 to 0xcc93dff0)
[...]
PM: noirq suspend of devices complete after 3095.584 msecs
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49963

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49964
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix memfd_pin_folios free_huge_pages leak

memfd_pin_folios followed by unpin_folios fails to restore free_huge_pages
if the pages were not already faulted in, because the folio refcount for
pages created by memfd_alloc_folio never goes to 0.  memfd_pin_folios
needs another folio_put to undo the folio_try_get below:

memfd_alloc_folio()
  alloc_hugetlb_folio_nodemask()
    dequeue_hugetlb_folio_nodemask()
      dequeue_hugetlb_folio_node_exact()
        folio_ref_unfreeze(folio, 1);    ; adds 1 refcount
  folio_try_get()                        ; adds 1 refcount
  hugetlb_add_to_page_cache()            ; adds 512 refcount (on x86)

With the fix, after memfd_pin_folios + unpin_folios, the refcount for the
(unfaulted) page is 512, which is correct, as the refcount for a faulted
unpinned page is 513.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49964

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49965
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: remove unreasonable unlock in ocfs2_read_blocks

Patch series "Misc fixes for ocfs2_read_blocks", v5.

This series contains 2 fixes for ocfs2_read_blocks().  The first patch fix
the issue reported by syzbot, which detects bad unlock balance in
ocfs2_read_blocks().  The second patch fixes an issue reported by Heming
Zhao when reviewing above fix.


This patch (of 2):

There was a lock release before exiting, so remove the unreasonable unlock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49965

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49966
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: cancel dqi_sync_work before freeing oinfo

ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the
end, if error occurs after successfully reading global quota, it will
trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled:

ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c

This reports that there is an active delayed work when freeing oinfo in
error handling, so cancel dqi_sync_work first.  BTW, return status instead
of -1 when .read_file_info fails.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49966

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49967
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: no need to continue when the number of entries is 1
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49967

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49968
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: filesystems without casefold feature cannot be mounted with siphash

When mounting the ext4 filesystem, if the default hash version is set to
DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49968

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49969
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix index out of bounds in DCN30 color transformation

This commit addresses a potential index out of bounds issue in the
`cm3_helper_translate_curve_to_hw_format` function in the DCN30 color
management module. The issue could occur when the index 'i' exceeds the
number of transfer function points (TRANSFER_FUNC_POINTS).

The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds, the function returns
false to indicate an error.

drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49969

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49970
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Implement bounds check for stream encoder creation in DCN401

'stream_enc_regs' array is an array of dcn10_stream_enc_registers
structures. The array is initialized with four elements, corresponding
to the four calls to stream_enc_regs() in the array initializer. This
means that valid indices for this array are 0, 1, 2, and 3.

The error message 'stream_enc_regs' 4 <= 5 below, is indicating that
there is an attempt to access this array with an index of 5, which is
out of bounds. This could lead to undefined behavior

Here, eng_id is used as an index to access the stream_enc_regs array. If
eng_id is 5, this would result in an out-of-bounds access on the
stream_enc_regs array.

Thus fixing Buffer overflow error in dcn401_stream_encoder_create

Found by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn401/dcn401_resource.c:1209 dcn401_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49970

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49971
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Increase array size of dummy_boolean

[WHY]
dml2_core_shared_mode_support and dml_core_mode_support access the third
element of dummy_boolean, i.e. hw_debug5 = &s->dummy_boolean[2], when
dummy_boolean has size of 2. Any assignment to hw_debug5 causes an
OVERRUN.

[HOW]
Increase dummy_boolean's array size to 3.

This fixes 2 OVERRUN issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49971

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49972
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Deallocate DML memory if allocation fails

[Why]
When DC state create DML memory allocation fails, memory is not
deallocated subsequently, resulting in uninitialized structure
that is not NULL.

[How]
Deallocate memory if DML memory allocation fails.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49972

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49973
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

r8169: add tally counter fields added with RTL8125

RTL8125 added fields to the tally counter, what may result in the chip
dma'ing these new fields to unallocated memory. Therefore make sure
that the allocated memory area is big enough to hold all of the
tally counter values, even if we use only parts of it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49973

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49974
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFSD: Limit the number of concurrent async COPY operations

Nothing appears to limit the number of concurrent async COPY
operations that clients can start. In addition, AFAICT each async
COPY can copy an unlimited number of 4MB chunks, so can run for a
long time. Thus IMO async COPY can become a DoS vector.

Add a restriction mechanism that bounds the number of concurrent
background COPY operations. Start simple and try to be fair -- this
patch implements a per-namespace limit.

An async COPY request that occurs while this limit is exceeded gets
NFS4ERR_DELAY. The requesting client can choose to send the request
again after a delay or fall back to a traditional read/write style
copy.

If there is need to make the mechanism more sophisticated, we can
visit that in future patches.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49974

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49975
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

uprobes: fix kernel info leak via "[uprobes]" vma

xol_add_vma() maps the uninitialized page allocated by __create_xol_area()
into userspace. On some architectures (x86) this memory is readable even
without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,
although this doesn't really matter, debugger can read this memory anyway.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49975

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49976
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing/timerlat: Drop interface_lock in stop_kthread()

stop_kthread() is the offline callback for "trace/osnoise:online", since
commit 5bfbcd1ee57b ("tracing/timerlat: Add interface_lock around clearing
of kthread in stop_kthread()"), the following ABBA deadlock scenario is
introduced:

T1                            | T2 [BP]               | T3 [AP]
osnoise_hotplug_workfn()      | work_for_cpu_fn()     | cpuhp_thread_fun()
                              |   _cpu_down()         |   osnoise_cpu_die()
  mutex_lock(&interface_lock) |                       |     stop_kthread()
                              |     cpus_write_lock() |       mutex_lock(&interface_lock)
  cpus_read_lock()            |     cpuhp_kick_ap()   |

As the interface_lock here in just for protecting the "kthread" field of
the osn_var, use xchg() instead to fix this issue. Also use
for_each_online_cpu() back in stop_per_cpu_kthreads() as it can take
cpu_read_lock() again.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49976

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49977
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: Fix zero-division error when disabling tc cbs

The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider
when offload is disabled") allows the "port_transmit_rate_kbps" to be
set to a value of 0, which is then passed to the "div_s64" function when
tc-cbs is disabled. This leads to a zero-division error.

When tc-cbs is disabled, the idleslope, sendslope, and credit values the
credit values are not required to be configured. Therefore, adding a return
statement after setting the txQ mode to DCB when tc-cbs is disabled would
prevent a zero-division error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49977

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49978
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

gso: fix udp gso fraglist segmentation after pull from frag_list

Detect gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.

In extreme cases they pull all data into skb linear. For UDP, this
causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
udp_hdr(seg->next)->dest.

Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination. Convert to be
able to pass to regular skb_segment.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49978

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49979
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: gso: fix tcp fraglist segmentation after pull from frag_list

Detect tcp gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.

In extreme cases they pull all data into skb linear. For TCP, this
causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at
tcp_hdr(seg->next).

Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination. Convert to be
able to pass to regular skb_segment.

Approach and description based on a patch by Willem de Bruijn.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49979

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49980
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vrf: revert "vrf: Remove unnecessary RCU-bh critical section"

This reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853.

dev_queue_xmit_nit is expected to be called with BH disabled.
__dev_queue_xmit has the following:

        /* Disable soft irqs for various locks below. Also
         * stops preemption for RCU.
         */
        rcu_read_lock_bh();

VRF must follow this invariant. The referenced commit removed this
protection. Which triggered a lockdep warning:

	================================
	WARNING: inconsistent lock state
	6.11.0 #1 Tainted: G        W
	--------------------------------
	inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
	btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:
	ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30
	{IN-SOFTIRQ-W} state was registered at:
	  lock_acquire+0x19a/0x4f0
	  _raw_spin_lock+0x27/0x40
	  packet_rcv+0xa33/0x1320
	  __netif_receive_skb_core.constprop.0+0xcb0/0x3a90
	  __netif_receive_skb_list_core+0x2c9/0x890
	  netif_receive_skb_list_internal+0x610/0xcc0
          [...]

	other info that might help us debug this:
	 Possible unsafe locking scenario:

	       CPU0
	       ----
	  lock(rlock-AF_PACKET);
	  <Interrupt>
	    lock(rlock-AF_PACKET);

	 *** DEADLOCK ***

	Call Trace:
	 <TASK>
	 dump_stack_lvl+0x73/0xa0
	 mark_lock+0x102e/0x16b0
	 __lock_acquire+0x9ae/0x6170
	 lock_acquire+0x19a/0x4f0
	 _raw_spin_lock+0x27/0x40
	 tpacket_rcv+0x863/0x3b30
	 dev_queue_xmit_nit+0x709/0xa40
	 vrf_finish_direct+0x26e/0x340 [vrf]
	 vrf_l3_out+0x5f4/0xe80 [vrf]
	 __ip_local_out+0x51e/0x7a0
          [...]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49980

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49981
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: venus: fix use after free bug in venus_remove due to race condition

in venus_probe, core->work is bound with venus_sys_error_handler, which is
used to handle error. The code use core->sys_err_done to make sync work.
The core->work is started in venus_event_notify.

If we call venus_remove, there might be an unfished work. The possible
sequence is as follows:

CPU0                  CPU1

                     |venus_sys_error_handler
venus_remove         |
hfi_destroy	 		 |
venus_hfi_destroy	 |
kfree(hdev);	     |
                     |hfi_reinit
					 |venus_hfi_queues_reinit
                     |//use hdev

Fix it by canceling the work in venus_remove.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49981

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49982
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

aoe: fix the potential use-after-free problem in more places

For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential
use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put()
instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs
into use-after-free.

Then Nicolai Stange found more places in aoe have potential use-after-free
problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()
and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push
packet to tx queue. So they should also use dev_hold() to increase the
refcnt of skb->dev.

On the other hand, moving dev_put() to tx() causes that the refcnt of
skb->dev be reduced to a negative value, because corresponding
dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),
probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49982

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49983
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free

When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(),
the 'ppath' is updated but it is the 'path' that is freed, thus potentially
triggering a double-free in the following process:

ext4_ext_replay_update_ex
  ppath = path
  ext4_force_split_extent_at(&ppath)
    ext4_split_extent_at
      ext4_ext_insert_extent
        ext4_ext_create_new_leaf
          ext4_ext_grow_indepth
            ext4_find_extent
              if (depth > path[0].p_maxdepth)
                kfree(path)                 ---> path First freed
                *orig_path = path = NULL    ---> null ppath
  kfree(path)                               ---> path double-free !!!

So drop the unnecessary ppath and use path directly to avoid this problem.
And use ext4_find_extent() directly to update path, avoiding unnecessary
memory allocation and freeing. Also, propagate the error returned by
ext4_find_extent() instead of using strange error codes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49983

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49984
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Prevent out of bounds access in performance query extensions

Check that the number of perfmons userspace is passing in the copy and
reset extensions is not greater than the internal kernel storage where
the ids will be copied into.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49984

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49985
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume

In case there is any sort of clock controller attached to this I2C bus
controller, for example Versaclock or even an AIC32x4 I2C codec, then
an I2C transfer triggered from the clock controller clk_ops .prepare
callback may trigger a deadlock on drivers/clk/clk.c prepare_lock mutex.

This is because the clock controller first grabs the prepare_lock mutex
and then performs the prepare operation, including its I2C access. The
I2C access resumes this I2C bus controller via .runtime_resume callback,
which calls clk_prepare_enable(), which attempts to grab the prepare_lock
mutex again and deadlocks.

Since the clock are already prepared since probe() and unprepared in
remove(), use simple clk_enable()/clk_disable() calls to enable and
disable the clock on runtime suspend and resume, to avoid hitting the
prepare_lock mutex.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49985

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49986
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors

x86_android_tablet_remove() frees the pdevs[] array, so it should not
be used after calling x86_android_tablet_remove().

When platform_device_register() fails, store the pdevs[x] PTR_ERR() value
into the local ret variable before calling x86_android_tablet_remove()
to avoid using pdevs[] after it has been freed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49986

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49987
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpftool: Fix undefined behavior in qsort(NULL, 0, ...)

When netfilter has no entry to display, qsort is called with
qsort(NULL, 0, ...). This results in undefined behavior, as UBSan
reports:

net.c:827:2: runtime error: null pointer passed as argument 1, which is declared to never be null

Although the C standard does not explicitly state whether calling qsort
with a NULL pointer when the size is 0 constitutes undefined behavior,
Section 7.1.4 of the C standard (Use of library functions) mentions:

"Each of the following statements applies unless explicitly stated
otherwise in the detailed descriptions that follow: If an argument to a
function has an invalid value (such as a value outside the domain of
the function, or a pointer outside the address space of the program, or
a null pointer, or a pointer to non-modifiable storage when the
corresponding parameter is not const-qualified) or a type (after
promotion) not expected by a function with variable number of
arguments, the behavior is undefined."

To avoid this, add an early return when nf_link_info is NULL to prevent
calling qsort with a NULL pointer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49987

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49988
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: add refcnt to ksmbd_conn struct

When sending an oplock break request, opinfo->conn is used,
But freed ->conn can be used on multichannel.
This patch add a reference count to the ksmbd_conn struct
so that it can be freed when it is no longer used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49988

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49989
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: fix double free issue during amdgpu module unload

Flexible endpoints use DIGs from available inflexible endpoints,
so only the encoders of inflexible links need to be freed.
Otherwise, a double free issue may occur when unloading the
amdgpu module.

[  279.190523] RIP: 0010:__slab_free+0x152/0x2f0
[  279.190577] Call Trace:
[  279.190580]  <TASK>
[  279.190582]  ? show_regs+0x69/0x80
[  279.190590]  ? die+0x3b/0x90
[  279.190595]  ? do_trap+0xc8/0xe0
[  279.190601]  ? do_error_trap+0x73/0xa0
[  279.190605]  ? __slab_free+0x152/0x2f0
[  279.190609]  ? exc_invalid_op+0x56/0x70
[  279.190616]  ? __slab_free+0x152/0x2f0
[  279.190642]  ? asm_exc_invalid_op+0x1f/0x30
[  279.190648]  ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[  279.191096]  ? __slab_free+0x152/0x2f0
[  279.191102]  ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[  279.191469]  kfree+0x260/0x2b0
[  279.191474]  dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[  279.191821]  link_destroy+0xd7/0x130 [amdgpu]
[  279.192248]  dc_destruct+0x90/0x270 [amdgpu]
[  279.192666]  dc_destroy+0x19/0x40 [amdgpu]
[  279.193020]  amdgpu_dm_fini+0x16e/0x200 [amdgpu]
[  279.193432]  dm_hw_fini+0x26/0x40 [amdgpu]
[  279.193795]  amdgpu_device_fini_hw+0x24c/0x400 [amdgpu]
[  279.194108]  amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu]
[  279.194436]  amdgpu_pci_remove+0x40/0x80 [amdgpu]
[  279.194632]  pci_device_remove+0x3a/0xa0
[  279.194638]  device_remove+0x40/0x70
[  279.194642]  device_release_driver_internal+0x1ad/0x210
[  279.194647]  driver_detach+0x4e/0xa0
[  279.194650]  bus_remove_driver+0x6f/0xf0
[  279.194653]  driver_unregister+0x33/0x60
[  279.194657]  pci_unregister_driver+0x44/0x90
[  279.194662]  amdgpu_exit+0x19/0x1f0 [amdgpu]
[  279.194939]  __do_sys_delete_module.isra.0+0x198/0x2f0
[  279.194946]  __x64_sys_delete_module+0x16/0x20
[  279.194950]  do_syscall_64+0x58/0x120
[  279.194954]  entry_SYSCALL_64_after_hwframe+0x6e/0x76
[  279.194980]  </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49989

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49990
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe/hdcp: Check GSC structure validity

Sometimes xe_gsc is not initialized when checked at HDCP capability
check. Add gsc structure check to avoid null pointer error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49990

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49991
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer

Pass pointer reference to amdgpu_bo_unref to clear the correct pointer,
otherwise amdgpu_bo_unref clear the local variable, the original pointer
not set to NULL, this could cause use-after-free bug.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49991

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49992
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/stm: Avoid use-after-free issues with crtc and plane

ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].

Use allocations managed by the DRM framework.

Found by Linux Verification Center (linuxtesting.org).

[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49992

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49994
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

block: fix integer overflow in BLKSECDISCARD

I independently rediscovered

	commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
	block: fix overflow in blk_ioctl_discard()

but for secure erase.

Same problem:

	uint64_t r[2] = {512, 18446744073709551104ULL};
	ioctl(fd, BLKSECDISCARD, r);

will enter near infinite loop inside blkdev_issue_secure_erase():

	a.out: attempt to access beyond end of device
	loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
	bio_check_eod: 3286214 callbacks suppressed
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49994

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49995
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tipc: guard against string buffer overrun

Smatch reports that copying media_name and if_name to name_parts may
overwrite the destination.

 .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
 .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)

This does seem to be the case so guard against this possibility by using
strscpy() and failing if truncation occurs.

Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")

Compile tested only.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49995

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49996
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix buffer overflow when parsing NFS reparse points

ReparseDataLength is sum of the InodeType size and DataBuffer size.
So to get DataBuffer size it is needed to subtract InodeType's size from
ReparseDataLength.

Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer
at position after the end of the buffer because it does not subtract
InodeType size from the length. Fix this problem and correctly subtract
variable len.

Member InodeType is present only when reparse buffer is large enough. Check
for ReparseDataLength before accessing InodeType to prevent another invalid
memory access.

Major and minor rdev values are present also only when reparse buffer is
large enough. Check for reparse buffer size before calling reparse_mkdev().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49996

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49997
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: lantiq_etop: fix memory disclosure

When applying padding, the buffer is not zeroed, which results in memory
disclosure. The mentioned data is observed on the wire. This patch uses
skb_put_padto() to pad Ethernet frames properly. The mentioned function
zeroes the expanded buffer.

In case the packet cannot be padded it is silently dropped. Statistics
are also not incremented. This driver does not support statistics in the
old 32-bit format or the new 64-bit format. These will be added in the
future. In its current form, the patch should be easily backported to
stable versions.

Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets
in hardware, so software padding must be applied.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49997

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49998
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: dsa: improve shutdown sequence

Alexander Sverdlin presents 2 problems during shutdown with the
lan9303 driver. One is specific to lan9303 and the other just happens
to reproduce there.

The first problem is that lan9303 is unique among DSA drivers in that it
calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown,
not remove):

phy_state_machine()
-> ...
   -> dsa_user_phy_read()
      -> ds->ops->phy_read()
         -> lan9303_phy_read()
            -> chip->ops->phy_read()
               -> lan9303_mdio_phy_read()
                  -> dev_get_drvdata()

But we never stop the phy_state_machine(), so it may continue to run
after dsa_switch_shutdown(). Our common pattern in all DSA drivers is
to set drvdata to NULL to suppress the remove() method that may come
afterwards. But in this case it will result in an NPD.

The second problem is that the way in which we set
dp->conduit->dsa_ptr = NULL; is concurrent with receive packet
processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL,
but afterwards, rather than continuing to use that non-NULL value,
dev->dsa_ptr is dereferenced again and again without NULL checks:
dsa_conduit_find_user() and many other places. In between dereferences,
there is no locking to ensure that what was valid once continues to be
valid.

Both problems have the common aspect that closing the conduit interface
solves them.

In the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN
event in dsa_user_netdevice_event() which closes user ports as well.
dsa_port_disable_rt() calls phylink_stop(), which synchronously stops
the phylink state machine, and ds->ops->phy_read() will thus no longer
call into the driver after this point.

In the second case, dev_close(conduit) should do this, as per
Documentation/networking/driver.rst:

| Quiescence
| ----------
|
| After the ndo_stop routine has been called, the hardware must
| not receive or transmit any data.  All in flight packets must
| be aborted. If necessary, poll or wait for completion of
| any reset commands.

So it should be sufficient to ensure that later, when we zeroize
conduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call
on this conduit.

The addition of the netif_device_detach() function is to ensure that
ioctls, rtnetlinks and ethtool requests on the user ports no longer
propagate down to the driver - we're no longer prepared to handle them.

The race condition actually did not exist when commit 0650bf52b31f
("net: dsa: be compatible with masters which unregister on shutdown")
first introduced dsa_switch_shutdown(). It was created later, when we
stopped unregistering the user interfaces from a bad spot, and we just
replaced that sequence with a racy zeroization of conduit->dsa_ptr
(one which doesn't ensure that the interfaces aren't up).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49998

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-49999
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

afs: Fix the setting of the server responding flag

In afs_wait_for_operation(), we set transcribe the call responded flag to
the server record that we used after doing the fileserver iteration loop -
but it's possible to exit the loop having had a response from the server
that we've discarded (e.g. it returned an abort or we started receiving
data, but the call didn't complete).

This means that op->server might be NULL, but we don't check that before
attempting to set the server flag.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-49999

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50000
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()

In mlx5e_tir_builder_alloc() kvzalloc() may return NULL
which is dereferenced on the next line in a reference
to the modify field.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50000

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50001
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix error path in multi-packet WQE transmit

Remove the erroneous unmap in case no DMA mapping was established

The multi-packet WQE transmit code attempts to obtain a DMA mapping for
the skb. This could fail, e.g. under memory pressure, when the IOMMU
driver just can't allocate more memory for page tables. While the code
tries to handle this in the path below the err_unmap label it erroneously
unmaps one entry from the sq's FIFO list of active mappings. Since the
current map attempt failed this unmap is removing some random DMA mapping
that might still be required. If the PCI function now presents that IOVA,
the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI
function in error state.

The erroneous behavior was seen in a stress-test environment that created
memory pressure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50001

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50002
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

static_call: Handle module init failure correctly in static_call_del_module()

Module insertion invokes static_call_add_module() to initialize the static
calls in a module. static_call_add_module() invokes __static_call_init(),
which allocates a struct static_call_mod to either encapsulate the built-in
static call sites of the associated key into it so further modules can be
added or to append the module to the module chain.

If that allocation fails the function returns with an error code and the
module core invokes static_call_del_module() to clean up eventually added
static_call_mod entries.

This works correctly, when all keys used by the module were converted over
to a module chain before the failure. If not then static_call_del_module()
causes a #GP as it blindly assumes that key::mods points to a valid struct
static_call_mod.

The problem is that key::mods is not a individual struct member of struct
static_call_key, it's part of a union to save space:

        union {
                /* bit 0: 0 = mods, 1 = sites */
                unsigned long type;
                struct static_call_mod *mods;
                struct static_call_site *sites;
	};

key::sites is a pointer to the list of built-in usage sites of the static
call. The type of the pointer is differentiated by bit 0. A mods pointer
has the bit clear, the sites pointer has the bit set.

As static_call_del_module() blidly assumes that the pointer is a valid
static_call_mod type, it fails to check for this failure case and
dereferences the pointer to the list of built-in call sites, which is
obviously bogus.

Cure it by checking whether the key has a sites or a mods pointer.

If it's a sites pointer then the key is not to be touched. As the sites are
walked in the same order as in __static_call_init() the site walk can be
terminated because all subsequent sites have not been touched by the init
code due to the error exit.

If it was converted before the allocation fail, then the inner loop which
searches for a module match will find nothing.

A fail in the second allocation in __static_call_init() is harmless and
does not require special treatment. The first allocation succeeded and
converted the key to a module chain. That first entry has mod::mod == NULL
and mod::next == NULL, so the inner loop of static_call_del_module() will
neither find a module match nor a module chain. The next site in the walk
was either already converted, but can't match the module, or it will exit
the outer loop because it has a static_call_site pointer and not a
static_call_mod pointer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50002

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50003
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix system hang while resume with TBT monitor

[Why]
Connected with a Thunderbolt monitor and do the suspend and the system
may hang while resume.

The TBT monitor HPD will be triggered during the resume procedure
and call the drm_client_modeset_probe() while
struct drm_connector connector->dev->master is NULL.

It will mess up the pipe topology after resume.

[How]
Skip the TBT monitor HPD during the resume procedure because we
currently will probe the connectors after resume by default.

(cherry picked from commit 453f86a26945207a16b8f66aaed5962dc2b95b85)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50003

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50004
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35

[WHY & HOW]
Mismatch in DCN35 DML2 cause bw validation failed to acquire unexpected DPP pipe to cause
grey screen and system hang. Remove EnhancedPrefetchScheduleAccelerationFinal value override
to match HW spec.

(cherry picked from commit 9dad21f910fcea2bdcff4af46159101d7f9cd8ba)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50004

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50005
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mac802154: Fix potential RCU dereference issue in mac802154_scan_worker

In the `mac802154_scan_worker` function, the `scan_req->type` field was
accessed after the RCU read-side critical section was unlocked. According
to RCU usage rules, this is illegal and can lead to unpredictable
behavior, such as accessing memory that has been updated or causing
use-after-free issues.

This possible bug was identified using a static analysis tool developed
by myself, specifically designed to detect RCU-related issues.

To address this, the `scan_req->type` value is now stored in a local
variable `scan_req_type` while still within the RCU read-side critical
section. The `scan_req_type` is then used after the RCU lock is released,
ensuring that the type value is safely accessed without violating RCU
rules.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50005

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50006
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: fix i_data_sem unlock order in ext4_ind_migrate()

Fuzzing reports a possible deadlock in jbd2_log_wait_commit.

This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require
synchronous updates because the file descriptor is opened with O_SYNC.
This can lead to the jbd2_journal_stop() function calling
jbd2_might_wait_for_commit(), potentially causing a deadlock if the
EXT4_IOC_MIGRATE call races with a write(2) system call.

This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this
case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the
jbd2_journal_stop function while i_data_sem is locked. This triggers
lockdep because the jbd2_journal_start function might also lock the same
jbd2_handle simultaneously.

Found by Linux Verification Center (linuxtesting.org) with syzkaller.

Rule: add
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50006

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50007
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: asihpi: Fix potential OOB array access

ASIHPI driver stores some values in the static array upon a response
from the driver, and its index depends on the firmware.  We shouldn't
trust it blindly.

This patch adds a sanity check of the array index to fit in the array
size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50007

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50008
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()

Replace one-element array with a flexible-array member in
`struct host_cmd_ds_802_11_scan_ext`.

With this, fix the following warning:

elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------
elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)
elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50008

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50009
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value

cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it
and return in case of error.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50009

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50010
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

exec: don't WARN for racy path_noexec check

Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact
of the previous implementation. They used to legitimately check for the
condition, but that got moved up in two commits:
633fb6ac3980 ("exec: move S_ISREG() check earlier")
0fd338b2d2cd ("exec: move path_noexec() check earlier")

Instead of being removed said checks are WARN_ON'ed instead, which
has some debug value.

However, the spurious path_noexec check is racy, resulting in
unwarranted warnings should someone race with setting the noexec flag.

One can note there is more to perm-checking whether execve is allowed
and none of the conditions are guaranteed to still hold after they were
tested for.

Additionally this does not validate whether the code path did any perm
checking to begin with -- it will pass if the inode happens to be
regular.

Keep the redundant path_noexec() check even though it's mindless
nonsense checking for guarantee that isn't given so drop the WARN.

Reword the commentary and do small tidy ups while here.

[brauner: keep redundant path_noexec() check]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50010

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50011
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: Intel: soc-acpi-intel-rpl-match: add missing empty item

There is no links_num in struct snd_soc_acpi_mach {}, and we test
!link->num_adr as a condition to end the loop in hda_sdw_machine_select().
So an empty item in struct snd_soc_acpi_link_adr array is required.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50011

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50012
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cpufreq: Avoid a bad reference count on CPU node

In the parse_perf_domain function, if the call to
of_parse_phandle_with_args returns an error, then the reference to the
CPU device node that was acquired at the start of the function would not
be properly decremented.

Address this by declaring the variable with the __free(device_node)
cleanup attribute.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50012

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50013
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

exfat: fix memory leak in exfat_load_bitmap()

If the first directory entry in the root directory is not a bitmap
directory entry, 'bh' will not be released and reassigned, which
will cause a memory leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50013

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50014
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: fix access to uninitialised lock in fc replay path

The following kernel trace can be triggered with fstest generic/629 when
executed against a filesystem with fast-commit feature enabled:

INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x66/0x90
 register_lock_class+0x759/0x7d0
 __lock_acquire+0x85/0x2630
 ? __find_get_block+0xb4/0x380
 lock_acquire+0xd1/0x2d0
 ? __ext4_journal_get_write_access+0xd5/0x160
 _raw_spin_lock+0x33/0x40
 ? __ext4_journal_get_write_access+0xd5/0x160
 __ext4_journal_get_write_access+0xd5/0x160
 ext4_reserve_inode_write+0x61/0xb0
 __ext4_mark_inode_dirty+0x79/0x270
 ? ext4_ext_replay_set_iblocks+0x2f8/0x450
 ext4_ext_replay_set_iblocks+0x330/0x450
 ext4_fc_replay+0x14c8/0x1540
 ? jread+0x88/0x2e0
 ? rcu_is_watching+0x11/0x40
 do_one_pass+0x447/0xd00
 jbd2_journal_recover+0x139/0x1b0
 jbd2_journal_load+0x96/0x390
 ext4_load_and_init_journal+0x253/0xd40
 ext4_fill_super+0x2cc6/0x3180
...

In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in
function ext4_check_bdev_write_error().  Unfortunately, at this point this
spinlock has not been initialized yet.  Moving it's initialization to an
earlier point in __ext4_fill_super() fixes this splat.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50014

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50015
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ext4: dax: fix overflowing extents beyond inode size when partially writing

The dax_iomap_rw() does two things in each iteration: map written blocks
and copy user data to blocks. If the process is killed by user(See signal
handling in dax_iomap_iter()), the copied data will be returned and added
on inode size, which means that the length of written extents may exceed
the inode size, then fsck will fail. An example is given as:

dd if=/dev/urandom of=file bs=4M count=1
 dax_iomap_rw
  iomap_iter // round 1
   ext4_iomap_begin
    ext4_iomap_alloc // allocate 0~2M extents(written flag)
  dax_iomap_iter // copy 2M data
  iomap_iter // round 2
   iomap_iter_advance
    iter->pos += iter->processed // iter->pos = 2M
   ext4_iomap_begin
    ext4_iomap_alloc // allocate 2~4M extents(written flag)
  dax_iomap_iter
   fatal_signal_pending
  done = iter->pos - iocb->ki_pos // done = 2M
 ext4_handle_inode_extension
  ext4_update_inode_size // inode size = 2M

fsck reports: Inode 13, i_size is 2097152, should be 4194304.  Fix?

Fix the problem by truncating extents if the written length is smaller
than expected.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50015

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50016
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid overflow assignment in link_dp_cts

sampling_rate is an uint8_t but is assigned an unsigned int, and thus it
can overflow. As a result, sampling_rate is changed to uint32_t.

Similarly, LINK_QUAL_PATTERN_SET has a size of 2 bits, and it should
only be assigned to a value less or equal than 4.

This fixes 2 INTEGER_OVERFLOW issues reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50016

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50017
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/mm/ident_map: Use gbpages only where full GB page should be mapped.

When ident_pud_init() uses only GB pages to create identity maps, large
ranges of addresses not actually requested can be included in the resulting
table; a 4K request will map a full GB.  This can include a lot of extra
address space past that requested, including areas marked reserved by the
BIOS.  That allows processor speculation into reserved regions, that on UV
systems can cause system halts.

Only use GB pages when map creation requests include the full GB page of
space.  Fall back to using smaller 2M pages when only portions of a GB page
are included in the request.

No attempt is made to coalesce mapping requests. If a request requires a
map entry at the 2M (pmd) level, subsequent mapping requests within the
same 1G region will also be at the pmd level, even if adjacent or
overlapping such requests could have been combined to map a full GB page.
Existing usage starts with larger regions and then adds smaller regions, so
this should not have any great consequence.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50017

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50018
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: napi: Prevent overflow of napi_defer_hard_irqs

In commit 6f8b12d661d0 ("net: napi: add hard irqs deferral feature")
napi_defer_irqs was added to net_device and napi_defer_irqs_count was
added to napi_struct, both as type int.

This value never goes below zero, so there is not reason for it to be a
signed int. Change the type for both from int to u32, and add an
overflow check to sysfs to limit the value to S32_MAX.

The limit of S32_MAX was chosen because the practical limit before this
patch was S32_MAX (anything larger was an overflow) and thus there are
no behavioral changes introduced. If the extra bit is needed in the
future, the limit can be raised.

Before this patch:

$ sudo bash -c 'echo 2147483649 > /sys/class/net/eth4/napi_defer_hard_irqs'
$ cat /sys/class/net/eth4/napi_defer_hard_irqs
-2147483647

After this patch:

$ sudo bash -c 'echo 2147483649 > /sys/class/net/eth4/napi_defer_hard_irqs'
bash: line 0: echo: write error: Numerical result out of range

Similarly, /sys/class/net/XXXXX/tx_queue_len is defined as unsigned:

include/linux/netdevice.h:      unsigned int            tx_queue_len;

And has an overflow check:

dev_change_tx_queue_len(..., unsigned long new_len):

  if (new_len != (unsigned int)new_len)
          return -ERANGE;
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50018

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50019
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

kthread: unpark only parked kthread

Calling into kthread unparking unconditionally is mostly harmless when
the kthread is already unparked. The wake up is then simply ignored
because the target is not in TASK_PARKED state.

However if the kthread is per CPU, the wake up is preceded by a call
to kthread_bind() which expects the task to be inactive and in
TASK_PARKED state, which obviously isn't the case if it is unparked.

As a result, calling kthread_stop() on an unparked per-cpu kthread
triggers such a warning:

	WARNING: CPU: 0 PID: 11 at kernel/kthread.c:525 __kthread_bind_mask kernel/kthread.c:525
	 <TASK>
	 kthread_stop+0x17a/0x630 kernel/kthread.c:707
	 destroy_workqueue+0x136/0xc40 kernel/workqueue.c:5810
	 wg_destruct+0x1e2/0x2e0 drivers/net/wireguard/device.c:257
	 netdev_run_todo+0xe1a/0x1000 net/core/dev.c:10693
	 default_device_exit_batch+0xa14/0xa90 net/core/dev.c:11769
	 ops_exit_list net/core/net_namespace.c:178 [inline]
	 cleanup_net+0x89d/0xcc0 net/core/net_namespace.c:640
	 process_one_work kernel/workqueue.c:3231 [inline]
	 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
	 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
	 kthread+0x2f0/0x390 kernel/kthread.c:389
	 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
	 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
	 </TASK>

Fix this with skipping unecessary unparking while stopping a kthread.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50019

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50020
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()

This patch addresses an issue with improper reference count handling in the
ice_sriov_set_msix_vec_count() function.

First, the function calls ice_get_vf_by_id(), which increments the
reference count of the vf pointer. If the subsequent call to
ice_get_vf_vsi() fails, the function currently returns an error without
decrementing the reference count of the vf pointer, leading to a reference
count leak. The correct behavior, as implemented in this patch, is to
decrement the reference count using ice_put_vf(vf) before returning an
error when vsi is NULL.

Second, the function calls ice_sriov_get_irqs(), which sets
vf->first_vector_idx. If this call returns a negative value, indicating an
error, the function returns an error without decrementing the reference
count of the vf pointer, resulting in another reference count leak. The
patch addresses this by adding a call to ice_put_vf(vf) before returning
an error when vf->first_vector_idx < 0.

This bug was identified by an experimental static analysis tool developed
by our team. The tool specializes in analyzing reference count operations
and identifying potential mismanagement of reference counts. In this case,
the tool flagged the missing decrement operation as a potential issue,
leading to this patch.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50020

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50021
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: Fix improper handling of refcount in ice_dpll_init_rclk_pins()

This patch addresses a reference count handling issue in the
ice_dpll_init_rclk_pins() function. The function calls ice_dpll_get_pins(),
which increments the reference count of the relevant resources. However,
if the condition WARN_ON((!vsi || !vsi->netdev)) is met, the function
currently returns an error without properly releasing the resources
acquired by ice_dpll_get_pins(), leading to a reference count leak.

To resolve this, the check has been moved to the top of the function. This
ensures that the function verifies the state before any resources are
acquired, avoiding the need for additional resource management in the
error path.

This bug was identified by an experimental static analysis tool developed
by our team. The tool specializes in analyzing reference count operations
and detecting potential issues where resources are not properly managed.
In this case, the tool flagged the missing release operation as a
potential problem, which led to the development of this patch.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50021

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50022
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

device-dax: correct pgoff align in dax_set_mapping()

pgoff should be aligned using ALIGN_DOWN() instead of ALIGN().  Otherwise,
vmf->address not aligned to fault_size will be aligned to the next
alignment, that can result in memory failure getting the wrong address.

It's a subtle situation that only can be observed in
page_mapped_in_vma() after the page is page fault handled by
dev_dax_huge_fault.  Generally, there is little chance to perform
page_mapped_in_vma in dev-dax's page unless in specific error injection
to the dax device to trigger an MCE - memory-failure.  In that case,
page_mapped_in_vma() will be triggered to determine which task is
accessing the failure address and kill that task in the end.


We used self-developed dax device (which is 2M aligned mapping) , to
perform error injection to random address.  It turned out that error
injected to non-2M-aligned address was causing endless MCE until panic.
Because page_mapped_in_vma() kept resulting wrong address and the task
accessing the failure address was never killed properly:


[ 3783.719419] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3784.049006] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3784.049190] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3784.448042] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3784.448186] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3784.792026] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3784.792179] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3785.162502] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3785.162633] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3785.461116] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3785.461247] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3785.764730] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3785.764859] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3786.042128] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3786.042259] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3786.464293] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3786.464423] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3786.818090] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3786.818217] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered
[ 3787.085297] mce: Uncorrected hardware memory error in user-access at 
200c9742380
[ 3787.085424] Memory failure: 0x200c9742: recovery action for dax page: 
Recovered

It took us several weeks to pinpoint this problem,  but we eventually
used bpftrace to trace the page fault and mce address and successfully
identified the issue.


Joao added:

; Likely we never reproduce in production because we always pin
: device-dax regions in the region align they provide (Qemu does
: similarly with prealloc in hugetlb/file backed memory).  I think this
: bug requires that we touch *unpinned* device-dax regions unaligned to
: the device-dax selected alignment (page size i.e.  4K/2M/1G)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50022

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50023
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: phy: Remove LED entry from LEDs list on unregister

Commit c938ab4da0eb ("net: phy: Manual remove LEDs to ensure correct
ordering") correctly fixed a problem with using devm_ but missed
removing the LED entry from the LEDs list.

This cause kernel panic on specific scenario where the port for the PHY
is torn down and up and the kmod for the PHY is removed.

On setting the port down the first time, the assosiacted LEDs are
correctly unregistered. The associated kmod for the PHY is now removed.
The kmod is now added again and the port is now put up, the associated LED
are registered again.
On putting the port down again for the second time after these step, the
LED list now have 4 elements. With the first 2 already unregistered
previously and the 2 new one registered again.

This cause a kernel panic as the first 2 element should have been
removed.

Fix this by correctly removing the element when LED is unregistered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50023

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50024
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: Fix an unsafe loop on the list

The kernel may crash when deleting a genetlink family if there are still
listeners for that family:

Oops: Kernel access of bad area, sig: 11 [#1]
  ...
  NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0
  LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0
  Call Trace:
__netlink_clear_multicast_users+0x74/0xc0
genl_unregister_family+0xd4/0x2d0

Change the unsafe loop on the list to a safe one, because inside the
loop there is an element removal from this list.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50024

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50025
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: fnic: Move flush_work initialization out of if block

After commit 379a58caa199 ("scsi: fnic: Move fnic_fnic_flush_tx() to a
work queue"), it can happen that a work item is sent to an uninitialized
work queue.  This may has the effect that the item being queued is never
actually queued, and any further actions depending on it will not
proceed.

The following warning is observed while the fnic driver is loaded:

kernel: WARNING: CPU: 11 PID: 0 at ../kernel/workqueue.c:1524 __queue_work+0x373/0x410
kernel:  <IRQ>
kernel:  queue_work_on+0x3a/0x50
kernel:  fnic_wq_copy_cmpl_handler+0x54a/0x730 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]
kernel:  fnic_isr_msix_wq_copy+0x2d/0x60 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]
kernel:  __handle_irq_event_percpu+0x36/0x1a0
kernel:  handle_irq_event_percpu+0x30/0x70
kernel:  handle_irq_event+0x34/0x60
kernel:  handle_edge_irq+0x7e/0x1a0
kernel:  __common_interrupt+0x3b/0xb0
kernel:  common_interrupt+0x58/0xa0
kernel:  </IRQ>

It has been observed that this may break the rediscovery of Fibre
Channel devices after a temporary fabric failure.

This patch fixes it by moving the work queue initialization out of
an if block in fnic_probe().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50025

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50026
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: wd33c93: Don't use stale scsi_pointer value

A regression was introduced with commit dbb2da557a6a ("scsi: wd33c93:
Move the SCSI pointer to private command data") which results in an oops
in wd33c93_intr(). That commit added the scsi_pointer variable and
initialized it from hostdata->connected. However, during selection,
hostdata->connected is not yet valid. Fix this by getting the current
scsi_pointer from hostdata->selecting.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50026

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50027
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Free tzp copy along with the thermal zone

The object pointed to by tz->tzp may still be accessed after being
freed in thermal_zone_device_unregister(), so move the freeing of it
to the point after the removal completion has been completed at which
it cannot be accessed any more.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50027

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50028
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Reference count the zone in thermal_zone_get_by_id()

There are places in the thermal netlink code where nothing prevents
the thermal zone object from going away while being accessed after it
has been returned by thermal_zone_get_by_id().

To address this, make thermal_zone_get_by_id() get a reference on the
thermal zone device object to be returned with the help of get_device(),
under thermal_list_lock, and adjust all of its callers to this change
with the help of the cleanup.h infrastructure.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50028

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50029
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync

This checks if the ACL connection remains valid as it could be destroyed
while hci_enhanced_setup_sync is pending on cmd_sync leading to the
following trace:

BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60
Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37

CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x5d/0x80
 ? hci_enhanced_setup_sync+0x91b/0xa60
 print_report+0x152/0x4c0
 ? hci_enhanced_setup_sync+0x91b/0xa60
 ? __virt_addr_valid+0x1fa/0x420
 ? hci_enhanced_setup_sync+0x91b/0xa60
 kasan_report+0xda/0x1b0
 ? hci_enhanced_setup_sync+0x91b/0xa60
 hci_enhanced_setup_sync+0x91b/0xa60
 ? __pfx_hci_enhanced_setup_sync+0x10/0x10
 ? __pfx___mutex_lock+0x10/0x10
 hci_cmd_sync_work+0x1c2/0x330
 process_one_work+0x7d9/0x1360
 ? __pfx_lock_acquire+0x10/0x10
 ? __pfx_process_one_work+0x10/0x10
 ? assign_work+0x167/0x240
 worker_thread+0x5b7/0xf60
 ? __kthread_parkme+0xac/0x1c0
 ? __pfx_worker_thread+0x10/0x10
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x293/0x360
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2f/0x70
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 34:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 __hci_conn_add+0x187/0x17d0
 hci_connect_sco+0x2e1/0xb90
 sco_sock_connect+0x2a2/0xb80
 __sys_connect+0x227/0x2a0
 __x64_sys_connect+0x6d/0xb0
 do_syscall_64+0x71/0x140
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 37:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x101/0x160
 kfree+0xd0/0x250
 device_release+0x9a/0x210
 kobject_put+0x151/0x280
 hci_conn_del+0x448/0xbf0
 hci_abort_conn_sync+0x46f/0x980
 hci_cmd_sync_work+0x1c2/0x330
 process_one_work+0x7d9/0x1360
 worker_thread+0x5b7/0xf60
 kthread+0x293/0x360
 ret_from_fork+0x2f/0x70
 ret_from_fork_asm+0x1a/0x30
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50029

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50030
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe/ct: prevent UAF in send_recv()

Ensure we serialize with completion side to prevent UAF with fence going
out of scope on the stack, since we have no clue if it will fire after
the timeout before we can erase from the xa. Also we have some dependent
loads and stores for which we need the correct ordering, and we lack the
needed barriers. Fix this by grabbing the ct->lock after the wait, which
is also held by the completion side.

v2 (Badal):
 - Also print done after acquiring the lock and seeing timeout.

(cherry picked from commit 52789ce35c55ccd30c4b67b9cc5b2af55e0122ea)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50030

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50031
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Stop the active perfmon before being destroyed

When running `kmscube` with one or more performance monitors enabled
via `GALLIUM_HUD`, the following kernel panic can occur:

[   55.008324] Unable to handle kernel paging request at virtual address 00000000052004a4
[   55.008368] Mem abort info:
[   55.008377]   ESR = 0x0000000096000005
[   55.008387]   EC = 0x25: DABT (current EL), IL = 32 bits
[   55.008402]   SET = 0, FnV = 0
[   55.008412]   EA = 0, S1PTW = 0
[   55.008421]   FSC = 0x05: level 1 translation fault
[   55.008434] Data abort info:
[   55.008442]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[   55.008455]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   55.008467]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   55.008481] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001046c6000
[   55.008497] [00000000052004a4] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[   55.008525] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[   55.008542] Modules linked in: rfcomm [...] vc4 v3d snd_soc_hdmi_codec drm_display_helper
gpu_sched drm_shmem_helper cec drm_dma_helper drm_kms_helper i2c_brcmstb
drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight
[   55.008799] CPU: 2 PID: 166 Comm: v3d_bin Tainted: G         C         6.6.47+rpt-rpi-v8 #1  Debian 1:6.6.47-1+rpt1
[   55.008824] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
[   55.008838] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   55.008855] pc : __mutex_lock.constprop.0+0x90/0x608
[   55.008879] lr : __mutex_lock.constprop.0+0x58/0x608
[   55.008895] sp : ffffffc080673cf0
[   55.008904] x29: ffffffc080673cf0 x28: 0000000000000000 x27: ffffff8106188a28
[   55.008926] x26: ffffff8101e78040 x25: ffffff8101baa6c0 x24: ffffffd9d989f148
[   55.008947] x23: ffffffda1c2a4008 x22: 0000000000000002 x21: ffffffc080673d38
[   55.008968] x20: ffffff8101238000 x19: ffffff8104f83188 x18: 0000000000000000
[   55.008988] x17: 0000000000000000 x16: ffffffda1bd04d18 x15: 00000055bb08bc90
[   55.009715] x14: 0000000000000000 x13: 0000000000000000 x12: ffffffda1bd4cbb0
[   55.010433] x11: 00000000fa83b2da x10: 0000000000001a40 x9 : ffffffda1bd04d04
[   55.011162] x8 : ffffff8102097b80 x7 : 0000000000000000 x6 : 00000000030a5857
[   55.011880] x5 : 00ffffffffffffff x4 : 0300000005200470 x3 : 0300000005200470
[   55.012598] x2 : ffffff8101238000 x1 : 0000000000000021 x0 : 0300000005200470
[   55.013292] Call trace:
[   55.013959]  __mutex_lock.constprop.0+0x90/0x608
[   55.014646]  __mutex_lock_slowpath+0x1c/0x30
[   55.015317]  mutex_lock+0x50/0x68
[   55.015961]  v3d_perfmon_stop+0x40/0xe0 [v3d]
[   55.016627]  v3d_bin_job_run+0x10c/0x2d8 [v3d]
[   55.017282]  drm_sched_main+0x178/0x3f8 [gpu_sched]
[   55.017921]  kthread+0x11c/0x128
[   55.018554]  ret_from_fork+0x10/0x20
[   55.019168] Code: f9400260 f1001c1f 54001ea9 927df000 (b9403401)
[   55.019776] ---[ end trace 0000000000000000 ]---
[   55.020411] note: v3d_bin[166] exited with preempt_count 1

This issue arises because, upon closing the file descriptor (which happens
when we interrupt `kmscube`), the active performance monitor is not
stopped. Although all perfmons are destroyed in `v3d_perfmon_close_file()`,
the active performance monitor's pointer (`v3d->active_perfmon`) is still
retained.

If `kmscube` is run again, the driver will attempt to stop the active
performance monitor using the stale pointer in `v3d->active_perfmon`.
However, this pointer is no longer valid because the previous process has
already terminated, and all performance monitors associated with it have
been destroyed and freed.

To fix this, when the active performance monitor belongs to a given
process, explicitly stop it before destroying and freeing it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50031

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50032
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

rcu/nocb: Fix rcuog wake-up from offline softirq

After a CPU has set itself offline and before it eventually calls
rcutree_report_cpu_dead(), there are still opportunities for callbacks
to be enqueued, for example from a softirq. When that happens on NOCB,
the rcuog wake-up is deferred through an IPI to an online CPU in order
not to call into the scheduler and risk arming the RT-bandwidth after
hrtimers have been migrated out and disabled.

But performing a synchronized IPI from a softirq is buggy as reported in
the following scenario:

        WARNING: CPU: 1 PID: 26 at kernel/smp.c:633 smp_call_function_single
        Modules linked in: rcutorture torture
        CPU: 1 UID: 0 PID: 26 Comm: migration/1 Not tainted 6.11.0-rc1-00012-g9139f93209d1 #1
        Stopper: multi_cpu_stop+0x0/0x320 <- __stop_cpus+0xd0/0x120
        RIP: 0010:smp_call_function_single
        <IRQ>
        swake_up_one_online
        __call_rcu_nocb_wake
        __call_rcu_common
        ? rcu_torture_one_read
        call_timer_fn
        __run_timers
        run_timer_softirq
        handle_softirqs
        irq_exit_rcu
        ? tick_handle_periodic
        sysvec_apic_timer_interrupt
        </IRQ>

Fix this with forcing deferred rcuog wake up through the NOCB timer when
the CPU is offline. The actual wake up will happen from
rcutree_report_cpu_dead().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50032

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50033
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

slip: make slhc_remember() more robust against malicious packets

syzbot found that slhc_remember() was missing checks against
malicious packets [1].

slhc_remember() only checked the size of the packet was at least 20,
which is not good enough.

We need to make sure the packet includes the IPv4 and TCP header
that are supposed to be carried.

Add iph and th pointers to make the code more readable.

[1]

BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
  __release_sock+0x1da/0x330 net/core/sock.c:3072
  release_sock+0x6b/0x250 net/core/sock.c:3626
  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4091 [inline]
  slab_alloc_node mm/slub.c:4134 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1322 [inline]
  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50033

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50034
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC

Eric report a panic on IPPROTO_SMC, and give the facts
that when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.

Bug: Unable to handle kernel NULL pointer dereference at virtual address
0000000000000000
Mem abort info:
ESR = 0x0000000086000005
EC = 0x21: IABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000
[0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,
pud=0000000000000000
Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted
6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 08/06/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : 0x0
lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910
sp : ffff80009b887a90
x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000
x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00
x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000
x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee
x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001
x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003
x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000
Call trace:
0x0
netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000
smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593
smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973
security_socket_post_create+0x94/0xd4 security/security.c:4425
__sock_create+0x4c8/0x884 net/socket.c:1587
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x134/0x340 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1718
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: ???????? ???????? ???????? ???????? (????????)
---[ end trace 0000000000000000 ]---

This patch add a toy implementation that performs a simple return to
prevent such panic. This is because MSS can be set in sock_create_kern
or smc_setsockopt, similar to how it's done in AF_SMC. However, for
AF_SMC, there is currently no way to synchronize MSS within
__sys_connect_file. This toy implementation lays the groundwork for us
to support such feature for IPPROTO_SMC in the future.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50034

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50035
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ppp: fix ppp_async_encode() illegal access

syzbot reported an issue in ppp_async_encode() [1]

In this case, pppoe_sendmsg() is called with a zero size.
Then ppp_async_encode() is called with an empty skb.

BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
 BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
  ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
  ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
  ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
  ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
  ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
  __release_sock+0x1da/0x330 net/core/sock.c:3072
  release_sock+0x6b/0x250 net/core/sock.c:3626
  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4092 [inline]
  slab_alloc_node mm/slub.c:4135 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1322 [inline]
  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50035

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50036
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: do not delay dst_entries_add() in dst_release()

dst_entries_add() uses per-cpu data that might be freed at netns
dismantle from ip6_route_net_exit() calling dst_entries_destroy()

Before ip6_route_net_exit() can be called, we release all
the dsts associated with this netns, via calls to dst_release(),
which waits an rcu grace period before calling dst_destroy()

dst_entries_add() use in dst_destroy() is racy, because
dst_entries_destroy() could have been called already.

Decrementing the number of dsts must happen sooner.

Notes:

1) in CONFIG_XFRM case, dst_destroy() can call
   dst_release_immediate(child), this might also cause UAF
   if the child does not have DST_NOCOUNT set.
   IPSEC maintainers might take a look and see how to address this.

2) There is also discussion about removing this count of dst,
   which might happen in future kernels.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50036

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50037
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/fbdev-dma: Only cleanup deferred I/O if necessary

Commit 5a498d4d06d6 ("drm/fbdev-dma: Only install deferred I/O if
necessary") initializes deferred I/O only if it is used.
drm_fbdev_dma_fb_destroy() however calls fb_deferred_io_cleanup()
unconditionally with struct fb_info.fbdefio == NULL. KASAN with the
out-of-tree Apple silicon display driver posts following warning from
__flush_work() of a random struct work_struct instead of the expected
NULL pointer derefs.

[   22.053799] ------------[ cut here ]------------
[   22.054832] WARNING: CPU: 2 PID: 1 at kernel/workqueue.c:4177 __flush_work+0x4d8/0x580
[   22.056597] Modules linked in: uhid bnep uinput nls_ascii ip6_tables ip_tables i2c_dev loop fuse dm_multipath nfnetlink zram hid_magicmouse btrfs xor xor_neon brcmfmac_wcc raid6_pq hci_bcm4377 bluetooth brcmfmac hid_apple brcmutil nvmem_spmi_mfd simple_mfd_spmi dockchannel_hid cfg80211 joydev regmap_spmi nvme_apple ecdh_generic ecc macsmc_hid rfkill dwc3 appledrm snd_soc_macaudio macsmc_power nvme_core apple_isp phy_apple_atc apple_sart apple_rtkit_helper apple_dockchannel tps6598x macsmc_hwmon snd_soc_cs42l84 videobuf2_v4l2 spmi_apple_controller nvmem_apple_efuses videobuf2_dma_sg apple_z2 videobuf2_memops spi_nor panel_summit videobuf2_common asahi videodev pwm_apple apple_dcp snd_soc_apple_mca apple_admac spi_apple clk_apple_nco i2c_pasemi_platform snd_pcm_dmaengine mc i2c_pasemi_core mux_core ofpart adpdrm drm_dma_helper apple_dart apple_soc_cpufreq leds_pwm phram
[   22.073768] CPU: 2 UID: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.11.2-asahi+ #asahi-dev
[   22.075612] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
[   22.077032] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[   22.078567] pc : __flush_work+0x4d8/0x580
[   22.079471] lr : __flush_work+0x54/0x580
[   22.080345] sp : ffffc000836ef820
[   22.081089] x29: ffffc000836ef880 x28: 0000000000000000 x27: ffff80002ddb7128
[   22.082678] x26: dfffc00000000000 x25: 1ffff000096f0c57 x24: ffffc00082d3e358
[   22.084263] x23: ffff80004b7862b8 x22: dfffc00000000000 x21: ffff80005aa1d470
[   22.085855] x20: ffff80004b786000 x19: ffff80004b7862a0 x18: 0000000000000000
[   22.087439] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000005
[   22.089030] x14: 1ffff800106ddf0a x13: 0000000000000000 x12: 0000000000000000
[   22.090618] x11: ffffb800106ddf0f x10: dfffc00000000000 x9 : 1ffff800106ddf0e
[   22.092206] x8 : 0000000000000000 x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000001
[   22.093790] x5 : ffffc000836ef728 x4 : 0000000000000000 x3 : 0000000000000020
[   22.095368] x2 : 0000000000000008 x1 : 00000000000000aa x0 : 0000000000000000
[   22.096955] Call trace:
[   22.097505]  __flush_work+0x4d8/0x580
[   22.098330]  flush_delayed_work+0x80/0xb8
[   22.099231]  fb_deferred_io_cleanup+0x3c/0x130
[   22.100217]  drm_fbdev_dma_fb_destroy+0x6c/0xe0 [drm_dma_helper]
[   22.101559]  unregister_framebuffer+0x210/0x2f0
[   22.102575]  drm_fb_helper_unregister_info+0x48/0x60
[   22.103683]  drm_fbdev_dma_client_unregister+0x4c/0x80 [drm_dma_helper]
[   22.105147]  drm_client_dev_unregister+0x1cc/0x230
[   22.106217]  drm_dev_unregister+0x58/0x570
[   22.107125]  apple_drm_unbind+0x50/0x98 [appledrm]
[   22.108199]  component_del+0x1f8/0x3a8
[   22.109042]  dcp_platform_shutdown+0x24/0x38 [apple_dcp]
[   22.110357]  platform_shutdown+0x70/0x90
[   22.111219]  device_shutdown+0x368/0x4d8
[   22.112095]  kernel_restart+0x6c/0x1d0
[   22.112946]  __arm64_sys_reboot+0x1c8/0x328
[   22.113868]  invoke_syscall+0x78/0x1a8
[   22.114703]  do_el0_svc+0x124/0x1a0
[   22.115498]  el0_svc+0x3c/0xe0
[   22.116181]  el0t_64_sync_handler+0x70/0xc0
[   22.117110]  el0t_64_sync+0x190/0x198
[   22.117931] ---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50037

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50038
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

syzbot managed to call xt_cluster match via ebtables:

 WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780
 [..]
 ebt_do_table+0x174b/0x2a40

Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet
processing.  As this is only useful to restrict locally terminating
TCP/UDP traffic, register this for ipv4 and ipv6 family only.

Pablo points out that this is a general issue, direct users of the
set/getsockopt interface can call into targets/matches that were only
intended for use with ip(6)tables.

Check all UNSPEC matches and targets for similar issues:

- matches and targets are fine except if they assume skb_network_header()
  is valid -- this is only true when called from inet layer: ip(6) stack
  pulls the ip/ipv6 header into linear data area.
- targets that return XT_CONTINUE or other xtables verdicts must be
  restricted too, they are incompatbile with the ebtables traverser, e.g.
  EBT_CONTINUE is a completely different value than XT_CONTINUE.

Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as
they are provided for use by ip(6)tables.

The MARK target is also used by arptables, so register for NFPROTO_ARP too.

While at it, bail out if connbytes fails to enable the corresponding
conntrack family.

This change passes the selftests in iptables.git.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50038

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50039
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sched: accept TCA_STAB only for root qdisc

Most qdiscs maintain their backlog using qdisc_pkt_len(skb)
on the assumption it is invariant between the enqueue()
and dequeue() handlers.

Unfortunately syzbot can crash a host rather easily using
a TBF + SFQ combination, with an STAB on SFQ [1]

We can't support TCA_STAB on arbitrary level, this would
require to maintain per-qdisc storage.

[1]
[   88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   88.798611] #PF: supervisor read access in kernel mode
[   88.799014] #PF: error_code(0x0000) - not-present page
[   88.799506] PGD 0 P4D 0
[   88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
[   88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
[   88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00
All code
========
   0:	0f b7 50 12          	movzwl 0x12(%rax),%edx
   4:	48 8d 04 d5 00 00 00 	lea    0x0(,%rdx,8),%rax
   b:	00
   c:	48 89 d6             	mov    %rdx,%rsi
   f:	48 29 d0             	sub    %rdx,%rax
  12:	48 8b 91 c0 01 00 00 	mov    0x1c0(%rcx),%rdx
  19:	48 c1 e0 03          	shl    $0x3,%rax
  1d:	48 01 c2             	add    %rax,%rdx
  20:	66 83 7a 1a 00       	cmpw   $0x0,0x1a(%rdx)
  25:	7e c0                	jle    0xffffffffffffffe7
  27:	48 8b 3a             	mov    (%rdx),%rdi
  2a:*	4c 8b 07             	mov    (%rdi),%r8		<-- trapping instruction
  2d:	4c 89 02             	mov    %r8,(%rdx)
  30:	49 89 50 08          	mov    %rdx,0x8(%r8)
  34:	48 c7 47 08 00 00 00 	movq   $0x0,0x8(%rdi)
  3b:	00
  3c:	48                   	rex.W
  3d:	c7                   	.byte 0xc7
  3e:	07                   	(bad)
	...

Code starting with the faulting instruction
===========================================
   0:	4c 8b 07             	mov    (%rdi),%r8
   3:	4c 89 02             	mov    %r8,(%rdx)
   6:	49 89 50 08          	mov    %rdx,0x8(%r8)
   a:	48 c7 47 08 00 00 00 	movq   $0x0,0x8(%rdi)
  11:	00
  12:	48                   	rex.W
  13:	c7                   	.byte 0xc7
  14:	07                   	(bad)
	...
[   88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206
[   88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800
[   88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000
[   88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f
[   88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140
[   88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac
[   88.806734] FS:  00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000
[   88.807225] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0
[   88.808165] Call Trace:
[   88.808459]  <TASK>
[   88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[   88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)
[   88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[   88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
[   88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[   88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq
[   88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50039

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50040
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

igb: Do not bring the device up after non-fatal error

Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
changed igb_io_error_detected() to ignore non-fatal pcie errors in order
to avoid hung task that can happen when igb_down() is called multiple
times. This caused an issue when processing transient non-fatal errors.
igb_io_resume(), which is called after igb_io_error_detected(), assumes
that device is brought down by igb_io_error_detected() if the interface
is up. This resulted in panic with stacktrace below.

[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down
[  T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0
[  T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)
[  T292] igb 0000:09:00.0:   device [8086:1537] error status/mask=00004000/00000000
[  T292] igb 0000:09:00.0:    [14] CmpltTO [  200.105524,009][  T292] igb 0000:09:00.0: AER:   TLP Header: 00000000 00000000 00000000 00000000
[  T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message
[  T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.
[  T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message
[  T292] pcieport 0000:00:1c.5: AER: broadcast resume message
[  T292] ------------[ cut here ]------------
[  T292] kernel BUG at net/core/dev.c:6539!
[  T292] invalid opcode: 0000 [#1] PREEMPT SMP
[  T292] RIP: 0010:napi_enable+0x37/0x40
[  T292] Call Trace:
[  T292]  <TASK>
[  T292]  ? die+0x33/0x90
[  T292]  ? do_trap+0xdc/0x110
[  T292]  ? napi_enable+0x37/0x40
[  T292]  ? do_error_trap+0x70/0xb0
[  T292]  ? napi_enable+0x37/0x40
[  T292]  ? napi_enable+0x37/0x40
[  T292]  ? exc_invalid_op+0x4e/0x70
[  T292]  ? napi_enable+0x37/0x40
[  T292]  ? asm_exc_invalid_op+0x16/0x20
[  T292]  ? napi_enable+0x37/0x40
[  T292]  igb_up+0x41/0x150
[  T292]  igb_io_resume+0x25/0x70
[  T292]  report_resume+0x54/0x70
[  T292]  ? report_frozen_detected+0x20/0x20
[  T292]  pci_walk_bus+0x6c/0x90
[  T292]  ? aer_print_port_info+0xa0/0xa0
[  T292]  pcie_do_recovery+0x22f/0x380
[  T292]  aer_process_err_devices+0x110/0x160
[  T292]  aer_isr+0x1c1/0x1e0
[  T292]  ? disable_irq_nosync+0x10/0x10
[  T292]  irq_thread_fn+0x1a/0x60
[  T292]  irq_thread+0xe3/0x1a0
[  T292]  ? irq_set_affinity_notifier+0x120/0x120
[  T292]  ? irq_affinity_notify+0x100/0x100
[  T292]  kthread+0xe2/0x110
[  T292]  ? kthread_complete_and_exit+0x20/0x20
[  T292]  ret_from_fork+0x2d/0x50
[  T292]  ? kthread_complete_and_exit+0x20/0x20
[  T292]  ret_from_fork_asm+0x11/0x20
[  T292]  </TASK>

To fix this issue igb_io_resume() checks if the interface is running and
the device is not down this means igb_io_error_detected() did not bring
the device down and there is no need to bring it up.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50040

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50041
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix macvlan leak by synchronizing access to mac_filter_hash

This patch addresses a macvlan leak issue in the i40e driver caused by
concurrent access to vsi->mac_filter_hash. The leak occurs when multiple
threads attempt to modify the mac_filter_hash simultaneously, leading to
inconsistent state and potential memory leaks.

To fix this, we now wrap the calls to i40e_del_mac_filter() and zeroing
vf->default_lan_addr.addr with spin_lock/unlock_bh(&vsi->mac_filter_hash_lock),
ensuring atomic operations and preventing concurrent access.

Additionally, we add lockdep_assert_held(&vsi->mac_filter_hash_lock) in
i40e_add_mac_filter() to help catch similar issues in the future.

Reproduction steps:
1. Spawn VFs and configure port vlan on them.
2. Trigger concurrent macvlan operations (e.g., adding and deleting
	portvlan and/or mac filters).
3. Observe the potential memory leak and inconsistent state in the
	mac_filter_hash.

This synchronization ensures the integrity of the mac_filter_hash and prevents
the described leak.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50041

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50042
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: Fix increasing MSI-X on VF

Increasing MSI-X value on a VF leads to invalid memory operations. This
is caused by not reallocating some arrays.

Reproducer:
  modprobe ice
  echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe
  echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs
  echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count

Default MSI-X is 16, so 17 and above triggers this issue.

KASAN reports:

  BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
  Read of size 8 at addr ffff8888b937d180 by task bash/28433
  (...)

  Call Trace:
   (...)
   ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
   kasan_report+0xed/0x120
   ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
   ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
   ice_vsi_cfg_def+0x3360/0x4770 [ice]
   ? mutex_unlock+0x83/0xd0
   ? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]
   ? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]
   ice_vsi_cfg+0x7f/0x3b0 [ice]
   ice_vf_reconfig_vsi+0x114/0x210 [ice]
   ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]
   sriov_vf_msix_count_store+0x21c/0x300
   (...)

  Allocated by task 28201:
   (...)
   ice_vsi_cfg_def+0x1c8e/0x4770 [ice]
   ice_vsi_cfg+0x7f/0x3b0 [ice]
   ice_vsi_setup+0x179/0xa30 [ice]
   ice_sriov_configure+0xcaa/0x1520 [ice]
   sriov_numvfs_store+0x212/0x390
   (...)

To fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This
causes the required arrays to be reallocated taking the new queue count
into account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq
before ice_vsi_rebuild(), so that realloc uses the newly set queue
count.

Additionally, ice_vsi_rebuild() does not remove VSI filters
(ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer
necessary.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50042

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50043
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix possible badness in FREE_STATEID

When multiple FREE_STATEIDs are sent for the same delegation stateid,
it can lead to a possible either use-after-free or counter refcount
underflow errors.

In nfsd4_free_stateid() under the client lock we find a delegation
stateid, however the code drops the lock before calling nfs4_put_stid(),
that allows another FREE_STATE to find the stateid again. The first one
will proceed to then free the stateid which leads to either
use-after-free or decrementing already zeroed counter.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50043

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50044
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change

rfcomm_sk_state_change attempts to use sock_lock so it must never be
called with it locked but rfcomm_sock_ioctl always attempt to lock it
causing the following trace:

======================================================
WARNING: possible circular locking dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
------------------------------------------------------
syz-executor386/5093 is trying to acquire lock:
ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline]
ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73

but task is already holding lock:
ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50044

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50045
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: fix panic with metadata_dst skb

Fix a kernel panic in the br_netfilter module when sending untagged
traffic via a VxLAN device.
This happens during the check for fragmentation in br_nf_dev_queue_xmit.

It is dependent on:
1) the br_netfilter module being loaded;
2) net.bridge.bridge-nf-call-iptables set to 1;
3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;
4) untagged frames with size higher than the VxLAN MTU forwarded/flooded

When forwarding the untagged packet to the VxLAN bridge port, before
the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and
changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type
of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.

Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check
for frames that needs to be fragmented: frames with higher MTU than the
VxLAN device end up calling br_nf_ip_fragment, which in turns call
ip_skb_dst_mtu.

The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst
with valid dst->dev, thus the crash.

This case was never supported in the first place, so drop the packet
instead.

PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.
[  176.291791] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000110
[  176.292101] Mem abort info:
[  176.292184]   ESR = 0x0000000096000004
[  176.292322]   EC = 0x25: DABT (current EL), IL = 32 bits
[  176.292530]   SET = 0, FnV = 0
[  176.292709]   EA = 0, S1PTW = 0
[  176.292862]   FSC = 0x04: level 0 translation fault
[  176.293013] Data abort info:
[  176.293104]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[  176.293488]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[  176.293787]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[  176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000
[  176.294166] [0000000000000110] pgd=0000000000000000,
p4d=0000000000000000
[  176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[  176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth
br_netfilter bridge stp llc ipv6 crct10dif_ce
[  176.295923] CPU: 0 PID: 188 Comm: ping Not tainted
6.8.0-rc3-g5b3fbd61b9d1 #2
[  176.296314] Hardware name: linux,dummy-virt (DT)
[  176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS
BTYPE=--)
[  176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[  176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]
[  176.297636] sp : ffff800080003630
[  176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:
ffff6828c49ad9f8
[  176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:
00000000000003e8
[  176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:
ffff6828c3b16d28
[  176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:
0000000000000014
[  176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:
0000000095744632
[  176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:
ffffb7e137926a70
[  176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :
0000000000000000
[  176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :
f20e0100bebafeca
[  176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :
0000000000000000
[  176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :
ffff6828c7f918f0
[  176.300889] Call trace:
[  176.301123]  br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[  176.301411]  br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]
[  176.301703]  nf_hook_slow+0x48/0x124
[  176.302060]  br_forward_finish+0xc8/0xe8 [bridge]
[  176.302371]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]
[  176.302605]  br_nf_forward_finish+0x118/0x22c [br_netfilter]
[  176.302824]  br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]
[  176.303136]  br_nf_forward+0x2b8/0x4e0 [br_netfilter]
[  176.303359]  nf_hook_slow+0x48/0x124
[  176.303
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50045

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50046
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()

On the node of an NFS client, some files saved in the mountpoint of the
NFS server were copied to another location of the same NFS server.
Accidentally, the nfs42_complete_copies() got a NULL-pointer dereference
crash with the following syslog:

[232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
[232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
[232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
[232066.588586] Mem abort info:
[232066.588701]   ESR = 0x0000000096000007
[232066.588862]   EC = 0x25: DABT (current EL), IL = 32 bits
[232066.589084]   SET = 0, FnV = 0
[232066.589216]   EA = 0, S1PTW = 0
[232066.589340]   FSC = 0x07: level 3 translation fault
[232066.589559] Data abort info:
[232066.589683]   ISV = 0, ISS = 0x00000007
[232066.589842]   CM = 0, WnR = 0
[232066.589967] user pgtable: 64k pages, 48-bit VAs, pgdp=00002000956ff400
[232066.590231] [0000000000000058] pgd=08001100ae100003, p4d=08001100ae100003, pud=08001100ae100003, pmd=08001100b3c00003, pte=0000000000000000
[232066.590757] Internal error: Oops: 96000007 [#1] SMP
[232066.590958] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm vhost_net vhost vhost_iotlb tap tun ipt_rpfilter xt_multiport ip_set_hash_ip ip_set_hash_net xfrm_interface xfrm6_tunnel tunnel4 tunnel6 esp4 ah4 wireguard libcurve25519_generic veth xt_addrtype xt_set nf_conntrack_netlink ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_bitmap_port ip_set_hash_ipport dummy ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_filter sch_ingress nfnetlink_cttimeout vport_gre ip_gre ip_tunnel gre vport_geneve geneve vport_vxlan vxlan ip6_udp_tunnel udp_tunnel openvswitch nf_conncount dm_round_robin dm_service_time dm_multipath xt_nat xt_MASQUERADE nft_chain_nat nf_nat xt_mark xt_conntrack xt_comment nft_compat nft_counter nf_tables nfnetlink ocfs2 ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_ssif nbd overlay 8021q garp mrp bonding tls rfkill sunrpc ext4 mbcache jbd2
[232066.591052]  vfat fat cas_cache cas_disk ses enclosure scsi_transport_sas sg acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler ip_tables vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio dm_mirror dm_region_hash dm_log dm_mod nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc fuse xfs libcrc32c ast drm_vram_helper qla2xxx drm_kms_helper syscopyarea crct10dif_ce sysfillrect ghash_ce sysimgblt sha2_ce fb_sys_fops cec sha256_arm64 sha1_ce drm_ttm_helper ttm nvme_fc igb sbsa_gwdt nvme_fabrics drm nvme_core i2c_algo_bit i40e scsi_transport_fc megaraid_sas aes_neon_bs
[232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1
[232066.597356] Hardware name: Great Wall .\x93\x8e...RF6260 V5/GWMSSE2GL1T, BIOS T656FBE_V3.0.18 2024-01-06
[232066.597721] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4]
[232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4]
[232066.598595] sp : ffff8000f568fc70
[232066.598731] x29: ffff8000f568fc70 x28: 0000000000001000 x27: ffff21003db33000
[232066.599030] x26: ffff800005521ae0 x25: ffff0100f98fa3f0 x24: 0000000000000001
[232066.599319] x23: ffff800009920008 x22: ffff21003db33040 x21: ffff21003db33050
[232066.599628] x20: ffff410172fe9e40 x19: ffff410172fe9e00 x18: 0000000000000000
[232066.599914] x17: 0000000000000000 x16: 0000000000000004 x15: 0000000000000000
[232066.600195] x14: 0000000000000000 x13: ffff800008e685a8 x12: 00000000eac0c6e6
[232066.600498] x11: 00000000000000
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50046

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50047
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in async decryption

Doing an async decryption (large read) crashes with a
slab-use-after-free way down in the crypto API.

Reproducer:
    # mount.cifs -o ...,seal,esize=1 //srv/share /mnt
    # dd if=/mnt/largefile of=/dev/null
    ...
    [  194.196391] ==================================================================
    [  194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
    [  194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
    [  194.197707]
    [  194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
    [  194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
    [  194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
    [  194.200032] Call Trace:
    [  194.200191]  <TASK>
    [  194.200327]  dump_stack_lvl+0x4e/0x70
    [  194.200558]  ? gf128mul_4k_lle+0xc1/0x110
    [  194.200809]  print_report+0x174/0x505
    [  194.201040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
    [  194.201352]  ? srso_return_thunk+0x5/0x5f
    [  194.201604]  ? __virt_addr_valid+0xdf/0x1c0
    [  194.201868]  ? gf128mul_4k_lle+0xc1/0x110
    [  194.202128]  kasan_report+0xc8/0x150
    [  194.202361]  ? gf128mul_4k_lle+0xc1/0x110
    [  194.202616]  gf128mul_4k_lle+0xc1/0x110
    [  194.202863]  ghash_update+0x184/0x210
    [  194.203103]  shash_ahash_update+0x184/0x2a0
    [  194.203377]  ? __pfx_shash_ahash_update+0x10/0x10
    [  194.203651]  ? srso_return_thunk+0x5/0x5f
    [  194.203877]  ? crypto_gcm_init_common+0x1ba/0x340
    [  194.204142]  gcm_hash_assoc_remain_continue+0x10a/0x140
    [  194.204434]  crypt_message+0xec1/0x10a0 [cifs]
    [  194.206489]  ? __pfx_crypt_message+0x10/0x10 [cifs]
    [  194.208507]  ? srso_return_thunk+0x5/0x5f
    [  194.209205]  ? srso_return_thunk+0x5/0x5f
    [  194.209925]  ? srso_return_thunk+0x5/0x5f
    [  194.210443]  ? srso_return_thunk+0x5/0x5f
    [  194.211037]  decrypt_raw_data+0x15f/0x250 [cifs]
    [  194.212906]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
    [  194.214670]  ? srso_return_thunk+0x5/0x5f
    [  194.215193]  smb2_decrypt_offload+0x12a/0x6c0 [cifs]

This is because TFM is being used in parallel.

Fix this by allocating a new AEAD TFM for async decryption, but keep
the existing one for synchronous READ cases (similar to what is done
in smb3_calc_signature()).

Also remove the calls to aead_request_set_callback() and
crypto_wait_req() since it's always going to be a synchronous operation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50047

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50048
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

syzbot has found a NULL pointer dereference bug in fbcon.
Here is the simplified C reproducer:

struct param {
	uint8_t type;
	struct tiocl_selection ts;
};

int main()
{
	struct fb_con2fbmap con2fb;
	struct param param;

	int fd = open("/dev/fb1", 0, 0);

	con2fb.console = 0x19;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

	param.type = 2;
	param.ts.xs = 0; param.ts.ys = 0;
	param.ts.xe = 0; param.ts.ye = 0;
	param.ts.sel_mode = 0;

	int fd1 = open("/dev/tty1", O_RDWR, 0);
	ioctl(fd1, TIOCLINUX, &param);

	con2fb.console = 1;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

	return 0;
}

After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb)
causes the kernel to follow a different execution path:

 set_con2fb_map
  -> con2fb_init_display
   -> fbcon_set_disp
    -> redraw_screen
     -> hide_cursor
      -> clear_selection
       -> highlight
        -> invert_screen
         -> do_update_region
          -> fbcon_putcs
           -> ops->putcs

Since ops->putcs is a NULL pointer, this leads to a kernel panic.
To prevent this, we need to call set_blitting_type() within set_con2fb_map()
to properly initialize ops->putcs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50048

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50049
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check null pointer before dereferencing se

[WHAT & HOW]
se is null checked previously in the same function, indicating
it might be null; therefore, it must be checked when used again.

This fixes 1 FORWARD_NULL issue reported by Coverity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50049

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50055
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

driver core: bus: Fix double free in driver API bus_register()

For bus_register(), any error which happens after kset_register() will
cause that @priv are freed twice, fixed by setting @priv with NULL after
the first free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50055

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50056
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c

Fix potential dereferencing of ERR_PTR() in find_format_by_pix()
and uvc_v4l2_enum_format().

Fix the following smatch errors:

drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()
error: 'fmtdesc' dereferencing possible ERR_PTR()

drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()
error: 'fmtdesc' dereferencing possible ERR_PTR()

Also, fix similar issue in uvc_v4l2_try_format() for potential
dereferencing of ERR_PTR().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50057
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tipd: Free IRQ only if it was requested before

In polling mode, if no IRQ was requested there is no need to free it.
Call devm_free_irq() only if client->irq is set. This fixes the warning
caused by the tps6598x module removal:

WARNING: CPU: 2 PID: 333 at kernel/irq/devres.c:144 devm_free_irq+0x80/0x8c
...
...
Call trace:
  devm_free_irq+0x80/0x8c
  tps6598x_remove+0x28/0x88 [tps6598x]
  i2c_device_remove+0x2c/0x9c
  device_remove+0x4c/0x80
  device_release_driver_internal+0x1cc/0x228
  driver_detach+0x50/0x98
  bus_remove_driver+0x6c/0xbc
  driver_unregister+0x30/0x60
  i2c_del_driver+0x54/0x64
  tps6598x_i2c_driver_exit+0x18/0xc3c [tps6598x]
  __arm64_sys_delete_module+0x184/0x264
  invoke_syscall+0x48/0x110
  el0_svc_common.constprop.0+0xc8/0xe8
  do_el0_svc+0x20/0x2c
  el0_svc+0x28/0x98
  el0t_64_sync_handler+0x13c/0x158
  el0t_64_sync+0x190/0x194
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50057

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50058
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

serial: protect uart_port_dtr_rts() in uart_shutdown() too

Commit af224ca2df29 (serial: core: Prevent unsafe uart port access, part
3) added few uport == NULL checks. It added one to uart_shutdown(), so
the commit assumes, uport can be NULL in there. But right after that
protection, there is an unprotected "uart_port_dtr_rts(uport, false);"
call. That is invoked only if HUPCL is set, so I assume that is the
reason why we do not see lots of these reports.

Or it cannot be NULL at this point at all for some reason :P.

Until the above is investigated, stay on the safe side and move this
dereference to the if too.

I got this inconsistency from Coverity under CID 1585130. Thanks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50058

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50059
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev
function, then &sndev->check_link_status_work is bound with
check_link_status_work. switchtec_ntb_link_notification may be called
to start the work.

If we remove the module which will call switchtec_ntb_remove to make
cleanup, it will free sndev through kfree(sndev), while the work
mentioned above will be used. The sequence of operations that may lead
to a UAF bug is as follows:

CPU0                                 CPU1

                        | check_link_status_work
switchtec_ntb_remove    |
kfree(sndev);           |
                        | if (sndev->link_force_down)
                        | // use sndev

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in switchtec_ntb_remove.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50059

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50060
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring: check if we need to reschedule during overflow flush

In terms of normal application usage, this list will always be empty.
And if an application does overflow a bit, it'll have a few entries.
However, nothing obviously prevents syzbot from running a test case
that generates a ton of overflow entries, and then flushing them can
take quite a while.

Check for needing to reschedule while flushing, and drop our locks and
do so if necessary. There's no state to maintain here as overflows
always prune from head-of-list, hence it's fine to drop and reacquire
the locks at the end of the loop.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50060

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50061
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

In the cdns_i3c_master_probe function, &master->hj_work is bound with
cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
cnds_i3c_master_demux_ibis function to start the work.

If we remove the module which will call cdns_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                      CPU1

                                     | cdns_i3c_master_hj
cdns_i3c_master_remove               |
i3c_master_unregister(&master->base) |
device_unregister(&master->dev)      |
device_release                       |
//free master->base                  |
                                     | i3c_master_do_daa(&master->base)
                                     | //use master->base

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50061

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50062
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/rtrs-srv: Avoid null pointer deref during path establishment

For RTRS path establishment, RTRS client initiates and completes con_num
of connections. After establishing all its connections, the information
is exchanged between the client and server through the info_req message.
During this exchange, it is essential that all connections have been
established, and the state of the RTRS srv path is CONNECTED.

So add these sanity checks, to make sure we detect and abort process in
error scenarios to avoid null pointer deref.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50062

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50063
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Prevent tail call between progs attached to different hooks

bpf progs can be attached to kernel functions, and the attached functions
can take different parameters or return different return values. If
prog attached to one kernel function tail calls prog attached to another
kernel function, the ctx access or return value verification could be
bypassed.

For example, if prog1 is attached to func1 which takes only 1 parameter
and prog2 is attached to func2 which takes two parameters. Since verifier
assumes the bpf ctx passed to prog2 is constructed based on func2's
prototype, verifier allows prog2 to access the second parameter from
the bpf ctx passed to it. The problem is that verifier does not prevent
prog1 from passing its bpf ctx to prog2 via tail call. In this case,
the bpf ctx passed to prog2 is constructed from func1 instead of func2,
that is, the assumption for ctx access verification is bypassed.

Another example, if BPF LSM prog1 is attached to hook file_alloc_security,
and BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. Verifier
knows the return value rules for these two hooks, e.g. it is legal for
bpf_lsm_audit_rule_known to return positive number 1, and it is illegal
for file_alloc_security to return positive number. So verifier allows
prog2 to return positive number 1, but does not allow prog1 to return
positive number. The problem is that verifier does not prevent prog1
from calling prog2 via tail call. In this case, prog2's return value 1
will be used as the return value for prog1's hook file_alloc_security.
That is, the return value rule is bypassed.

This patch adds restriction for tail call to prevent such bypasses.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50063

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50064
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

zram: free secondary algorithms names

We need to kfree() secondary algorithms names when reset zram device that
had multi-streams, otherwise we leak memory.

[senozhatsky@chromium.org: kfree(NULL) is legal]
  Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50064

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50065
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ntfs3: Change to non-blocking allocation in ntfs_d_hash

d_hash is done while under "rcu-walk" and should not sleep.
__get_name() allocates using GFP_KERNEL, having the possibility
to sleep when under memory pressure. Change the allocation to
GFP_NOWAIT.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50065

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50066
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/mremap: fix move_normal_pmd/retract_page_tables race

In mremap(), move_page_tables() looks at the type of the PMD entry and the
specified address range to figure out by which method the next chunk of
page table entries should be moved.

At that point, the mmap_lock is held in write mode, but no rmap locks are
held yet.  For PMD entries that point to page tables and are fully covered
by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called,
which first takes rmap locks, then does move_normal_pmd(). 
move_normal_pmd() takes the necessary page table locks at source and
destination, then moves an entire page table from the source to the
destination.

The problem is: The rmap locks, which protect against concurrent page
table removal by retract_page_tables() in the THP code, are only taken
after the PMD entry has been read and it has been decided how to move it. 
So we can race as follows (with two processes that have mappings of the
same tmpfs file that is stored on a tmpfs mount with huge=advise); note
that process A accesses page tables through the MM while process B does it
through the file rmap:

process A                      process B
=========                      =========
mremap
  mremap_to
    move_vma
      move_page_tables
        get_old_pmd
        alloc_new_pmd
                      *** PREEMPT ***
                               madvise(MADV_COLLAPSE)
                                 do_madvise
                                   madvise_walk_vmas
                                     madvise_vma_behavior
                                       madvise_collapse
                                         hpage_collapse_scan_file
                                           collapse_file
                                             retract_page_tables
                                               i_mmap_lock_read(mapping)
                                               pmdp_collapse_flush
                                               i_mmap_unlock_read(mapping)
        move_pgt_entry(NORMAL_PMD, ...)
          take_rmap_locks
          move_normal_pmd
          drop_rmap_locks

When this happens, move_normal_pmd() can end up creating bogus PMD entries
in the line `pmd_populate(mm, new_pmd, pmd_pgtable(pmd))`.  The effect
depends on arch-specific and machine-specific details; on x86, you can end
up with physical page 0 mapped as a page table, which is likely
exploitable for user->kernel privilege escalation.

Fix the race by letting process B recheck that the PMD still points to a
page table after the rmap locks have been taken.  Otherwise, we bail and
let the caller fall back to the PTE-level copying path, which will then
bail immediately at the pmd_none() check.

Bug reachability: Reaching this bug requires that you can create
shmem/file THP mappings - anonymous THP uses different code that doesn't
zap stuff under rmap locks.  File THP is gated on an experimental config
flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need
shmem THP to hit this bug.  As far as I know, getting shmem THP normally
requires that you can mount your own tmpfs with the right mount flags,
which would require creating your own user+mount namespace; though I don't
know if some distros maybe enable shmem THP by default or something like
that.

Bug impact: This issue can likely be used for user->kernel privilege
escalation when it is reachable.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50067
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

uprobe: avoid out-of-bounds memory access of fetching args

Uprobe needs to fetch args into a percpu buffer, and then copy to ring
buffer to avoid non-atomic context problem.

Sometimes user-space strings, arrays can be very large, but the size of
percpu buffer is only page size. And store_trace_args() won't check
whether these data exceeds a single page or not, caused out-of-bounds
memory access.

It could be reproduced by following steps:
1. build kernel with CONFIG_KASAN enabled
2. save follow program as test.c

```
\#include <stdio.h>
\#include <stdlib.h>
\#include <string.h>

// If string length large than MAX_STRING_SIZE, the fetch_store_strlen()
// will return 0, cause __get_data_size() return shorter size, and
// store_trace_args() will not trigger out-of-bounds access.
// So make string length less than 4096.
\#define STRLEN 4093

void generate_string(char *str, int n)
{
    int i;
    for (i = 0; i < n; ++i)
    {
        char c = i % 26 + 'a';
        str[i] = c;
    }
    str[n-1] = '\0';
}

void print_string(char *str)
{
    printf("%s\n", str);
}

int main()
{
    char tmp[STRLEN];

    generate_string(tmp, STRLEN);
    print_string(tmp);

    return 0;
}
```
3. compile program
`gcc -o test test.c`

4. get the offset of `print_string()`
```
objdump -t test | grep -w print_string
0000000000401199 g     F .text  000000000000001b              print_string
```

5. configure uprobe with offset 0x1199
```
off=0x1199

cd /sys/kernel/debug/tracing/
echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring"
 > uprobe_events
echo 1 > events/uprobes/enable
echo 1 > tracing_on
```

6. run `test`, and kasan will report error.
==================================================================
BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0
Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x55/0x70
 print_address_description.constprop.0+0x27/0x310
 kasan_report+0x10f/0x120
 ? strncpy_from_user+0x1d6/0x1f0
 strncpy_from_user+0x1d6/0x1f0
 ? rmqueue.constprop.0+0x70d/0x2ad0
 process_fetch_insn+0xb26/0x1470
 ? __pfx_process_fetch_insn+0x10/0x10
 ? _raw_spin_lock+0x85/0xe0
 ? __pfx__raw_spin_lock+0x10/0x10
 ? __pte_offset_map+0x1f/0x2d0
 ? unwind_next_frame+0xc5f/0x1f80
 ? arch_stack_walk+0x68/0xf0
 ? is_bpf_text_address+0x23/0x30
 ? kernel_text_address.part.0+0xbb/0xd0
 ? __kernel_text_address+0x66/0xb0
 ? unwind_get_return_address+0x5e/0xa0
 ? __pfx_stack_trace_consume_entry+0x10/0x10
 ? arch_stack_walk+0xa2/0xf0
 ? _raw_spin_lock_irqsave+0x8b/0xf0
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? depot_alloc_stack+0x4c/0x1f0
 ? _raw_spin_unlock_irqrestore+0xe/0x30
 ? stack_depot_save_flags+0x35d/0x4f0
 ? kasan_save_stack+0x34/0x50
 ? kasan_save_stack+0x24/0x50
 ? mutex_lock+0x91/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 prepare_uprobe_buffer.part.0+0x2cd/0x500
 uprobe_dispatcher+0x2c3/0x6a0
 ? __pfx_uprobe_dispatcher+0x10/0x10
 ? __kasan_slab_alloc+0x4d/0x90
 handler_chain+0xdd/0x3e0
 handle_swbp+0x26e/0x3d0
 ? __pfx_handle_swbp+0x10/0x10
 ? uprobe_pre_sstep_notifier+0x151/0x1b0
 irqentry_exit_to_user_mode+0xe2/0x1b0
 asm_exc_int3+0x39/0x40
RIP: 0033:0x401199
Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce
RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206
RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2
RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0
RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20
R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040
R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

This commit enforces the buffer's maxlen less than a page-size to avoid
store_trace_args() out-of-memory access.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50067

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50068
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/damon/tests/sysfs-kunit.h: fix memory leak in damon_sysfs_test_add_targets()

The sysfs_target->regions allocated in damon_sysfs_regions_alloc() is not
freed in damon_sysfs_test_add_targets(), which cause the following memory
leak, free it to fix it.

	unreferenced object 0xffffff80c2a8db80 (size 96):
	  comm "kunit_try_catch", pid 187, jiffies 4294894363
	  hex dump (first 32 bytes):
	    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
	    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
	  backtrace (crc 0):
	    [<0000000001e3714d>] kmemleak_alloc+0x34/0x40
	    [<000000008e6835c1>] __kmalloc_cache_noprof+0x26c/0x2f4
	    [<000000001286d9f8>] damon_sysfs_test_add_targets+0x1cc/0x738
	    [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac
	    [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [<00000000adf936cf>] kthread+0x2e8/0x374
	    [<0000000041bb1628>] ret_from_fork+0x10/0x20
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50068

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50069
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pinctrl: apple: check devm_kasprintf() returned value

devm_kasprintf() can return a NULL pointer on failure but this returned
value is not checked. Fix this lack and check the returned value.

Found by code review.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50069

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50070
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pinctrl: stm32: check devm_kasprintf() returned value

devm_kasprintf() can return a NULL pointer on failure but this returned
value is not checked. Fix this lack and check the returned value.

Found by code review.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50070

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50071
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func()

'new_map' is allocated using devm_* which takes care of freeing the
allocated data on device removal, call to

	.dt_free_map = pinconf_generic_dt_free_map

double frees the map as pinconf_generic_dt_free_map() calls
pinctrl_utils_free_map().

Fix this by using kcalloc() instead of auto-managed devm_kcalloc().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50071

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50072
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/bugs: Use code segment selector for VERW operand

Robert Gill reported below #GP in 32-bit mode when dosemu software was
executing vm86() system call:

  general protection fault: 0000 [#1] PREEMPT SMP
  CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1
  Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010
  EIP: restore_all_switch_stack+0xbe/0xcf
  EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
  ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc
  DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046
  CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0
  Call Trace:
   show_regs+0x70/0x78
   die_addr+0x29/0x70
   exc_general_protection+0x13c/0x348
   exc_bounds+0x98/0x98
   handle_exception+0x14d/0x14d
   exc_bounds+0x98/0x98
   restore_all_switch_stack+0xbe/0xcf
   exc_bounds+0x98/0x98
   restore_all_switch_stack+0xbe/0xcf

This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS
are enabled. This is because segment registers with an arbitrary user value
can result in #GP when executing VERW. Intel SDM vol. 2C documents the
following behavior for VERW instruction:

  #GP(0) - If a memory operand effective address is outside the CS, DS, ES,
	   FS, or GS segment limit.

CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user
space. Use %cs selector to reference VERW operand. This ensures VERW will
not #GP for an arbitrary user %ds.

[ mingo: Fixed the SOB chain. ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50072

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50073
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0
drivers/tty/n_gsm.c:3160 [n_gsm]
Read of size 8 at addr ffff88815fe99c00 by task poc/3379
CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56
Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
 <TASK>
 gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
 __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]
 __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389
 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500
 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846
 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161
 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
 _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107
 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]
 ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195
 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79
 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338
 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805
 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

Allocated by task 65:
 gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]
 gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]
 gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]
 gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]
 tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391
 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39
 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445
 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229
 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391
 kthread+0x2a3/0x370 kernel/kthread.c:389
 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257

Freed by task 3367:
 kfree+0x126/0x420 mm/slub.c:4580
 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

[Analysis]
gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux
can be freed by multi threads through ioctl,which leads
to the occurrence of uaf. Protect it by gsm tx lock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50073

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50074
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

parport: Proper fix for array out-of-bounds access

The recent fix for array out-of-bounds accesses replaced sprintf()
calls blindly with snprintf().  However, since snprintf() returns the
would-be-printed size, not the actually output size, the length
calculation can still go over the given limit.

Use scnprintf() instead of snprintf(), which returns the actually
output letters, for addressing the potential out-of-bounds access
properly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50075
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xhci: tegra: fix checked USB2 port number

If USB virtualizatoin is enabled, USB2 ports are shared between all
Virtual Functions. The USB2 port number owned by an USB2 root hub in
a Virtual Function may be less than total USB2 phy number supported
by the Tegra XUSB controller.

Using total USB2 phy number as port number to check all PORTSC values
would cause invalid memory access.

[  116.923438] Unable to handle kernel paging request at virtual address 006c622f7665642f
...
[  117.213640] Call trace:
[  117.216783]  tegra_xusb_enter_elpg+0x23c/0x658
[  117.222021]  tegra_xusb_runtime_suspend+0x40/0x68
[  117.227260]  pm_generic_runtime_suspend+0x30/0x50
[  117.232847]  __rpm_callback+0x84/0x3c0
[  117.237038]  rpm_suspend+0x2dc/0x740
[  117.241229] pm_runtime_work+0xa0/0xb8
[  117.245769]  process_scheduled_works+0x24c/0x478
[  117.251007]  worker_thread+0x23c/0x328
[  117.255547]  kthread+0x104/0x1b0
[  117.259389]  ret_from_fork+0x10/0x20
[  117.263582] Code: 54000222 f9461ae8 f8747908 b4ffff48 (f9400100)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50076
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vt: prevent kernel-infoleak in con_font_get()

font.data may not initialize all memory spaces depending on the implementation
of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it
is safest to modify it to initialize the allocated memory space to 0, and it
generally does not affect the overall performance of the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50077
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Fix multiple init when debugfs is disabled

If bt_debugfs is not created successfully, which happens if either
CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init()
returns early and does not set iso_inited to true. This means that a
subsequent call to iso_init() will result in duplicate calls to
proto_register(), bt_sock_register(), etc.

With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, the
duplicate call to proto_register() triggers this BUG():

  list_add double add: new=ffffffffc0b280d0, prev=ffffffffbab56250,
    next=ffffffffc0b280d0.
  ------------[ cut here ]------------
  kernel BUG at lib/list_debug.c:35!
  Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
  CPU: 2 PID: 887 Comm: bluetoothd Not tainted 6.10.11-1-ao-desktop #1
  RIP: 0010:__list_add_valid_or_report+0x9a/0xa0
  ...
    __list_add_valid_or_report+0x9a/0xa0
    proto_register+0x2b5/0x340
    iso_init+0x23/0x150 [bluetooth]
    set_iso_socket_func+0x68/0x1b0 [bluetooth]
    kmem_cache_free+0x308/0x330
    hci_sock_sendmsg+0x990/0x9e0 [bluetooth]
    __sock_sendmsg+0x7b/0x80
    sock_write_iter+0x9a/0x110
    do_iter_readv_writev+0x11d/0x220
    vfs_writev+0x180/0x3e0
    do_writev+0xca/0x100
  ...

This change removes the early return. The check for iso_debugfs being
NULL was unnecessary, it is always NULL when iso_inited is false.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50078
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Call iso_exit() on module unload

If iso_init() has been called, iso_exit() must be called on module
unload. Without that, the struct proto that iso_init() registered with
proto_register() becomes invalid, which could cause unpredictable
problems later. In my case, with CONFIG_LIST_HARDENED and
CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually
triggers this BUG():

  list_add corruption. next->prev should be prev (ffffffffb5355fd0),
    but was 0000000000000068. (next=ffffffffc0a010d0).
  ------------[ cut here ]------------
  kernel BUG at lib/list_debug.c:29!
  Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
  CPU: 1 PID: 4159 Comm: modprobe Not tainted 6.10.11-4+bt2-ao-desktop #1
  RIP: 0010:__list_add_valid_or_report+0x61/0xa0
  ...
    __list_add_valid_or_report+0x61/0xa0
    proto_register+0x299/0x320
    hci_sock_init+0x16/0xc0 [bluetooth]
    bt_init+0x68/0xd0 [bluetooth]
    __pfx_bt_init+0x10/0x10 [bluetooth]
    do_one_initcall+0x80/0x2f0
    do_init_module+0x8b/0x230
    __do_sys_init_module+0x15f/0x190
    do_syscall_64+0x68/0x110
  ...
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50079
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring/sqpoll: ensure task state is TASK_RUNNING when running task_work

When the sqpoll is exiting and cancels pending work items, it may need
to run task_work. If this happens from within io_uring_cancel_generic(),
then it may be under waiting for the io_uring_task waitqueue. This
results in the below splat from the scheduler, as the ring mutex may be
attempted grabbed while in a TASK_INTERRUPTIBLE state.

Ensure that the task state is set appropriately for that, just like what
is done for the other cases in io_run_task_work().

do not call blocking ops when !TASK_RUNNING; state=1 set at [<0000000029387fd2>] prepare_to_wait+0x88/0x2fc
WARNING: CPU: 6 PID: 59939 at kernel/sched/core.c:8561 __might_sleep+0xf4/0x140
Modules linked in:
CPU: 6 UID: 0 PID: 59939 Comm: iou-sqp-59938 Not tainted 6.12.0-rc3-00113-g8d020023b155 #7456
Hardware name: linux,dummy-virt (DT)
pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : __might_sleep+0xf4/0x140
lr : __might_sleep+0xf4/0x140
sp : ffff80008c5e7830
x29: ffff80008c5e7830 x28: ffff0000d93088c0 x27: ffff60001c2d7230
x26: dfff800000000000 x25: ffff0000e16b9180 x24: ffff80008c5e7a50
x23: 1ffff000118bcf4a x22: ffff0000e16b9180 x21: ffff0000e16b9180
x20: 000000000000011b x19: ffff80008310fac0 x18: 1ffff000118bcd90
x17: 30303c5b20746120 x16: 74657320313d6574 x15: 0720072007200720
x14: 0720072007200720 x13: 0720072007200720 x12: ffff600036c64f0b
x11: 1fffe00036c64f0a x10: ffff600036c64f0a x9 : dfff800000000000
x8 : 00009fffc939b0f6 x7 : ffff0001b6327853 x6 : 0000000000000001
x5 : ffff0001b6327850 x4 : ffff600036c64f0b x3 : ffff8000803c35bc
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000e16b9180
Call trace:
 __might_sleep+0xf4/0x140
 mutex_lock+0x84/0x124
 io_handle_tw_list+0xf4/0x260
 tctx_task_work_run+0x94/0x340
 io_run_task_work+0x1ec/0x3c0
 io_uring_cancel_generic+0x364/0x524
 io_sq_thread+0x820/0x124c
 ret_from_fork+0x10/0x20
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50080
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ublk: don't allow user copy for unprivileged device

UBLK_F_USER_COPY requires userspace to call write() on ublk char
device for filling request buffer, and unprivileged device can't
be trusted.

So don't allow user copy for unprivileged device.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50081
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

blk-mq: setup queue ->tag_set before initializing hctx

Commit 7b815817aa58 ("blk-mq: add helper for checking if one CPU is mapped to specified hctx")
needs to check queue mapping via tag set in hctx's cpuhp handler.

However, q->tag_set may not be setup yet when the cpuhp handler is
enabled, then kernel oops is triggered.

Fix the issue by setup queue tag_set before initializing hctx.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50081

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50082
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race

We're seeing crashes from rq_qos_wake_function that look like this:

  BUG: unable to handle page fault for address: ffffafe180a40084
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0
  Oops: Oops: 0002 [#1] PREEMPT SMP PTI
  CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
  RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40
  Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00
  RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046
  RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011
  RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084
  RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011
  R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002
  R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003
  FS:  0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   <IRQ>
   try_to_wake_up+0x5a/0x6a0
   rq_qos_wake_function+0x71/0x80
   __wake_up_common+0x75/0xa0
   __wake_up+0x36/0x60
   scale_up.part.0+0x50/0x110
   wb_timer_fn+0x227/0x450
   ...

So rq_qos_wake_function() calls wake_up_process(data->task), which calls
try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock).

p comes from data->task, and data comes from the waitqueue entry, which
is stored on the waiter's stack in rq_qos_wait(). Analyzing the core
dump with drgn, I found that the waiter had already woken up and moved
on to a completely unrelated code path, clobbering what was previously
data->task. Meanwhile, the waker was passing the clobbered garbage in
data->task to wake_up_process(), leading to the crash.

What's happening is that in between rq_qos_wake_function() deleting the
waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding
that it already got a token and returning. The race looks like this:

rq_qos_wait()                           rq_qos_wake_function()
==============================================================
prepare_to_wait_exclusive()
                                        data->got_token = true;
                                        list_del_init(&curr->entry);
if (data.got_token)
        break;
finish_wait(&rqw->wait, &data.wq);
  ^- returns immediately because
     list_empty_careful(&wq_entry->entry)
     is true
... return, go do something else ...
                                        wake_up_process(data->task)
                                          (NO LONGER VALID!)-^

Normally, finish_wait() is supposed to synchronize against the waker.
But, as noted above, it is returning immediately because the waitqueue
entry has already been removed from the waitqueue.

The bug is that rq_qos_wake_function() is accessing the waitqueue entry
AFTER deleting it. Note that autoremove_wake_function() wakes the waiter
and THEN deletes the waitqueue entry, which is the proper order.

Fix it by swapping the order. We also need to use
list_del_init_careful() to match the list_empty_careful() in
finish_wait().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50082

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50083
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tcp: fix mptcp DSS corruption due to large pmtu xmit

Syzkaller was able to trigger a DSS corruption:

  TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies.
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695
  Modules linked in:
  CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
  RIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695
  Code: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff
  RSP: 0018:ffffc90000006db8 EFLAGS: 00010246
  RAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00
  RDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0
  RBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8
  R10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000
  R13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5
  FS:  000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   <IRQ>
   move_skbs_to_msk net/mptcp/protocol.c:811 [inline]
   mptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854
   subflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490
   tcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283
   tcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237
   tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915
   tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350
   ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205
   ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233
   NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
   NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
   __netif_receive_skb_one_core net/core/dev.c:5662 [inline]
   __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775
   process_backlog+0x662/0x15b0 net/core/dev.c:6107
   __napi_poll+0xcb/0x490 net/core/dev.c:6771
   napi_poll net/core/dev.c:6840 [inline]
   net_rx_action+0x89b/0x1240 net/core/dev.c:6962
   handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
   do_softirq+0x11b/0x1e0 kernel/softirq.c:455
   </IRQ>
   <TASK>
   __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
   local_bh_enable include/linux/bottom_half.h:33 [inline]
   rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
   __dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451
   dev_queue_xmit include/linux/netdevice.h:3094 [inline]
   neigh_hh_output include/net/neighbour.h:526 [inline]
   neigh_output include/net/neighbour.h:540 [inline]
   ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
   ip_local_out net/ipv4/ip_output.c:130 [inline]
   __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536
   __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466
   tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
   tcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline]
   tcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752
   __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015
   tcp_push_pending_frames include/net/tcp.h:2107 [inline]
   tcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline]
   tcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239
   tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915
   sk_backlog_rcv include/net/sock.h:1113 [inline]
   __release_sock+0x214/0x350 net/core/sock.c:3072
   release_sock+0x61/0x1f0 net/core/sock.c:3626
   mptcp_push_
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50084
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test()

Commit a3c1e45156ad ("net: microchip: vcap: Fix use-after-free error in
kunit test") fixed the use-after-free error, but introduced below
memory leaks by removing necessary vcap_free_rule(), add it to fix it.

	unreferenced object 0xffffff80ca58b700 (size 192):
	  comm "kunit_try_catch", pid 1215, jiffies 4294898264
	  hex dump (first 32 bytes):
	    00 12 7a 00 05 00 00 00 0a 00 00 00 64 00 00 00  ..z.........d...
	    00 00 00 00 00 00 00 00 00 04 0b cc 80 ff ff ff  ................
	  backtrace (crc 9c09c3fe):
	    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
	    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
	    [<0000000040a01b8d>] vcap_alloc_rule+0x3cc/0x9c4
	    [<000000003fe86110>] vcap_api_encode_rule_test+0x1ac/0x16b0
	    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac
	    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [<00000000c5d82c9a>] kthread+0x2e8/0x374
	    [<00000000f4287308>] ret_from_fork+0x10/0x20
	unreferenced object 0xffffff80cc0b0400 (size 64):
	  comm "kunit_try_catch", pid 1215, jiffies 4294898265
	  hex dump (first 32 bytes):
	    80 04 0b cc 80 ff ff ff 18 b7 58 ca 80 ff ff ff  ..........X.....
	    39 00 00 00 02 00 00 00 06 05 04 03 02 01 ff ff  9...............
	  backtrace (crc daf014e9):
	    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
	    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
	    [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528
	    [<00000000dfdb1e81>] vcap_api_encode_rule_test+0x224/0x16b0
	    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac
	    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [<00000000c5d82c9a>] kthread+0x2e8/0x374
	    [<00000000f4287308>] ret_from_fork+0x10/0x20
	unreferenced object 0xffffff80cc0b0700 (size 64):
	  comm "kunit_try_catch", pid 1215, jiffies 4294898265
	  hex dump (first 32 bytes):
	    80 07 0b cc 80 ff ff ff 28 b7 58 ca 80 ff ff ff  ........(.X.....
	    3c 00 00 00 00 00 00 00 01 2f 03 b3 ec ff ff ff  <......../......
	  backtrace (crc 8d877792):
	    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
	    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
	    [<000000006eadfab7>] vcap_rule_add_action+0x2d0/0x52c
	    [<00000000323475d1>] vcap_api_encode_rule_test+0x4d4/0x16b0
	    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac
	    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [<00000000c5d82c9a>] kthread+0x2e8/0x374
	    [<00000000f4287308>] ret_from_fork+0x10/0x20
	unreferenced object 0xffffff80cc0b0900 (size 64):
	  comm "kunit_try_catch", pid 1215, jiffies 4294898266
	  hex dump (first 32 bytes):
	    80 09 0b cc 80 ff ff ff 80 06 0b cc 80 ff ff ff  ................
	    7d 00 00 00 01 00 00 00 00 00 00 00 ff 00 00 00  }...............
	  backtrace (crc 34181e56):
	    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
	    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
	    [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528
	    [<00000000991e3564>] vcap_val_rule+0xcf0/0x13e8
	    [<00000000fc9868e5>] vcap_api_encode_rule_test+0x678/0x16b0
	    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac
	    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [<00000000c5d82c9a>] kthread+0x2e8/0x374
	    [<00000000f4287308>] ret_from_fork+0x10/0x20
	unreferenced object 0xffffff80cc0b0980 (size 64):
	  comm "kunit_try_catch", pid 1215, jiffies 4294898266
	  hex dump (first 32 bytes):
	    18 b7 58 ca 80 ff ff ff 00 09 0b cc 80 ff ff ff  ..X.............
	    67 00 00 00 00 00 00 00 01 01 74 88 c0 ff ff ff  g.........t.....
	  backtrace (crc 275fd9be):
	    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
	    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
	    [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528
	    [<000000001396a1a2>] test_add_de
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50084

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50085
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow

Syzkaller reported this splat:

  ==================================================================
  BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881
  Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662

  CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  Call Trace:
   <TASK>
   __dump_stack lib/dump_stack.c:94 [inline]
   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
   print_address_description mm/kasan/report.c:377 [inline]
   print_report+0xc3/0x620 mm/kasan/report.c:488
   kasan_report+0xd9/0x110 mm/kasan/report.c:601
   mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881
   mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline]
   mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572
   mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603
   genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115
   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
   genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210
   netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551
   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
   netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
   netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357
   netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901
   sock_sendmsg_nosec net/socket.c:729 [inline]
   __sock_sendmsg net/socket.c:744 [inline]
   ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607
   ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661
   __sys_sendmsg+0x117/0x1f0 net/socket.c:2690
   do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
   __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
   do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
   entry_SYSENTER_compat_after_hwframe+0x84/0x8e
  RIP: 0023:0xf7fe4579
  Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
  RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172
  RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
   </TASK>

  Allocated by task 5387:
   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
   kasan_save_track+0x14/0x30 mm/kasan/common.c:68
   poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
   __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
   kmalloc_noprof include/linux/slab.h:878 [inline]
   kzalloc_noprof include/linux/slab.h:1014 [inline]
   subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803
   subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956
   __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline]
   tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167
   mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764
   __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592
   mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642
   mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline]
   mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943
   mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777
   process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
   process_scheduled_works kernel/workqueue.c:3310 [inline]
   worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
   kthread+0x2c1/0x3a0 kernel/kthread.c:389
   ret_from_fork+0x45/0x80 arch/x86/ke
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50085

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50086
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix user-after-free from session log off

There is racy issue between smb2 session log off and smb2 session setup.
It will cause user-after-free from session log off.
This add session_lock when setting SMB2_SESSION_EXPIRED and referece
count to session struct not to free session while it is being used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50086

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50087
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix uninitialized pointer free on read_alloc_one_name() error

The function read_alloc_one_name() does not initialize the name field of
the passed fscrypt_str struct if kmalloc fails to allocate the
corresponding buffer.  Thus, it is not guaranteed that
fscrypt_str.name is initialized when freeing it.

This is a follow-up to the linked patch that fixes the remaining
instances of the bug introduced by commit e43eec81c516 ("btrfs: use
struct qstr instead of name and namelen pairs").
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50087

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50088
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix uninitialized pointer free in add_inode_ref()

The add_inode_ref() function does not initialize the "name" struct when
it is declared.  If any of the following calls to "read_one_inode()
returns NULL,

	dir = read_one_inode(root, parent_objectid);
	if (!dir) {
		ret = -ENOENT;
		goto out;
	}

	inode = read_one_inode(root, inode_objectid);
	if (!inode) {
		ret = -EIO;
		goto out;
	}

then "name.name" would be freed on "out" before being initialized.

out:
	...
	kfree(name.name);

This issue was reported by Coverity with CID 1526744.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50088

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50089
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

unicode: Don't special case ignorable code points

We don't need to handle them separately. Instead, just let them
decompose/casefold to themselves.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50089

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50090
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe/oa: Fix overflow in oa batch buffer

By default xe_bb_create_job() appends a MI_BATCH_BUFFER_END to batch
buffer, this is not a problem if batch buffer is only used once but
oa reuses the batch buffer for the same metric and at each call
it appends a MI_BATCH_BUFFER_END, printing the warning below and then
overflowing.

[  381.072016] ------------[ cut here ]------------
[  381.072019] xe 0000:00:02.0: [drm] Assertion `bb->len * 4 + bb_prefetch(q->gt) <= size` failed!
               platform: LUNARLAKE subplatform: 1
               graphics: Xe2_LPG / Xe2_HPG 20.04 step B0
               media: Xe2_LPM / Xe2_HPM 20.00 step B0
               tile: 0 VRAM 0 B
               GT: 0 type 1

So here checking if batch buffer already have MI_BATCH_BUFFER_END if
not append it.

v2:
- simply fix, suggestion from Ashutosh

(cherry picked from commit 9ba0e0f30ca42a98af3689460063edfb6315718a)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50090

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50091
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dm vdo: don't refer to dedupe_context after releasing it

Clear the dedupe_context pointer in a data_vio whenever ownership of
the context is lost, so that vdo can't examine it accidentally.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50091

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50092
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: netconsole: fix wrong warning

A warning is triggered when there is insufficient space in the buffer
for userdata. However, this is not an issue since userdata will be sent
in the next iteration.

Current warning message:

    ------------[ cut here ]------------
     WARNING: CPU: 13 PID: 3013042 at drivers/net/netconsole.c:1122 write_ext_msg+0x3b6/0x3d0
      ? write_ext_msg+0x3b6/0x3d0
      console_flush_all+0x1e9/0x330

The code incorrectly issues a warning when this_chunk is zero, which is
a valid scenario. The warning should only be triggered when this_chunk
is negative.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50092

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50093
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thermal: intel: int340x: processor: Fix warning during module unload

The processor_thermal driver uses pcim_device_enable() to enable a PCI
device, which means the device will be automatically disabled on driver
detach.  Thus there is no need to call pci_disable_device() again on it.

With recent PCI device resource management improvements, e.g. commit
f748a07a0b64 ("PCI: Remove legacy pcim_release()"), this problem is
exposed and triggers the warining below.

 [  224.010735] proc_thermal_pci 0000:00:04.0: disabling already-disabled device
 [  224.010747] WARNING: CPU: 8 PID: 4442 at drivers/pci/pci.c:2250 pci_disable_device+0xe5/0x100
 ...
 [  224.010844] Call Trace:
 [  224.010845]  <TASK>
 [  224.010847]  ? show_regs+0x6d/0x80
 [  224.010851]  ? __warn+0x8c/0x140
 [  224.010854]  ? pci_disable_device+0xe5/0x100
 [  224.010856]  ? report_bug+0x1c9/0x1e0
 [  224.010859]  ? handle_bug+0x46/0x80
 [  224.010862]  ? exc_invalid_op+0x1d/0x80
 [  224.010863]  ? asm_exc_invalid_op+0x1f/0x30
 [  224.010867]  ? pci_disable_device+0xe5/0x100
 [  224.010869]  ? pci_disable_device+0xe5/0x100
 [  224.010871]  ? kfree+0x21a/0x2b0
 [  224.010873]  pcim_disable_device+0x20/0x30
 [  224.010875]  devm_action_release+0x16/0x20
 [  224.010878]  release_nodes+0x47/0xc0
 [  224.010880]  devres_release_all+0x9f/0xe0
 [  224.010883]  device_unbind_cleanup+0x12/0x80
 [  224.010885]  device_release_driver_internal+0x1ca/0x210
 [  224.010887]  driver_detach+0x4e/0xa0
 [  224.010889]  bus_remove_driver+0x6f/0xf0
 [  224.010890]  driver_unregister+0x35/0x60
 [  224.010892]  pci_unregister_driver+0x44/0x90
 [  224.010894]  proc_thermal_pci_driver_exit+0x14/0x5f0 [processor_thermal_device_pci]
 ...
 [  224.010921] ---[ end trace 0000000000000000 ]---

Remove the excess pci_disable_device() calls.

[ rjw: Subject and changelog edits ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50093

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50094
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sfc: Don't invoke xdp_do_flush() from netpoll.

Yury reported a crash in the sfc driver originated from
netpoll_send_udp(). The netconsole sends a message and then netpoll
invokes the driver's NAPI function with a budget of zero. It is
dedicated to allow driver to free TX resources, that it may have used
while sending the packet.

In the netpoll case the driver invokes xdp_do_flush() unconditionally,
leading to crash because bpf_net_context was never assigned.

Invoke xdp_do_flush() only if budget is not zero.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50094

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50095
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/mad: Improve handling of timed out WRs of mad agent

Current timeout handler of mad agent acquires/releases mad_agent_priv
lock for every timed out WRs. This causes heavy locking contention
when higher no. of WRs are to be handled inside timeout handler.

This leads to softlockup with below trace in some use cases where
rdma-cm path is used to establish connection between peer nodes

Trace:
-----
 BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767]
 CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE
     -------  ---  5.14.0-427.13.1.el9_4.x86_64 #1
 Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019
 Workqueue: ib_mad1 timeout_sends [ib_core]
 RIP: 0010:__do_softirq+0x78/0x2ac
 RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246
 RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f
 RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b
 RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000
 R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040
 FS:  0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  <IRQ>
  ? show_trace_log_lvl+0x1c4/0x2df
  ? show_trace_log_lvl+0x1c4/0x2df
  ? __irq_exit_rcu+0xa1/0xc0
  ? watchdog_timer_fn+0x1b2/0x210
  ? __pfx_watchdog_timer_fn+0x10/0x10
  ? __hrtimer_run_queues+0x127/0x2c0
  ? hrtimer_interrupt+0xfc/0x210
  ? __sysvec_apic_timer_interrupt+0x5c/0x110
  ? sysvec_apic_timer_interrupt+0x37/0x90
  ? asm_sysvec_apic_timer_interrupt+0x16/0x20
  ? __do_softirq+0x78/0x2ac
  ? __do_softirq+0x60/0x2ac
  __irq_exit_rcu+0xa1/0xc0
  sysvec_call_function_single+0x72/0x90
  </IRQ>
  <TASK>
  asm_sysvec_call_function_single+0x16/0x20
 RIP: 0010:_raw_spin_unlock_irq+0x14/0x30
 RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247
 RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800
 RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c
 RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000
 R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538
 R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c
  cm_process_send_error+0x122/0x1d0 [ib_cm]
  timeout_sends+0x1dd/0x270 [ib_core]
  process_one_work+0x1e2/0x3b0
  ? __pfx_worker_thread+0x10/0x10
  worker_thread+0x50/0x3a0
  ? __pfx_worker_thread+0x10/0x10
  kthread+0xdd/0x100
  ? __pfx_kthread+0x10/0x10
  ret_from_fork+0x29/0x50
  </TASK>

Simplified timeout handler by creating local list of timed out WRs
and invoke send handler post creating the list. The new method acquires/
releases lock once to fetch the list and hence helps to reduce locking
contetiong when processing higher no. of WRs
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50095

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50096
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error

The `nouveau_dmem_copy_one` function ensures that the copy push command is
sent to the device firmware but does not track whether it was executed
successfully.

In the case of a copy error (e.g., firmware or hardware failure), the
copy push command will be sent via the firmware channel, and
`nouveau_dmem_copy_one` will likely report success, leading to the
`migrate_to_ram` function returning a dirty HIGH_USER page to the user.

This can result in a security vulnerability, as a HIGH_USER page that may
contain sensitive or corrupted data could be returned to the user.

To prevent this vulnerability, we allocate a zero page. Thus, in case of
an error, a non-dirty (zero) page will be returned to the user.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50096

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50097
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: fec: don't save PTP state if PTP is unsupported

Some platforms (such as i.MX25 and i.MX27) do not support PTP, so on
these platforms fec_ptp_init() is not called and the related members
in fep are not initialized. However, fec_ptp_save_state() is called
unconditionally, which causes the kernel to panic. Therefore, add a
condition so that fec_ptp_save_state() is not called if PTP is not
supported.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50097

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50098
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down

There is a history of deadlock if reboot is performed at the beginning
of booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFS
shutdown, and at that time the audio driver was waiting on
blk_mq_submit_bio() holding a mutex_lock while reading the fw binary.
After that, a deadlock issue occurred while audio driver shutdown was
waiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set
SDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down
after a UFS shutdown will return an error.

[   31.907781]I[0:      swapper/0:    0]        1        130705007       1651079834      11289729804                0 D(   2) 3 ffffff882e208000 *             init [device_shutdown]
[   31.907793]I[0:      swapper/0:    0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49]
[   31.907806]I[0:      swapper/0:    0] Call trace:
[   31.907810]I[0:      swapper/0:    0]  __switch_to+0x174/0x338
[   31.907819]I[0:      swapper/0:    0]  __schedule+0x5ec/0x9cc
[   31.907826]I[0:      swapper/0:    0]  schedule+0x7c/0xe8
[   31.907834]I[0:      swapper/0:    0]  schedule_preempt_disabled+0x24/0x40
[   31.907842]I[0:      swapper/0:    0]  __mutex_lock+0x408/0xdac
[   31.907849]I[0:      swapper/0:    0]  __mutex_lock_slowpath+0x14/0x24
[   31.907858]I[0:      swapper/0:    0]  mutex_lock+0x40/0xec
[   31.907866]I[0:      swapper/0:    0]  device_shutdown+0x108/0x280
[   31.907875]I[0:      swapper/0:    0]  kernel_restart+0x4c/0x11c
[   31.907883]I[0:      swapper/0:    0]  __arm64_sys_reboot+0x15c/0x280
[   31.907890]I[0:      swapper/0:    0]  invoke_syscall+0x70/0x158
[   31.907899]I[0:      swapper/0:    0]  el0_svc_common+0xb4/0xf4
[   31.907909]I[0:      swapper/0:    0]  do_el0_svc+0x2c/0xb0
[   31.907918]I[0:      swapper/0:    0]  el0_svc+0x34/0xe0
[   31.907928]I[0:      swapper/0:    0]  el0t_64_sync_handler+0x68/0xb4
[   31.907937]I[0:      swapper/0:    0]  el0t_64_sync+0x1a0/0x1a4

[   31.908774]I[0:      swapper/0:    0]       49                0         11960702      11236868007                0 D(   2) 6 ffffff882e28cb00 *      kworker/6:0 [__bio_queue_enter]
[   31.908783]I[0:      swapper/0:    0] Call trace:
[   31.908788]I[0:      swapper/0:    0]  __switch_to+0x174/0x338
[   31.908796]I[0:      swapper/0:    0]  __schedule+0x5ec/0x9cc
[   31.908803]I[0:      swapper/0:    0]  schedule+0x7c/0xe8
[   31.908811]I[0:      swapper/0:    0]  __bio_queue_enter+0xb8/0x178
[   31.908818]I[0:      swapper/0:    0]  blk_mq_submit_bio+0x194/0x67c
[   31.908827]I[0:      swapper/0:    0]  __submit_bio+0xb8/0x19c
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50098

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50099
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

arm64: probes: Remove broken LDR (literal) uprobe support

The simulate_ldr_literal() and simulate_ldrsw_literal() functions are
unsafe to use for uprobes. Both functions were originally written for
use with kprobes, and access memory with plain C accesses. When uprobes
was added, these were reused unmodified even though they cannot safely
access user memory.

There are three key problems:

1) The plain C accesses do not have corresponding extable entries, and
   thus if they encounter a fault the kernel will treat these as
   unintentional accesses to user memory, resulting in a BUG() which
   will kill the kernel thread, and likely lead to further issues (e.g.
   lockup or panic()).

2) The plain C accesses are subject to HW PAN and SW PAN, and so when
   either is in use, any attempt to simulate an access to user memory
   will fault. Thus neither simulate_ldr_literal() nor
   simulate_ldrsw_literal() can do anything useful when simulating a
   user instruction on any system with HW PAN or SW PAN.

3) The plain C accesses are privileged, as they run in kernel context,
   and in practice can access a small range of kernel virtual addresses.
   The instructions they simulate have a range of +/-1MiB, and since the
   simulated instructions must itself be a user instructions in the
   TTBR0 address range, these can address the final 1MiB of the TTBR1
   acddress range by wrapping downwards from an address in the first
   1MiB of the TTBR0 address range.

   In contemporary kernels the last 8MiB of TTBR1 address range is
   reserved, and accesses to this will always fault, meaning this is no
   worse than (1).

   Historically, it was theoretically possible for the linear map or
   vmemmap to spill into the final 8MiB of the TTBR1 address range, but
   in practice this is extremely unlikely to occur as this would
   require either:

   * Having enough physical memory to fill the entire linear map all the
     way to the final 1MiB of the TTBR1 address range.

   * Getting unlucky with KASLR randomization of the linear map such
     that the populated region happens to overlap with the last 1MiB of
     the TTBR address range.

   ... and in either case if we were to spill into the final page there
   would be larger problems as the final page would alias with error
   pointers.

Practically speaking, (1) and (2) are the big issues. Given there have
been no reports of problems since the broken code was introduced, it
appears that no-one is relying on probing these instructions with
uprobes.

Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW
(literal), limiting the use of simulate_ldr_literal() and
simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR
(literal) and LDRSW (literal) will be rejected as
arm_probe_decode_insn() will return INSN_REJECTED. In future we can
consider introducing working uprobes support for these instructions, but
this will require more significant work.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50099

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50100
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

USB: gadget: dummy-hcd: Fix "task hung" problem

The syzbot fuzzer has been encountering "task hung" problems ever
since the dummy-hcd driver was changed to use hrtimers instead of
regular timers.  It turns out that the problems are caused by a subtle
difference between the timer_pending() and hrtimer_active() APIs.

The changeover blindly replaced the first by the second.  However,
timer_pending() returns True when the timer is queued but not when its
callback is running, whereas hrtimer_active() returns True when the
hrtimer is queued _or_ its callback is running.  This difference
occasionally caused dummy_urb_enqueue() to think that the callback
routine had not yet started when in fact it was almost finished.  As a
result the hrtimer was not restarted, which made it impossible for the
driver to dequeue later the URB that was just enqueued.  This caused
usb_kill_urb() to hang, and things got worse from there.

Since hrtimers have no API for telling when they are queued and the
callback isn't running, the driver must keep track of this for itself.
That's what this patch does, adding a new "timer_pending" flag and
setting or clearing it at the appropriate times.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50100

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50101
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices

Previously, the domain_context_clear() function incorrectly called
pci_for_each_dma_alias() to set up context entries for non-PCI devices.
This could lead to kernel hangs or other unexpected behavior.

Add a check to only call pci_for_each_dma_alias() for PCI devices. For
non-PCI devices, domain_context_clear_one() is called directly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50101

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50102
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86: fix user address masking non-canonical speculation issue

It turns out that AMD has a "Meltdown Lite(tm)" issue with non-canonical
accesses in kernel space.  And so using just the high bit to decide
whether an access is in user space or kernel space ends up with the good
old "leak speculative data" if you have the right gadget using the
result:

  CVE-2020-12965 “Transient Execution of Non-Canonical Accesses“

Now, the kernel surrounds the access with a STAC/CLAC pair, and those
instructions end up serializing execution on older Zen architectures,
which closes the speculation window.

But that was true only up until Zen 5, which renames the AC bit [1].
That improves performance of STAC/CLAC a lot, but also means that the
speculation window is now open.

Note that this affects not just the new address masking, but also the
regular valid_user_address() check used by access_ok(), and the asm
version of the sign bit check in the get_user() helpers.

It does not affect put_user() or clear_user() variants, since there's no
speculative result to be used in a gadget for those operations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50102

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50103
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()

A devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could
possibly return NULL pointer. NULL Pointer Dereference may be
triggerred without addtional check.
Add a NULL check for the returned pointer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50103

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50104
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: qcom: sdm845: add missing soundwire runtime stream alloc

During the migration of Soundwire runtime stream allocation from
the Qualcomm Soundwire controller to SoC's soundcard drivers the sdm845
soundcard was forgotten.

At this point any playback attempt or audio daemon startup, for instance
on sdm845-db845c (Qualcomm RB3 board), will result in stream pointer
NULL dereference:

 Unable to handle kernel NULL pointer dereference at virtual
 address 0000000000000020
 Mem abort info:
   ESR = 0x0000000096000004
   EC = 0x25: DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
   FSC = 0x04: level 0 translation fault
 Data abort info:
   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101ecf000
 [0000000000000020] pgd=0000000000000000, p4d=0000000000000000
 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
 Modules linked in: ...
 CPU: 5 UID: 0 PID: 1198 Comm: aplay
 Not tainted 6.12.0-rc2-qcomlt-arm64-00059-g9d78f315a362-dirty #18
 Hardware name: Thundercomm Dragonboard 845c (DT)
 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]
 lr : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]
 sp : ffff80008a2035c0
 x29: ffff80008a2035c0 x28: ffff80008a203978 x27: 0000000000000000
 x26: 00000000000000c0 x25: 0000000000000000 x24: ffff1676025f4800
 x23: ffff167600ff1cb8 x22: ffff167600ff1c98 x21: 0000000000000003
 x20: ffff167607316000 x19: ffff167604e64e80 x18: 0000000000000000
 x17: 0000000000000000 x16: ffffcec265074160 x15: 0000000000000000
 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
 x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff167600ff1cec
 x5 : ffffcec22cfa2010 x4 : 0000000000000000 x3 : 0000000000000003
 x2 : ffff167613f836c0 x1 : 0000000000000000 x0 : ffff16761feb60b8
 Call trace:
  sdw_stream_add_slave+0x44/0x380 [soundwire_bus]
  wsa881x_hw_params+0x68/0x80 [snd_soc_wsa881x]
  snd_soc_dai_hw_params+0x3c/0xa4
  __soc_pcm_hw_params+0x230/0x660
  dpcm_be_dai_hw_params+0x1d0/0x3f8
  dpcm_fe_dai_hw_params+0x98/0x268
  snd_pcm_hw_params+0x124/0x460
  snd_pcm_common_ioctl+0x998/0x16e8
  snd_pcm_ioctl+0x34/0x58
  __arm64_sys_ioctl+0xac/0xf8
  invoke_syscall+0x48/0x104
  el0_svc_common.constprop.0+0x40/0xe0
  do_el0_svc+0x1c/0x28
  el0_svc+0x34/0xe0
  el0t_64_sync_handler+0x120/0x12c
  el0t_64_sync+0x190/0x194
 Code: aa0403fb f9418400 9100e000 9400102f (f8420f22)
 ---[ end trace 0000000000000000 ]---

0000000000006108 <sdw_stream_add_slave>:
    6108:       d503233f        paciasp
    610c:       a9b97bfd        stp     x29, x30, [sp, #-112]!
    6110:       910003fd        mov     x29, sp
    6114:       a90153f3        stp     x19, x20, [sp, #16]
    6118:       a9025bf5        stp     x21, x22, [sp, #32]
    611c:       aa0103f6        mov     x22, x1
    6120:       2a0303f5        mov     w21, w3
    6124:       a90363f7        stp     x23, x24, [sp, #48]
    6128:       aa0003f8        mov     x24, x0
    612c:       aa0203f7        mov     x23, x2
    6130:       a9046bf9        stp     x25, x26, [sp, #64]
    6134:       aa0403f9        mov     x25, x4        <-- x4 copied to x25
    6138:       a90573fb        stp     x27, x28, [sp, #80]
    613c:       aa0403fb        mov     x27, x4
    6140:       f9418400        ldr     x0, [x0, #776]
    6144:       9100e000        add     x0, x0, #0x38
    6148:       94000000        bl      0 <mutex_lock>
    614c:       f8420f22        ldr     x2, [x25, #32]!  <-- offset 0x44
    ^^^
This is 0x6108 + offset 0x44 from the beginning of sdw_stream_add_slave()
where data abort happens.
wsa881x_hw_params() is called with stream = NULL and passes it further
in register x4 (5th argu
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50104

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50105
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: qcom: sc7280: Fix missing Soundwire runtime stream alloc

Commit 15c7fab0e047 ("ASoC: qcom: Move Soundwire runtime stream alloc to
soundcards") moved the allocation of Soundwire stream runtime from the
Qualcomm Soundwire driver to each individual machine sound card driver,
except that it forgot to update SC7280 card.

Just like for other Qualcomm sound cards using Soundwire, the card
driver should allocate and release the runtime.  Otherwise sound
playback will result in a NULL pointer dereference or other effect of
uninitialized memory accesses (which was confirmed on SDM845 having
similar issue).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50105

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50106
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix race between laundromat and free_stateid

There is a race between laundromat handling of revoked delegations
and a client sending free_stateid operation. Laundromat thread
finds that delegation has expired and needs to be revoked so it
marks the delegation stid revoked and it puts it on a reaper list
but then it unlock the state lock and the actual delegation revocation
happens without the lock. Once the stid is marked revoked a racing
free_stateid processing thread does the following (1) it calls
list_del_init() which removes it from the reaper list and (2) frees
the delegation stid structure. The laundromat thread ends up not
calling the revoke_delegation() function for this particular delegation
but that means it will no release the lock lease that exists on
the file.

Now, a new open for this file comes in and ends up finding that
lease list isn't empty and calls nfsd_breaker_owns_lease() which ends
up trying to derefence a freed delegation stateid. Leading to the
followint use-after-free KASAN warning:

kernel: ==================================================================
kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd]
kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205
kernel:
kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9
kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024
kernel: Call trace:
kernel: dump_backtrace+0x98/0x120
kernel: show_stack+0x1c/0x30
kernel: dump_stack_lvl+0x80/0xe8
kernel: print_address_description.constprop.0+0x84/0x390
kernel: print_report+0xa4/0x268
kernel: kasan_report+0xb4/0xf8
kernel: __asan_report_load8_noabort+0x1c/0x28
kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd]
kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd]
kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd]
kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd]
kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd]
kernel: nfsd4_open+0xa08/0xe80 [nfsd]
kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd]
kernel: nfsd_dispatch+0x22c/0x718 [nfsd]
kernel: svc_process_common+0x8e8/0x1960 [sunrpc]
kernel: svc_process+0x3d4/0x7e0 [sunrpc]
kernel: svc_handle_xprt+0x828/0xe10 [sunrpc]
kernel: svc_recv+0x2cc/0x6a8 [sunrpc]
kernel: nfsd+0x270/0x400 [nfsd]
kernel: kthread+0x288/0x310
kernel: ret_from_fork+0x10/0x20

This patch proposes a fixed that's based on adding 2 new additional
stid's sc_status values that help coordinate between the laundromat
and other operations (nfsd4_free_stateid() and nfsd4_delegreturn()).

First to make sure, that once the stid is marked revoked, it is not
removed by the nfsd4_free_stateid(), the laundromat take a reference
on the stateid. Then, coordinating whether the stid has been put
on the cl_revoked list or we are processing FREE_STATEID and need to
make sure to remove it from the list, each check that state and act
accordingly. If laundromat has added to the cl_revoke list before
the arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove
it from the list. If nfsd4_free_stateid() finds that operations arrived
before laundromat has placed it on cl_revoke list, it marks the state
freed and then laundromat will no longer add it to the list.

Also, for nfsd4_delegreturn() when looking for the specified stid,
we need to access stid that are marked removed or freeable, it means
the laundromat has started processing it but hasn't finished and this
delegreturn needs to return nfserr_deleg_revoked and not
nfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the
lack of it will leave this stid on the cl_revoked list indefinitely.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50106

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50107
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

platform/x86/intel/pmc: Fix pmc_core_iounmap to call iounmap for valid addresses

Commit 50c6dbdfd16e ("x86/ioremap: Improve iounmap() address range checks")
introduces a WARN when adrress ranges of iounmap are invalid. On Thinkpad
P1 Gen 7 (Meteor Lake-P) this caused the following warning to appear:

WARNING: CPU: 7 PID: 713 at arch/x86/mm/ioremap.c:461 iounmap+0x58/0x1f0
Modules linked in: rfkill(+) snd_timer(+) fjes(+) snd soundcore intel_pmc_core(+)
int3403_thermal(+) int340x_thermal_zone intel_vsec pmt_telemetry acpi_pad pmt_class
acpi_tad int3400_thermal acpi_thermal_rel joydev loop nfnetlink zram xe drm_suballoc_helper
nouveau i915 mxm_wmi drm_ttm_helper gpu_sched drm_gpuvm drm_exec drm_buddy i2c_algo_bit
crct10dif_pclmul crc32_pclmul ttm crc32c_intel polyval_clmulni rtsx_pci_sdmmc ucsi_acpi
polyval_generic mmc_core hid_multitouch drm_display_helper ghash_clmulni_intel typec_ucsi
nvme sha512_ssse3 video sha256_ssse3 nvme_core intel_vpu sha1_ssse3 rtsx_pci cec typec
nvme_auth i2c_hid_acpi i2c_hid wmi pinctrl_meteorlake serio_raw ip6_tables ip_tables fuse
CPU: 7 UID: 0 PID: 713 Comm: (udev-worker) Not tainted 6.12.0-rc2iounmap+ #42
Hardware name: LENOVO 21KWCTO1WW/21KWCTO1WW, BIOS N48ET19W (1.06 ) 07/18/2024
RIP: 0010:iounmap+0x58/0x1f0
Code: 85 6a 01 00 00 48 8b 05 e6 e2 28 04 48 39 c5 72 19 eb 26 cc cc cc 48 ba 00 00 00 00 00 00 32 00 48 8d 44 02 ff 48 39 c5 72 23 <0f> 0b 48 83 c4 08 5b 5d 41 5c c3 cc cc cc cc 48 ba 00 00 00 00 00
RSP: 0018:ffff888131eff038 EFLAGS: 00010207
RAX: ffffc90000000000 RBX: 0000000000000000 RCX: ffff888e33b80000
RDX: dffffc0000000000 RSI: ffff888e33bc29c0 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff8881598a8000 R09: ffff888e2ccedc10
R10: 0000000000000003 R11: ffffffffb3367634 R12: 00000000fe000000
R13: ffff888101d0da28 R14: ffffffffc2e437e0 R15: ffff888110b03b28
FS:  00007f3c1d4b3980(0000) GS:ffff888e33b80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005651cfc93578 CR3: 0000000124e4c002 CR4: 0000000000f70ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __warn.cold+0xb6/0x176
? iounmap+0x58/0x1f0
? report_bug+0x1f4/0x2b0
? handle_bug+0x58/0x90
? exc_invalid_op+0x17/0x40
? asm_exc_invalid_op+0x1a/0x20
? iounmap+0x58/0x1f0
pmc_core_ssram_get_pmc+0x477/0x6c0 [intel_pmc_core]
? __pfx_pmc_core_ssram_get_pmc+0x10/0x10 [intel_pmc_core]
? __pfx_do_pci_enable_device+0x10/0x10
? pci_wait_for_pending+0x60/0x110
? pci_enable_device_flags+0x1e3/0x2e0
? __pfx_mtl_core_init+0x10/0x10 [intel_pmc_core]
pmc_core_ssram_init+0x7f/0x110 [intel_pmc_core]
mtl_core_init+0xda/0x130 [intel_pmc_core]
? __mutex_init+0xb9/0x130
pmc_core_probe+0x27e/0x10b0 [intel_pmc_core]
? _raw_spin_lock_irqsave+0x96/0xf0
? __pfx_pmc_core_probe+0x10/0x10 [intel_pmc_core]
? __pfx_mutex_unlock+0x10/0x10
? __pfx_mutex_lock+0x10/0x10
? device_pm_check_callbacks+0x82/0x370
? acpi_dev_pm_attach+0x234/0x2b0
platform_probe+0x9f/0x150
really_probe+0x1e0/0x8a0
__driver_probe_device+0x18c/0x370
? __pfx___driver_attach+0x10/0x10
driver_probe_device+0x4a/0x120
__driver_attach+0x190/0x4a0
? __pfx___driver_attach+0x10/0x10
bus_for_each_dev+0x103/0x180
? __pfx_bus_for_each_dev+0x10/0x10
? klist_add_tail+0x136/0x270
bus_add_driver+0x2fc/0x540
driver_register+0x1a5/0x360
? __pfx_pmc_core_driver_init+0x10/0x10 [intel_pmc_core]
do_one_initcall+0xa4/0x380
? __pfx_do_one_initcall+0x10/0x10
? kasan_unpoison+0x44/0x70
do_init_module+0x296/0x800
load_module+0x5090/0x6ce0
? __pfx_load_module+0x10/0x10
? ima_post_read_file+0x193/0x200
? __pfx_ima_post_read_file+0x10/0x10
? rw_verify_area+0x152/0x4c0
? kernel_read_file+0x257/0x750
? __pfx_kernel_read_file+0x10/0x10
? __pfx_filemap_get_read_batch+0x10/0x10
? init_module_from_file+0xd1/0x130
init_module_from_file+0xd1/0x130
? __pfx_init_module_from_file+0x10/0
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50107

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50108
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too

Stuart Hayhurst has found that both at bootup and fullscreen VA-API video
is leading to black screens for around 1 second and kernel WARNING [1] traces
when calling dmub_psr_enable() with Parade 08-01 TCON.

These symptoms all go away with PSR-SU disabled for this TCON, so disable
it for now while DMUB traces [2] from the failure can be analyzed and the failure
state properly root caused.

(cherry picked from commit afb634a6823d8d9db23c5fb04f79c5549349628b)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50108

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50109
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

md/raid10: fix null ptr dereference in raid10_size()

In raid10_run() if raid10_set_queue_limits() succeed, the return value
is set to zero, and if following procedures failed raid10_run() will
return zero while mddev->private is still NULL, causing null ptr
dereference in raid10_size().

Fix the problem by only overwrite the return value if
raid10_set_queue_limits() failed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50109

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50110
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix one more kernel-infoleak in algo dumping

During fuzz testing, the following issue was discovered:

BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30
 _copy_to_iter+0x598/0x2a30
 __skb_datagram_iter+0x168/0x1060
 skb_copy_datagram_iter+0x5b/0x220
 netlink_recvmsg+0x362/0x1700
 sock_recvmsg+0x2dc/0x390
 __sys_recvfrom+0x381/0x6d0
 __x64_sys_recvfrom+0x130/0x200
 x64_sys_call+0x32c8/0x3cc0
 do_syscall_64+0xd8/0x1c0
 entry_SYSCALL_64_after_hwframe+0x79/0x81

Uninit was stored to memory at:
 copy_to_user_state_extra+0xcc1/0x1e00
 dump_one_state+0x28c/0x5f0
 xfrm_state_walk+0x548/0x11e0
 xfrm_dump_sa+0x1e0/0x840
 netlink_dump+0x943/0x1c40
 __netlink_dump_start+0x746/0xdb0
 xfrm_user_rcv_msg+0x429/0xc00
 netlink_rcv_skb+0x613/0x780
 xfrm_netlink_rcv+0x77/0xc0
 netlink_unicast+0xe90/0x1280
 netlink_sendmsg+0x126d/0x1490
 __sock_sendmsg+0x332/0x3d0
 ____sys_sendmsg+0x863/0xc30
 ___sys_sendmsg+0x285/0x3e0
 __x64_sys_sendmsg+0x2d6/0x560
 x64_sys_call+0x1316/0x3cc0
 do_syscall_64+0xd8/0x1c0
 entry_SYSCALL_64_after_hwframe+0x79/0x81

Uninit was created at:
 __kmalloc+0x571/0xd30
 attach_auth+0x106/0x3e0
 xfrm_add_sa+0x2aa0/0x4230
 xfrm_user_rcv_msg+0x832/0xc00
 netlink_rcv_skb+0x613/0x780
 xfrm_netlink_rcv+0x77/0xc0
 netlink_unicast+0xe90/0x1280
 netlink_sendmsg+0x126d/0x1490
 __sock_sendmsg+0x332/0x3d0
 ____sys_sendmsg+0x863/0xc30
 ___sys_sendmsg+0x285/0x3e0
 __x64_sys_sendmsg+0x2d6/0x560
 x64_sys_call+0x1316/0x3cc0
 do_syscall_64+0xd8/0x1c0
 entry_SYSCALL_64_after_hwframe+0x79/0x81

Bytes 328-379 of 732 are uninitialized
Memory access of size 732 starts at ffff88800e18e000
Data copied to user address 00007ff30f48aff0

CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

Fixes copying of xfrm algorithms where some random
data of the structure fields can end up in userspace.
Padding in structures may be filled with random (possibly sensitve)
data and should never be given directly to user-space.

A similar issue was resolved in the commit
8222d5910dae ("xfrm: Zero padding when dumping algos and encap")

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50110

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50111
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Enable IRQ if do_ale() triggered in irq-enabled context

Unaligned access exception can be triggered in irq-enabled context such
as user mode, in this case do_ale() may call get_user() which may cause
sleep. Then we will get:

 BUG: sleeping function called from invalid context at arch/loongarch/kernel/access-helper.h:7
 in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 129, name: modprobe
 preempt_count: 0, expected: 0
 RCU nest depth: 0, expected: 0
 CPU: 0 UID: 0 PID: 129 Comm: modprobe Tainted: G        W          6.12.0-rc1+ #1723
 Tainted: [W]=WARN
 Stack : 9000000105e0bd48 0000000000000000 9000000003803944 9000000105e08000
         9000000105e0bc70 9000000105e0bc78 0000000000000000 0000000000000000
         9000000105e0bc78 0000000000000001 9000000185e0ba07 9000000105e0b890
         ffffffffffffffff 9000000105e0bc78 73924b81763be05b 9000000100194500
         000000000000020c 000000000000000a 0000000000000000 0000000000000003
         00000000000023f0 00000000000e1401 00000000072f8000 0000007ffbb0e260
         0000000000000000 0000000000000000 9000000005437650 90000000055d5000
         0000000000000000 0000000000000003 0000007ffbb0e1f0 0000000000000000
         0000005567b00490 0000000000000000 9000000003803964 0000007ffbb0dfec
         00000000000000b0 0000000000000007 0000000000000003 0000000000071c1d
         ...
 Call Trace:
 [<9000000003803964>] show_stack+0x64/0x1a0
 [<9000000004c57464>] dump_stack_lvl+0x74/0xb0
 [<9000000003861ab4>] __might_resched+0x154/0x1a0
 [<900000000380c96c>] emulate_load_store_insn+0x6c/0xf60
 [<9000000004c58118>] do_ale+0x78/0x180
 [<9000000003801bc8>] handle_ale+0x128/0x1e0

So enable IRQ if unaligned access exception is triggered in irq-enabled
context to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50111

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50112
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/lam: Disable ADDRESS_MASKING in most cases

Linear Address Masking (LAM) has a weakness related to transient
execution as described in the SLAM paper[1]. Unless Linear Address
Space Separation (LASS) is enabled this weakness may be exploitable.

Until kernel adds support for LASS[2], only allow LAM for COMPILE_TEST,
or when speculation mitigations have been disabled at compile time,
otherwise keep LAM disabled.

There are no processors in market that support LAM yet, so currently
nobody is affected by this issue.

[1] SLAM: https://download.vusec.net/papers/slam_sp24.pdf
[2] LASS: https://lore.kernel.org/lkml/20230609183632.48706-1-alexander.shishkin@linux.intel.com/

[ dhansen: update SPECULATION_MITIGATIONS -> CPU_MITIGATIONS ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50112

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50113
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firewire: core: fix invalid port index for parent device

In a commit 24b7f8e5cd65 ("firewire: core: use helper functions for self
ID sequence"), the enumeration over self ID sequence was refactored with
some helper functions with KUnit tests. These helper functions are
guaranteed to work expectedly by the KUnit tests, however their application
includes a mistake to assign invalid value to the index of port connected
to parent device.

This bug affects the case that any extra node devices which has three or
more ports are connected to 1394 OHCI controller. In the case, the path
to update the tree cache could hits WARN_ON(), and gets general protection
fault due to the access to invalid address computed by the invalid value.

This commit fixes the bug to assign correct port index.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50113

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50114
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Unregister redistributor for failed vCPU creation

Alex reports that syzkaller has managed to trigger a use-after-free when
tearing down a VM:

  BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
  Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758

  CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317
   show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
   __dump_stack lib/dump_stack.c:93 [inline]
   dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119
   print_report+0x144/0x7a4 mm/kasan/report.c:377
   kasan_report+0xcc/0x128 mm/kasan/report.c:601
   __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
   kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
   kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409
   __fput+0x198/0x71c fs/file_table.c:422
   ____fput+0x20/0x30 fs/file_table.c:450
   task_work_run+0x1cc/0x23c kernel/task_work.c:228
   do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50
   el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169
   el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730
   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Upon closer inspection, it appears that we do not properly tear down the
MMIO registration for a vCPU that fails creation late in the game, e.g.
a vCPU w/ the same ID already exists in the VM.

It is important to consider the context of commit that introduced this bug
by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That
change correctly sought to avoid an srcu v. config_lock inversion by
breaking up the vCPU teardown into two parts, one guarded by the
config_lock.

Fix the use-after-free while avoiding lock inversion by adding a
special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe
because failed vCPUs are torn down outside of the config_lock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50114

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50115
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits
4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't
enforce 32-byte alignment of nCR3.

In the absolute worst case scenario, failure to ignore bits 4:0 can result
in an out-of-bounds read, e.g. if the target page is at the end of a
memslot, and the VMM isn't using guard pages.

Per the APM:

  The CR3 register points to the base address of the page-directory-pointer
  table. The page-directory-pointer table is aligned on a 32-byte boundary,
  with the low 5 address bits 4:0 assumed to be 0.

And the SDM's much more explicit:

  4:0    Ignored

Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow
that is broken.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50115

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50116
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix kernel bug due to missing clearing of buffer delay flag

Syzbot reported that after nilfs2 reads a corrupted file system image
and degrades to read-only, the BUG_ON check for the buffer delay flag
in submit_bh_wbc() may fail, causing a kernel bug.

This is because the buffer delay flag is not cleared when clearing the
buffer state flags to discard a page/folio or a buffer head. So, fix
this.

This became necessary when the use of nilfs2's own page clear routine
was expanded.  This state inconsistency does not occur if the buffer
is written normally by log writing.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50116

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50117
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd: Guard against bad data for ATIF ACPI method

If a BIOS provides bad data in response to an ATIF method call
this causes a NULL pointer dereference in the caller.

```
? show_regs (arch/x86/kernel/dumpstack.c:478 (discriminator 1))
? __die (arch/x86/kernel/dumpstack.c:423 arch/x86/kernel/dumpstack.c:434)
? page_fault_oops (arch/x86/mm/fault.c:544 (discriminator 2) arch/x86/mm/fault.c:705 (discriminator 2))
? do_user_addr_fault (arch/x86/mm/fault.c:440 (discriminator 1) arch/x86/mm/fault.c:1232 (discriminator 1))
? acpi_ut_update_object_reference (drivers/acpi/acpica/utdelete.c:642)
? exc_page_fault (arch/x86/mm/fault.c:1542)
? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:387 (discriminator 2)) amdgpu
? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:386 (discriminator 1)) amdgpu
```

It has been encountered on at least one system, so guard for it.

(cherry picked from commit c9b7c809b89f24e9372a4e7f02d64c950b07fdee)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50117

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50118
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: reject ro->rw reconfiguration if there are hard ro requirements

[BUG]
Syzbot reports the following crash:

  BTRFS info (device loop0 state MCS): disabling free space tree
  BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)
  BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)
  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]
  RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041
  Call Trace:
   <TASK>
   btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530
   btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312
   btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012
   btrfs_remount_rw fs/btrfs/super.c:1309 [inline]
   btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534
   btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]
   btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]
   btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115
   vfs_get_tree+0x90/0x2b0 fs/super.c:1800
   do_new_mount+0x2be/0xb40 fs/namespace.c:3472
   do_mount fs/namespace.c:3812 [inline]
   __do_sys_mount fs/namespace.c:4020 [inline]
   __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

[CAUSE]
To support mounting different subvolume with different RO/RW flags for
the new mount APIs, btrfs introduced two workaround to support this feature:

- Skip mount option/feature checks if we are mounting a different
  subvolume

- Reconfigure the fs to RW if the initial mount is RO

Combining these two, we can have the following sequence:

- Mount the fs ro,rescue=all,clear_cache,space_cache=v1
  rescue=all will mark the fs as hard read-only, so no v2 cache clearing
  will happen.

- Mount a subvolume rw of the same fs.
  We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY
  because our new fc is RW, different from the original fs.

  Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag
  first so that we can grab the existing fs_info.
  Then we reconfigure the fs to RW.

- During reconfiguration, option/features check is skipped
  This means we will restart the v2 cache clearing, and convert back to
  v1 cache.
  This will trigger fs writes, and since the original fs has "rescue=all"
  option, it skips the csum tree read.

  And eventually causing NULL pointer dereference in super block
  writeback.

[FIX]
For reconfiguration caused by different subvolume RO/RW flags, ensure we
always run btrfs_check_options() to ensure we have proper hard RO
requirements met.

In fact the function btrfs_check_options() doesn't really do many
complex checks, but hard RO requirement and some feature dependency
checks, thus there is no special reason not to do the check for mount
reconfiguration.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50118

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50119
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cifs: fix warning when destroy 'cifs_io_request_pool'

There's a issue as follows:
WARNING: CPU: 1 PID: 27826 at mm/slub.c:4698 free_large_kmalloc+0xac/0xe0
RIP: 0010:free_large_kmalloc+0xac/0xe0
Call Trace:
 <TASK>
 ? __warn+0xea/0x330
 mempool_destroy+0x13f/0x1d0
 init_cifs+0xa50/0xff0 [cifs]
 do_one_initcall+0xdc/0x550
 do_init_module+0x22d/0x6b0
 load_module+0x4e96/0x5ff0
 init_module_from_file+0xcd/0x130
 idempotent_init_module+0x330/0x620
 __x64_sys_finit_module+0xb3/0x110
 do_syscall_64+0xc1/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Obviously, 'cifs_io_request_pool' is not created by mempool_create().
So just use mempool_exit() to revert 'cifs_io_request_pool'.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50119

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50120
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb: client: Handle kstrdup failures for passwords

In smb3_reconfigure(), after duplicating ctx->password and
ctx->password2 with kstrdup(), we need to check for allocation
failures.

If ses->password allocation fails, return -ENOMEM.
If ses->password2 allocation fails, free ses->password, set it
to NULL, and return -ENOMEM.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50120

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50121
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we excute `echo 0 > /proc/fs/nfsd/threads`, the
function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will
release all resources related to the hashed `nfs4_client`. If the
`nfsd_client_shrinker` is running concurrently, the `expire_client`
function will first unhash this client and then destroy it. This can
lead to the following warning. Additionally, numerous use-after-free
errors may occur as well.

nfsd_client_shrinker         echo 0 > /proc/fs/nfsd/threads

expire_client                nfsd_shutdown_net
  unhash_client                ...
                               nfs4_state_shutdown_net
                                 /* won't wait shrinker exit */
  /*                             cancel_work(&nn->nfsd_shrinker_work)
   * nfsd_file for this          /* won't destroy unhashed client1 */
   * client1 still alive         nfs4_state_destroy_net
   */

                               nfsd_file_cache_shutdown
                                 /* trigger warning */
                                 kmem_cache_destroy(nfsd_file_slab)
                                 kmem_cache_destroy(nfsd_file_mark_slab)
  /* release nfsd_file and mark */
  __destroy_client

====================================================================
BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on
__kmem_cache_shutdown()
--------------------------------------------------------------------
CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1

 dump_stack_lvl+0x53/0x70
 slab_err+0xb0/0xf0
 __kmem_cache_shutdown+0x15c/0x310
 kmem_cache_destroy+0x66/0x160
 nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
 nfsd_destroy_serv+0x251/0x2a0 [nfsd]
 nfsd_svc+0x125/0x1e0 [nfsd]
 write_threads+0x16a/0x2a0 [nfsd]
 nfsctl_transaction_write+0x74/0xa0 [nfsd]
 vfs_write+0x1a5/0x6d0
 ksys_write+0xc1/0x160
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

====================================================================
BUG nfsd_file_mark (Tainted: G    B   W         ): Objects remaining
nfsd_file_mark on __kmem_cache_shutdown()
--------------------------------------------------------------------

 dump_stack_lvl+0x53/0x70
 slab_err+0xb0/0xf0
 __kmem_cache_shutdown+0x15c/0x310
 kmem_cache_destroy+0x66/0x160
 nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
 nfsd_destroy_serv+0x251/0x2a0 [nfsd]
 nfsd_svc+0x125/0x1e0 [nfsd]
 write_threads+0x16a/0x2a0 [nfsd]
 nfsctl_transaction_write+0x74/0xa0 [nfsd]
 vfs_write+0x1a5/0x6d0
 ksys_write+0xc1/0x160
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

To resolve this issue, cancel `nfsd_shrinker_work` using synchronous
mode in nfs4_state_shutdown_net.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50121

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50122
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

PCI: Hold rescan lock while adding devices during host probe

Since adding the PCI power control code, we may end up with a race between
the pwrctl platform device rescanning the bus and host controller probe
functions. The latter need to take the rescan lock when adding devices or
we may end up in an undefined state having two incompletely added devices
and hit the following crash when trying to remove the device over sysfs:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
  Internal error: Oops: 0000000096000004 [#1] SMP
  Call trace:
    __pi_strlen+0x14/0x150
    kernfs_find_ns+0x80/0x13c
    kernfs_remove_by_name_ns+0x54/0xf0
    sysfs_remove_bin_file+0x24/0x34
    pci_remove_resource_files+0x3c/0x84
    pci_remove_sysfs_dev_files+0x28/0x38
    pci_stop_bus_device+0x8c/0xd8
    pci_stop_bus_device+0x40/0xd8
    pci_stop_and_remove_bus_device_locked+0x28/0x48
    remove_store+0x70/0xb0
    dev_attr_store+0x20/0x38
    sysfs_kf_write+0x58/0x78
    kernfs_fop_write_iter+0xe8/0x184
    vfs_write+0x2dc/0x308
    ksys_write+0x7c/0xec
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50122

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50123
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Add the missing BPF_LINK_TYPE invocation for sockmap

There is an out-of-bounds read in bpf_link_show_fdinfo() for the sockmap
link fd. Fix it by adding the missing BPF_LINK_TYPE invocation for
sockmap link

Also add comments for bpf_link_type to prevent missing updates in the
future.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50123

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50124
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Fix UAF on iso_sock_timeout

conn->sk maybe have been unlinked/freed while waiting for iso_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
iso_sk_list.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50124

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50125
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix UAF on sco_sock_timeout

conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
sco_sk_list.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50125

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50126
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: sched: use RCU read-side critical section in taprio_dump()

Fix possible use-after-free in 'taprio_dump()' by adding RCU
read-side critical section there. Never seen on x86 but
found on a KASAN-enabled arm64 system when investigating
https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:

[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0
[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862
[T15862]
[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2
[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024
[T15862] Call trace:
[T15862]  dump_backtrace+0x20c/0x220
[T15862]  show_stack+0x2c/0x40
[T15862]  dump_stack_lvl+0xf8/0x174
[T15862]  print_report+0x170/0x4d8
[T15862]  kasan_report+0xb8/0x1d4
[T15862]  __asan_report_load4_noabort+0x20/0x2c
[T15862]  taprio_dump+0xa0c/0xbb0
[T15862]  tc_fill_qdisc+0x540/0x1020
[T15862]  qdisc_notify.isra.0+0x330/0x3a0
[T15862]  tc_modify_qdisc+0x7b8/0x1838
[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
[T15862]  netlink_rcv_skb+0x1f8/0x3d4
[T15862]  rtnetlink_rcv+0x28/0x40
[T15862]  netlink_unicast+0x51c/0x790
[T15862]  netlink_sendmsg+0x79c/0xc20
[T15862]  __sock_sendmsg+0xe0/0x1a0
[T15862]  ____sys_sendmsg+0x6c0/0x840
[T15862]  ___sys_sendmsg+0x1ac/0x1f0
[T15862]  __sys_sendmsg+0x110/0x1d0
[T15862]  __arm64_sys_sendmsg+0x74/0xb0
[T15862]  invoke_syscall+0x88/0x2e0
[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
[T15862]  do_el0_svc+0x44/0x60
[T15862]  el0_svc+0x50/0x184
[T15862]  el0t_64_sync_handler+0x120/0x12c
[T15862]  el0t_64_sync+0x190/0x194
[T15862]
[T15862] Allocated by task 15857:
[T15862]  kasan_save_stack+0x3c/0x70
[T15862]  kasan_save_track+0x20/0x3c
[T15862]  kasan_save_alloc_info+0x40/0x60
[T15862]  __kasan_kmalloc+0xd4/0xe0
[T15862]  __kmalloc_cache_noprof+0x194/0x334
[T15862]  taprio_change+0x45c/0x2fe0
[T15862]  tc_modify_qdisc+0x6a8/0x1838
[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
[T15862]  netlink_rcv_skb+0x1f8/0x3d4
[T15862]  rtnetlink_rcv+0x28/0x40
[T15862]  netlink_unicast+0x51c/0x790
[T15862]  netlink_sendmsg+0x79c/0xc20
[T15862]  __sock_sendmsg+0xe0/0x1a0
[T15862]  ____sys_sendmsg+0x6c0/0x840
[T15862]  ___sys_sendmsg+0x1ac/0x1f0
[T15862]  __sys_sendmsg+0x110/0x1d0
[T15862]  __arm64_sys_sendmsg+0x74/0xb0
[T15862]  invoke_syscall+0x88/0x2e0
[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
[T15862]  do_el0_svc+0x44/0x60
[T15862]  el0_svc+0x50/0x184
[T15862]  el0t_64_sync_handler+0x120/0x12c
[T15862]  el0t_64_sync+0x190/0x194
[T15862]
[T15862] Freed by task 6192:
[T15862]  kasan_save_stack+0x3c/0x70
[T15862]  kasan_save_track+0x20/0x3c
[T15862]  kasan_save_free_info+0x4c/0x80
[T15862]  poison_slab_object+0x110/0x160
[T15862]  __kasan_slab_free+0x3c/0x74
[T15862]  kfree+0x134/0x3c0
[T15862]  taprio_free_sched_cb+0x18c/0x220
[T15862]  rcu_core+0x920/0x1b7c
[T15862]  rcu_core_si+0x10/0x1c
[T15862]  handle_softirqs+0x2e8/0xd64
[T15862]  __do_softirq+0x14/0x20
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50126

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50127
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: sched: fix use-after-free in taprio_change()

In 'taprio_change()', 'admin' pointer may become dangling due to sched
switch / removal caused by 'advance_sched()', and critical section
protected by 'q->current_entry_lock' is too small to prevent from such
a scenario (which causes use-after-free detected by KASAN). Fix this
by prefer 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update
'admin' immediately before an attempt to schedule freeing.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50127

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50128
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: wwan: fix global oob in wwan_rtnl_policy

The variable wwan_rtnl_link_ops assign a *bigger* maxtype which leads to
a global out-of-bounds read when parsing the netlink attributes. Exactly
same bug cause as the oob fixed in commit b33fb5b801c6 ("net: qualcomm:
rmnet: fix global oob in rmnet_policy").

==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603
Read of size 1 at addr ffffffff8b09cb60 by task syz.1.66276/323862

CPU: 0 PID: 323862 Comm: syz.1.66276 Not tainted 6.1.70 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x14f/0x750 mm/kasan/report.c:395
 kasan_report+0x139/0x170 mm/kasan/report.c:495
 validate_nla lib/nlattr.c:388 [inline]
 __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603
 __nla_parse+0x3c/0x50 lib/nlattr.c:700
 nla_parse_nested_deprecated include/net/netlink.h:1269 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3514 [inline]
 rtnl_newlink+0x7bc/0x1fd0 net/core/rtnetlink.c:3623
 rtnetlink_rcv_msg+0x794/0xef0 net/core/rtnetlink.c:6122
 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508
 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
 netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352
 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874
 sock_sendmsg_nosec net/socket.c:716 [inline]
 __sock_sendmsg net/socket.c:728 [inline]
 ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499
 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553
 __sys_sendmsg net/socket.c:2582 [inline]
 __do_sys_sendmsg net/socket.c:2591 [inline]
 __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f67b19a24ad
RSP: 002b:00007f67b17febb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f67b1b45f80 RCX: 00007f67b19a24ad
RDX: 0000000000000000 RSI: 0000000020005e40 RDI: 0000000000000004
RBP: 00007f67b1a1e01d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd2513764f R14: 00007ffd251376e0 R15: 00007f67b17fed40
 </TASK>

The buggy address belongs to the variable:
 wwan_rtnl_policy+0x20/0x40

The buggy address belongs to the physical page:
page:ffffea00002c2700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb09c
flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000001000 ffffea00002c2708 ffffea00002c2708 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff8b09ca00: 05 f9 f9 f9 05 f9 f9 f9 00 01 f9 f9 00 01 f9 f9
 ffffffff8b09ca80: 00 00 00 05 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
>ffffffff8b09cb00: 00 00 00 00 05 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
                                                       ^
 ffffffff8b09cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

According to the comment of `nla_parse_nested_deprecated`, use correct size
`IFLA_WWAN_MAX` here to fix this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50128

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50129
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: pse-pd: Fix out of bound for loop

Adjust the loop limit to prevent out-of-bounds access when iterating over
PI structures. The loop should not reach the index pcdev->nr_lines since
we allocate exactly pcdev->nr_lines number of PI structures. This fix
ensures proper bounds are maintained during iterations.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50129

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50130
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: bpf: must hold reference on net namespace

BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
Read of size 8 at addr ffff8880106fe400 by task repro/72=
bpf_nf_link_release+0xda/0x1e0
bpf_link_free+0x139/0x2d0
bpf_link_release+0x68/0x80
__fput+0x414/0xb60

Eric says:
 It seems that bpf was able to defer the __nf_unregister_net_hook()
 after exit()/close() time.
 Perhaps a netns reference is missing, because the netns has been
 dismantled/freed already.
 bpf_nf_link_attach() does :
 link->net = net;
 But I do not see a reference being taken on net.

Add such a reference and release it after hook unreg.
Note that I was unable to get syzbot reproducer to work, so I
do not know if this resolves this splat.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50130

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50131
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing: Consider the NULL character when validating the event length

strlen() returns a string length excluding the null byte. If the string
length equals to the maximum buffer length, the buffer will have no
space for the NULL terminating character.

This commit checks this condition and returns failure for it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50131

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50132
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tracing/probes: Fix MAX_TRACE_ARGS limit handling

When creating a trace_probe we would set nr_args prior to truncating the
arguments to MAX_TRACE_ARGS. However, we would only initialize arguments
up to the limit.

This caused invalid memory access when attempting to set up probes with
more than 128 fetchargs.

  BUG: kernel NULL pointer dereference, address: 0000000000000020
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: Oops: 0000 [#1] PREEMPT SMP PTI
  CPU: 0 UID: 0 PID: 1769 Comm: cat Not tainted 6.11.0-rc7+ #8
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
  RIP: 0010:__set_print_fmt+0x134/0x330

Resolve the issue by applying the MAX_TRACE_ARGS limit earlier. Return
an error when there are too many arguments instead of silently
truncating.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50132

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50133
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Don't crash in stack_top() for tasks without vDSO

Not all tasks have a vDSO mapped, for example kthreads never do. If such
a task ever ends up calling stack_top(), it will derefence the NULL vdso
pointer and crash.

This can for example happen when using kunit:

	[<9000000000203874>] stack_top+0x58/0xa8
	[<90000000002956cc>] arch_pick_mmap_layout+0x164/0x220
	[<90000000003c284c>] kunit_vm_mmap_init+0x108/0x12c
	[<90000000003c1fbc>] __kunit_add_resource+0x38/0x8c
	[<90000000003c2704>] kunit_vm_mmap+0x88/0xc8
	[<9000000000410b14>] usercopy_test_init+0xbc/0x25c
	[<90000000003c1db4>] kunit_try_run_case+0x5c/0x184
	[<90000000003c3d54>] kunit_generic_run_threadfn_adapter+0x24/0x48
	[<900000000022e4bc>] kthread+0xc8/0xd4
	[<9000000000200ce8>] ret_from_kernel_thread+0xc/0xa4
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50133

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50134
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with
a real VLA to fix a "memcpy: detected field-spanning write error" warning:

[   13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4)
[   13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo]
[   13.320038] Call Trace:
[   13.320173]  hgsmi_update_pointer_shape [vboxvideo]
[   13.320184]  vbox_cursor_atomic_update [vboxvideo]

Note as mentioned in the added comment it seems the original length
calculation for the allocated and send hgsmi buffer is 4 bytes too large.
Changing this is not the goal of this patch, so this behavior is kept.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50134

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50135
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: fix race condition between reset and nvme_dev_disable()

nvme_dev_disable() modifies the dev->online_queues field, therefore
nvme_pci_update_nr_queues() should avoid racing against it, otherwise
we could end up passing invalid values to blk_mq_update_nr_hw_queues().

 WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347
          pci_irq_get_affinity+0x187/0x210
 Workqueue: nvme-reset-wq nvme_reset_work [nvme]
 RIP: 0010:pci_irq_get_affinity+0x187/0x210
 Call Trace:
  <TASK>
  ? blk_mq_pci_map_queues+0x87/0x3c0
  ? pci_irq_get_affinity+0x187/0x210
  blk_mq_pci_map_queues+0x87/0x3c0
  nvme_pci_map_queues+0x189/0x460 [nvme]
  blk_mq_update_nr_hw_queues+0x2a/0x40
  nvme_reset_work+0x1be/0x2a0 [nvme]

Fix the bug by locking the shutdown_lock mutex before using
dev->online_queues. Give up if nvme_dev_disable() is running or if
it has been executed already.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50135

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50136
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Unregister notifier on eswitch init failure

It otherwise remains registered and a subsequent attempt at eswitch
enabling might trigger warnings of the sort:

[  682.589148] ------------[ cut here ]------------
[  682.590204] notifier callback eswitch_vport_event [mlx5_core] already registered
[  682.590256] WARNING: CPU: 13 PID: 2660 at kernel/notifier.c:31 notifier_chain_register+0x3e/0x90
[...snipped]
[  682.610052] Call Trace:
[  682.610369]  <TASK>
[  682.610663]  ? __warn+0x7c/0x110
[  682.611050]  ? notifier_chain_register+0x3e/0x90
[  682.611556]  ? report_bug+0x148/0x170
[  682.611977]  ? handle_bug+0x36/0x70
[  682.612384]  ? exc_invalid_op+0x13/0x60
[  682.612817]  ? asm_exc_invalid_op+0x16/0x20
[  682.613284]  ? notifier_chain_register+0x3e/0x90
[  682.613789]  atomic_notifier_chain_register+0x25/0x40
[  682.614322]  mlx5_eswitch_enable_locked+0x1d4/0x3b0 [mlx5_core]
[  682.614965]  mlx5_eswitch_enable+0xc9/0x100 [mlx5_core]
[  682.615551]  mlx5_device_enable_sriov+0x25/0x340 [mlx5_core]
[  682.616170]  mlx5_core_sriov_configure+0x50/0x170 [mlx5_core]
[  682.616789]  sriov_numvfs_store+0xb0/0x1b0
[  682.617248]  kernfs_fop_write_iter+0x117/0x1a0
[  682.617734]  vfs_write+0x231/0x3f0
[  682.618138]  ksys_write+0x63/0xe0
[  682.618536]  do_syscall_64+0x4c/0x100
[  682.618958]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50136

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50137
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

reset: starfive: jh71x0: Fix accessing the empty member on JH7110 SoC

data->asserted will be NULL on JH7110 SoC since commit 82327b127d41
("reset: starfive: Add StarFive JH7110 reset driver") was added. Add
the judgment condition to avoid errors when calling reset_control_status
on JH7110 SoC.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50137

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50138
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Use raw_spinlock_t in ringbuf

The function __bpf_ringbuf_reserve is invoked from a tracepoint, which
disables preemption. Using spinlock_t in this context can lead to a
"sleep in atomic" warning in the RT variant. This issue is illustrated
in the example below:

BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556208, name: test_progs
preempt_count: 1, expected: 0
RCU nest depth: 1, expected: 1
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffd33a5c88ea44>] migrate_enable+0xc0/0x39c
CPU: 7 PID: 556208 Comm: test_progs Tainted: G
Hardware name: Qualcomm SA8775P Ride (DT)
Call trace:
 dump_backtrace+0xac/0x130
 show_stack+0x1c/0x30
 dump_stack_lvl+0xac/0xe8
 dump_stack+0x18/0x30
 __might_resched+0x3bc/0x4fc
 rt_spin_lock+0x8c/0x1a4
 __bpf_ringbuf_reserve+0xc4/0x254
 bpf_ringbuf_reserve_dynptr+0x5c/0xdc
 bpf_prog_ac3d15160d62622a_test_read_write+0x104/0x238
 trace_call_bpf+0x238/0x774
 perf_call_bpf_enter.isra.0+0x104/0x194
 perf_syscall_enter+0x2f8/0x510
 trace_sys_enter+0x39c/0x564
 syscall_trace_enter+0x220/0x3c0
 do_el0_svc+0x138/0x1dc
 el0_svc+0x54/0x130
 el0t_64_sync_handler+0x134/0x150
 el0t_64_sync+0x17c/0x180

Switch the spinlock to raw_spinlock_t to avoid this error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50138

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50139
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix shift-out-of-bounds bug

Fix a shift-out-of-bounds bug reported by UBSAN when running
VM with MTE enabled host kernel.

UBSAN: shift-out-of-bounds in arch/arm64/kvm/sys_regs.c:1988:14
shift exponent 33 is too large for 32-bit type 'int'
CPU: 26 UID: 0 PID: 7629 Comm: qemu-kvm Not tainted 6.12.0-rc2 #34
Hardware name: IEI NF5280R7/Mitchell MB, BIOS 00.00. 2024-10-12 09:28:54 10/14/2024
Call trace:
 dump_backtrace+0xa0/0x128
 show_stack+0x20/0x38
 dump_stack_lvl+0x74/0x90
 dump_stack+0x18/0x28
 __ubsan_handle_shift_out_of_bounds+0xf8/0x1e0
 reset_clidr+0x10c/0x1c8
 kvm_reset_sys_regs+0x50/0x1c8
 kvm_reset_vcpu+0xec/0x2b0
 __kvm_vcpu_set_target+0x84/0x158
 kvm_vcpu_set_target+0x138/0x168
 kvm_arch_vcpu_ioctl_vcpu_init+0x40/0x2b0
 kvm_arch_vcpu_ioctl+0x28c/0x4b8
 kvm_vcpu_ioctl+0x4bc/0x7a8
 __arm64_sys_ioctl+0xb4/0x100
 invoke_syscall+0x70/0x100
 el0_svc_common.constprop.0+0x48/0xf0
 do_el0_svc+0x24/0x38
 el0_svc+0x3c/0x158
 el0t_64_sync_handler+0x120/0x130
 el0t_64_sync+0x194/0x198
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50139

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50140
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sched/core: Disable page allocation in task_tick_mm_cid()

With KASAN and PREEMPT_RT enabled, calling task_work_add() in
task_tick_mm_cid() may cause the following splat.

[   63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[   63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe
[   63.696416] preempt_count: 10001, expected: 0
[   63.696416] RCU nest depth: 1, expected: 1

This problem is caused by the following call trace.

  sched_tick() [ acquire rq->__lock ]
   -> task_tick_mm_cid()
    -> task_work_add()
     -> __kasan_record_aux_stack()
      -> kasan_save_stack()
       -> stack_depot_save_flags()
        -> alloc_pages_mpol_noprof()
         -> __alloc_pages_noprof()
	  -> get_page_from_freelist()
	   -> rmqueue()
	    -> rmqueue_pcplist()
	     -> __rmqueue_pcplist()
	      -> rmqueue_bulk()
	       -> rt_spin_lock()

The rq lock is a raw_spinlock_t. We can't sleep while holding
it. IOW, we can't call alloc_pages() in stack_depot_save_flags().

The task_tick_mm_cid() function with its task_work_add() call was
introduced by commit 223baf9d17f2 ("sched: Fix performance regression
introduced by mm_cid") in v6.4 kernel.

Fortunately, there is a kasan_record_aux_stack_noalloc() variant that
calls stack_depot_save_flags() while not allowing it to allocate
new pages.  To allow task_tick_mm_cid() to use task_work without
page allocation, a new TWAF_NO_ALLOC flag is added to enable calling
kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()
if set. The task_tick_mm_cid() function is modified to add this new flag.

The possible downside is the missing stack trace in a KASAN report due
to new page allocation required when task_work_add_noallloc() is called
which should be rare.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50140

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50141
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context

PRMT needs to find the correct type of block to translate the PA-VA
mapping for EFI runtime services.

The issue arises because the PRMT is finding a block of type
EFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services
as described in Section 2.2.2 (Runtime Services) of the UEFI
Specification [1]. Since the PRM handler is a type of runtime service,
this causes an exception when the PRM handler is called.

    [Firmware Bug]: Unable to handle paging request in EFI runtime service
    WARNING: CPU: 22 PID: 4330 at drivers/firmware/efi/runtime-wrappers.c:341
        __efi_queue_work+0x11c/0x170
    Call trace:

Let PRMT find a block with EFI_MEMORY_RUNTIME for PRM handler and PRM
context.

If no suitable block is found, a warning message will be printed, but
the procedure continues to manage the next PRM handler.

However, if the PRM handler is actually called without proper allocation,
it would result in a failure during error handling.

By using the correct memory types for runtime services, ensure that the
PRM handler and the context are properly mapped in the virtual address
space during runtime, preventing the paging request error.

The issue is really that only memory that has been remapped for runtime
by the firmware can be used by the PRM handler, and so the region needs
to have the EFI_MEMORY_RUNTIME attribute.

[ rjw: Subject and changelog edits ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50141

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50142
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

xfrm: validate new SA's prefixlen using SA family when sel.family is unset

This expands the validation introduced in commit 07bf7908950a ("xfrm:
Validate address prefix lengths in the xfrm selector.")

syzbot created an SA with
    usersa.sel.family = AF_UNSPEC
    usersa.sel.prefixlen_s = 128
    usersa.family = AF_INET

Because of the AF_UNSPEC selector, verify_newsa_info doesn't put
limits on prefixlen_{s,d}. But then copy_from_user_state sets
x->sel.family to usersa.family (AF_INET). Do the same conversion in
verify_newsa_info before validating prefixlen_{s,d}, since that's how
prefixlen is going to be used later on.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50142

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50143
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

udf: fix uninit-value use in udf_get_fileshortad

Check for overflow when computing alen in udf_current_aext to mitigate
later uninit-value use in udf_get_fileshortad KMSAN bug[1].
After applying the patch reproducer did not trigger any issue[2].

[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50143

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50144
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: fix unbalanced rpm put() with fence_fini()

Currently we can call fence_fini() twice if something goes wrong when
sending the GuC CT for the tlb request, since we signal the fence and
return an error, leading to the caller also calling fini() on the error
path in the case of stack version of the flow, which leads to an extra
rpm put() which might later cause device to enter suspend when it
shouldn't. It looks like we can just drop the fini() call since the
fence signaller side will already call this for us.

There are known mysterious splats with device going to sleep even with
an rpm ref, and this could be one candidate.

v2 (Matt B):
  - Prefer warning if we detect double fini()

(cherry picked from commit cfcbc0520d5055825f0647ab922b655688605183)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50144

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50145
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx()

build_skb() returns NULL in case of a memory allocation failure so handle
it inside __octep_oq_process_rx() to avoid NULL pointer dereference.

__octep_oq_process_rx() is called during NAPI polling by the driver. If
skb allocation fails, keep on pulling packets out of the Rx DMA queue: we
shouldn't break the polling immediately and thus falsely indicate to the
octep_napi_poll() that the Rx pressure is going down. As there is no
associated skb in this case, don't process the packets and don't push them
up the network stack - they are skipped.

Helper function is implemented to unmmap/flush all the fragment buffers
used by the dropped packet. 'alloc_failures' counter is incremented to
mark the skb allocation error in driver statistics.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50145

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50146
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Don't call cleanup on profile rollback failure

When profile rollback fails in mlx5e_netdev_change_profile, the netdev
profile var is left set to NULL. Avoid a crash when unloading the driver
by not calling profile->cleanup in such a case.

This was encountered while testing, with the original trigger that
the wq rescuer thread creation got interrupted (presumably due to
Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by
mlx5e_priv_init, the profile rollback also fails for the same reason
(signal still active) so the profile is left as NULL, leading to a crash
later in _mlx5e_remove.

 [  732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2)
 [  734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
 [  734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
 [  734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12
 [  734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
 [  734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
 [  734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
 [  745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008
 [  745.538222] #PF: supervisor read access in kernel mode
<snipped>
 [  745.551290] Call Trace:
 [  745.551590]  <TASK>
 [  745.551866]  ? __die+0x20/0x60
 [  745.552218]  ? page_fault_oops+0x150/0x400
 [  745.555307]  ? exc_page_fault+0x79/0x240
 [  745.555729]  ? asm_exc_page_fault+0x22/0x30
 [  745.556166]  ? mlx5e_remove+0x6b/0xb0 [mlx5_core]
 [  745.556698]  auxiliary_bus_remove+0x18/0x30
 [  745.557134]  device_release_driver_internal+0x1df/0x240
 [  745.557654]  bus_remove_device+0xd7/0x140
 [  745.558075]  device_del+0x15b/0x3c0
 [  745.558456]  mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core]
 [  745.559112]  mlx5_unregister_device+0x34/0x50 [mlx5_core]
 [  745.559686]  mlx5_uninit_one+0x46/0xf0 [mlx5_core]
 [  745.560203]  remove_one+0x4e/0xd0 [mlx5_core]
 [  745.560694]  pci_device_remove+0x39/0xa0
 [  745.561112]  device_release_driver_internal+0x1df/0x240
 [  745.561631]  driver_detach+0x47/0x90
 [  745.562022]  bus_remove_driver+0x84/0x100
 [  745.562444]  pci_unregister_driver+0x3b/0x90
 [  745.562890]  mlx5_cleanup+0xc/0x1b [mlx5_core]
 [  745.563415]  __x64_sys_delete_module+0x14d/0x2f0
 [  745.563886]  ? kmem_cache_free+0x1b0/0x460
 [  745.564313]  ? lockdep_hardirqs_on_prepare+0xe2/0x190
 [  745.564825]  do_syscall_64+0x6d/0x140
 [  745.565223]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 [  745.565725] RIP: 0033:0x7f1579b1288b
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50146

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50147
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix command bitmask initialization

Command bitmask have a dedicated bit for MANAGE_PAGES command, this bit
isn't Initialize during command bitmask Initialization, only during
MANAGE_PAGES.

In addition, mlx5_cmd_trigger_completions() is trying to trigger
completion for MANAGE_PAGES command as well.

Hence, in case health error occurred before any MANAGE_PAGES command
have been invoke (for example, during mlx5_enable_hca()),
mlx5_cmd_trigger_completions() will try to trigger completion for
MANAGE_PAGES command, which will result in null-ptr-deref error.[1]

Fix it by Initialize command bitmask correctly.

While at it, re-write the code for better understanding.

[1]
BUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078
CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]
Call Trace:
 <TASK>
 dump_stack_lvl+0x7e/0xc0
 kasan_report+0xb9/0xf0
 kasan_check_range+0xec/0x190
 mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
 mlx5_cmd_flush+0x94/0x240 [mlx5_core]
 enter_error_state+0x6c/0xd0 [mlx5_core]
 mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core]
 process_one_work+0x787/0x1490
 ? lockdep_hardirqs_on_prepare+0x400/0x400
 ? pwq_dec_nr_in_flight+0xda0/0xda0
 ? assign_work+0x168/0x240
 worker_thread+0x586/0xd30
 ? rescuer_thread+0xae0/0xae0
 kthread+0x2df/0x3b0
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x2d/0x70
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork_asm+0x11/0x20
 </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50147

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50148
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: bnep: fix wild-memory-access in proto_unregister

There's issue as follows:
  KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]
  CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G        W
  RIP: 0010:proto_unregister+0xee/0x400
  Call Trace:
   <TASK>
   __do_sys_delete_module+0x318/0x580
   do_syscall_64+0xc1/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init()
will cleanup all resource. Then when remove bnep module will call
bnep_sock_cleanup() to cleanup sock's resource.
To solve above issue just return bnep_sock_init()'s return value in
bnep_exit().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50148

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50149
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Don't free job in TDR

Freeing job in TDR is not safe as TDR can pass the run_job thread
resulting in UAF. It is only safe for free job to naturally be called by
the scheduler. Rather free job in TDR, add to pending list.

(cherry picked from commit ea2f6a77d0c40d97f4a4dc93fee4afe15d94926d)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50149

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50150
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: typec: altmode should keep reference to parent

The altmode device release refers to its parent device, but without keeping
a reference to it.

When registering the altmode, get a reference to the parent and put it in
the release function.

Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues
like this:

[   43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)
[   43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)
[   43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)
[   43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)
[   43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)
[   43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)
[   43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)
[   46.612867] ==================================================================
[   46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129
[   46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48
[   46.614538]
[   46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535
[   46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[   46.616042] Workqueue: events kobject_delayed_cleanup
[   46.616446] Call Trace:
[   46.616648]  <TASK>
[   46.616820]  dump_stack_lvl+0x5b/0x7c
[   46.617112]  ? typec_altmode_release+0x38/0x129
[   46.617470]  print_report+0x14c/0x49e
[   46.617769]  ? rcu_read_unlock_sched+0x56/0x69
[   46.618117]  ? __virt_addr_valid+0x19a/0x1ab
[   46.618456]  ? kmem_cache_debug_flags+0xc/0x1d
[   46.618807]  ? typec_altmode_release+0x38/0x129
[   46.619161]  kasan_report+0x8d/0xb4
[   46.619447]  ? typec_altmode_release+0x38/0x129
[   46.619809]  ? process_scheduled_works+0x3cb/0x85f
[   46.620185]  typec_altmode_release+0x38/0x129
[   46.620537]  ? process_scheduled_works+0x3cb/0x85f
[   46.620907]  device_release+0xaf/0xf2
[   46.621206]  kobject_delayed_cleanup+0x13b/0x17a
[   46.621584]  process_scheduled_works+0x4f6/0x85f
[   46.621955]  ? __pfx_process_scheduled_works+0x10/0x10
[   46.622353]  ? hlock_class+0x31/0x9a
[   46.622647]  ? lock_acquired+0x361/0x3c3
[   46.622956]  ? move_linked_works+0x46/0x7d
[   46.623277]  worker_thread+0x1ce/0x291
[   46.623582]  ? __kthread_parkme+0xc8/0xdf
[   46.623900]  ? __pfx_worker_thread+0x10/0x10
[   46.624236]  kthread+0x17e/0x190
[   46.624501]  ? kthread+0xfb/0x190
[   46.624756]  ? __pfx_kthread+0x10/0x10
[   46.625015]  ret_from_fork+0x20/0x40
[   46.625268]  ? __pfx_kthread+0x10/0x10
[   46.625532]  ret_from_fork_asm+0x1a/0x30
[   46.625805]  </TASK>
[   46.625953]
[   46.626056] Allocated by task 678:
[   46.626287]  kasan_save_stack+0x24/0x44
[   46.626555]  kasan_save_track+0x14/0x2d
[   46.626811]  __kasan_kmalloc+0x3f/0x4d
[   46.627049]  __kmalloc_noprof+0x1bf/0x1f0
[   46.627362]  typec_register_port+0x23/0x491
[   46.627698]  cros_typec_probe+0x634/0xbb6
[   46.628026]  platform_probe+0x47/0x8c
[   46.628311]  really_probe+0x20a/0x47d
[   46.628605]  device_driver_attach+0x39/0x72
[   46.628940]  bind_store+0x87/0xd7
[   46.629213]  kernfs_fop_write_iter+0x1aa/0x218
[   46.629574]  vfs_write+0x1d6/0x29b
[   46.629856]  ksys_write+0xcd/0x13b
[   46.630128]  do_syscall_64+0xd4/0x139
[   46.630420]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   46.630820]
[   46.630946] Freed by task 48:
[   46.631182]  kasan_save_stack+0x24/0x44
[   46.631493]  kasan_save_track+0x14/0x2d
[   46.631799]  kasan_save_free_info+0x3f/0x4d
[   46.632144]  __kasan_slab_free+0x37/0x45
[   46.632474]
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50150

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50151
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOBs when building SMB2_IOCTL request

When using encryption, either enforced by the server or when using
'seal' mount option, the client will squash all compound request buffers
down for encryption into a single iov in smb2_set_next_command().

SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the
SMB2_IOCTL request in the first iov, and if the user passes an input
buffer that is greater than 328 bytes, smb2_set_next_command() will
end up writing off the end of @rqst->iov[0].iov_base as shown below:

  mount.cifs //srv/share /mnt -o ...,seal
  ln -s $(perl -e "print('a')for 1..1024") /mnt/link

  BUG: KASAN: slab-out-of-bounds in
  smb2_set_next_command.cold+0x1d6/0x24c [cifs]
  Write of size 4116 at addr ffff8881148fcab8 by task ln/859

  CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
  1.16.3-2.fc40 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   print_report+0x156/0x4d9
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   ? __virt_addr_valid+0x145/0x310
   ? __phys_addr+0x46/0x90
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   kasan_report+0xda/0x110
   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   kasan_check_range+0x10f/0x1f0
   __asan_memcpy+0x3c/0x60
   smb2_set_next_command.cold+0x1d6/0x24c [cifs]
   smb2_compound_op+0x238c/0x3840 [cifs]
   ? kasan_save_track+0x14/0x30
   ? kasan_save_free_info+0x3b/0x70
   ? vfs_symlink+0x1a1/0x2c0
   ? do_symlinkat+0x108/0x1c0
   ? __pfx_smb2_compound_op+0x10/0x10 [cifs]
   ? kmem_cache_free+0x118/0x3e0
   ? cifs_get_writable_path+0xeb/0x1a0 [cifs]
   smb2_get_reparse_inode+0x423/0x540 [cifs]
   ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]
   ? rcu_is_watching+0x20/0x50
   ? __kmalloc_noprof+0x37c/0x480
   ? smb2_create_reparse_symlink+0x257/0x490 [cifs]
   ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]
   smb2_create_reparse_symlink+0x38f/0x490 [cifs]
   ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]
   ? find_held_lock+0x8a/0xa0
   ? hlock_class+0x32/0xb0
   ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]
   cifs_symlink+0x24f/0x960 [cifs]
   ? __pfx_make_vfsuid+0x10/0x10
   ? __pfx_cifs_symlink+0x10/0x10 [cifs]
   ? make_vfsgid+0x6b/0xc0
   ? generic_permission+0x96/0x2d0
   vfs_symlink+0x1a1/0x2c0
   do_symlinkat+0x108/0x1c0
   ? __pfx_do_symlinkat+0x10/0x10
   ? strncpy_from_user+0xaa/0x160
   __x64_sys_symlinkat+0xb9/0xf0
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7f08d75c13bb
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50151

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50152
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix possible double free in smb2_set_ea()

Clang static checker(scan-build) warning：
fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.
 1304 |         kfree(ea);
      |         ^~~~~~~~~

There is a double free in such case:
'ea is initialized to NULL' -> 'first successful memory allocation for
ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea'
-> 'goto replay_again' -> 'second goto sea_exit before allocate memory
for ea' -> 'second memory release for ea resulted in double free'.

Re-initialie 'ea' to NULL near to the replay_again label, it can fix this
double free problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50152

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50153
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: target: core: Fix null-ptr-deref in target_alloc_device()

There is a null-ptr-deref issue reported by KASAN:

BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]
...
 kasan_report+0xb9/0xf0
 target_alloc_device+0xbc4/0xbe0 [target_core_mod]
 core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]
 target_core_init_configfs+0x205/0x420 [target_core_mod]
 do_one_initcall+0xdd/0x4e0
...
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

In target_alloc_device(), if allocing memory for dev queues fails, then
dev will be freed by dev->transport->free_device(), but dev->transport
is not initialized at that time, which will lead to a null pointer
reference problem.

Fixing this bug by freeing dev with hba->backend->ops->free_device().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50153

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50154
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().

  """
  We are seeing a use-after-free from a bpf prog attached to
  trace_tcp_retransmit_synack. The program passes the req->sk to the
  bpf_sk_storage_get_tracing kernel helper which does check for null
  before using it.
  """

The commit 83fccfc3940c ("inet: fix potential deadlock in
reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not
to call del_timer_sync() from reqsk_timer_handler(), but it introduced a
small race window.

Before the timer is called, expire_timers() calls detach_timer(timer, true)
to clear timer->entry.pprev and marks it as not pending.

If reqsk_queue_unlink() checks timer_pending() just after expire_timers()
calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will
continue running and send multiple SYN+ACKs until it expires.

The reported UAF could happen if req->sk is close()d earlier than the timer
expiration, which is 63s by default.

The scenario would be

  1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),
     but del_timer_sync() is missed

  2. reqsk timer is executed and scheduled again

  3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but
     reqsk timer still has another one, and inet_csk_accept() does not
     clear req->sk for non-TFO sockets

  4. sk is close()d

  5. reqsk timer is executed again, and BPF touches req->sk

Let's not use timer_pending() by passing the caller context to
__inet_csk_reqsk_queue_drop().

Note that reqsk timer is pinned, so the issue does not happen in most
use cases. [1]

[0]
BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0

Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
bpf_sk_storage_get_tracing+0x2e/0x1b0
bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
bpf_trace_run2+0x4c/0xc0
tcp_rtx_synack+0xf9/0x100
reqsk_timer_handler+0xda/0x3d0
run_timer_softirq+0x292/0x8a0
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
intel_idle_irq+0x5a/0xa0
cpuidle_enter_state+0x94/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb

kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6

allocated by task 0 on cpu 9 at 260507.901592s:
sk_prot_alloc+0x35/0x140
sk_clone_lock+0x1f/0x3f0
inet_csk_clone_lock+0x15/0x160
tcp_create_openreq_child+0x1f/0x410
tcp_v6_syn_recv_sock+0x1da/0x700
tcp_check_req+0x1fb/0x510
tcp_v6_rcv+0x98b/0x1420
ipv6_list_rcv+0x2258/0x26e0
napi_complete_done+0x5b1/0x2990
mlx5e_napi_poll+0x2ae/0x8d0
net_rx_action+0x13e/0x590
irq_exit_rcu+0xf5/0x320
common_interrupt+0x80/0x90
asm_common_interrupt+0x22/0x40
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb

freed by task 0 on cpu 9 at 260507.927527s:
rcu_core_si+0x4ff/0xf10
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50154

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50155
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netdevsim: use cond_resched() in nsim_dev_trap_report_work()

I am still seeing many syzbot reports hinting that syzbot
might fool nsim_dev_trap_report_work() with hundreds of ports [1]

Lets use cond_resched(), and system_unbound_wq
instead of implicit system_wq.

[1]
INFO: task syz-executor:20633 blocked for more than 143 seconds.
      Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:25856 pid:20633 tgid:20633 ppid:1      flags:0x00004006
...
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events nsim_dev_trap_report_work
 RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210
Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0
RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246
RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00
RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577
R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000
R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <TASK>
  __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
  spin_unlock_bh include/linux/spinlock.h:396 [inline]
  nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
  nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850
  process_one_work kernel/workqueue.c:3229 [inline]
  process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
  worker_thread+0x870/0xd30 kernel/workqueue.c:3391
  kthread+0x2f0/0x390 kernel/kthread.c:389
  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50155

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50156
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/msm: Avoid NULL dereference in msm_disp_state_print_regs()

If the allocation in msm_disp_state_dump_regs() failed then
`block->state` can be NULL. The msm_disp_state_print_regs() function
_does_ have code to try to handle it with:

  if (*reg)
    dump_addr = *reg;

...but since "dump_addr" is initialized to NULL the above is actually
a noop. The code then goes on to dereference `dump_addr`.

Make the function print "Registers not stored" when it sees a NULL to
solve this. Since we're touching the code, fix
msm_disp_state_print_regs() not to pointlessly take a double-pointer
and properly mark the pointer as `const`.

Patchwork: https://patchwork.freedesktop.org/patch/619657/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50156

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50158
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix out of bound check

Driver exports pacing stats only on GenP5 and P7 adapters. But while
parsing the pacing stats, driver has a check for "rdev->dbr_pacing".  This
caused a trace when KASAN is enabled.

BUG: KASAN: slab-out-of-bounds in bnxt_re_get_hw_stats+0x2b6a/0x2e00 [bnxt_re]
Write of size 8 at addr ffff8885942a6340 by task modprobe/4809
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50158

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50159
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup()

Clang static checker(scan-build) throws below warning：
  |  drivers/firmware/arm_scmi/driver.c:line 2915, column 2
  |        Attempt to free released memory.

When devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup()
will run twice which causes double free of 'dbg->name'.

Remove the redundant scmi_debugfs_common_cleanup() to fix this problem.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50159

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50160
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: hda/cs8409: Fix possible NULL dereference

If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then
NULL pointer dereference will occur in the next line.

Since dolphin_fixups function is a hda_fixup function which is not supposed
to return any errors, add simple check before dereference, ignore the fail.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50160

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50161
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Check the remaining info_cnt before repeating btf fields

When trying to repeat the btf fields for array of nested struct, it
doesn't check the remaining info_cnt. The following splat will be
reported when the value of ret * nelems is greater than BTF_FIELDS_MAX:

  ------------[ cut here ]------------
  UBSAN: array-index-out-of-bounds in ../kernel/bpf/btf.c:3951:49
  index 11 is out of range for type 'btf_field_info [11]'
  CPU: 6 UID: 0 PID: 411 Comm: test_progs ...... 6.11.0-rc4+ #1
  Tainted: [O]=OOT_MODULE
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
  Call Trace:
   <TASK>
   dump_stack_lvl+0x57/0x70
   dump_stack+0x10/0x20
   ubsan_epilogue+0x9/0x40
   __ubsan_handle_out_of_bounds+0x6f/0x80
   ? kallsyms_lookup_name+0x48/0xb0
   btf_parse_fields+0x992/0xce0
   map_create+0x591/0x770
   __sys_bpf+0x229/0x2410
   __x64_sys_bpf+0x1f/0x30
   x64_sys_call+0x199/0x9f0
   do_syscall_64+0x3b/0xc0
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x7fea56f2cc5d
  ......
   </TASK>
  ---[ end trace ]---

Fix it by checking the remaining info_cnt in btf_repeat_fields() before
repeating the btf fields.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50161

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50162
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: devmap: provide rxq after redirect

rxq contains a pointer to the device from where
the redirect happened. Currently, the BPF program
that was executed after a redirect via BPF_MAP_TYPE_DEVMAP*
does not have it set.

This is particularly bad since accessing ingress_ifindex, e.g.

SEC("xdp")
int prog(struct xdp_md *pkt)
{
        return bpf_redirect_map(&dev_redirect_map, 0, 0);
}

SEC("xdp/devmap")
int prog_after_redirect(struct xdp_md *pkt)
{
        bpf_printk("ifindex %i", pkt->ingress_ifindex);
        return XDP_PASS;
}

depends on access to rxq, so a NULL pointer gets dereferenced:

<1>[  574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000
<1>[  574.475188] #PF: supervisor read access in kernel mode
<1>[  574.475194] #PF: error_code(0x0000) - not-present page
<6>[  574.475199] PGD 0 P4D 0
<4>[  574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
<4>[  574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23
<4>[  574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023
<4>[  574.475231] Workqueue: mld mld_ifc_work
<4>[  574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
<4>[  574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b
<4>[  574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206
<4>[  574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000
<4>[  574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0
<4>[  574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001
<4>[  574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000
<4>[  574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000
<4>[  574.475289] FS:  0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000
<4>[  574.475294] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[  574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0
<4>[  574.475303] PKRU: 55555554
<4>[  574.475306] Call Trace:
<4>[  574.475313]  <IRQ>
<4>[  574.475318]  ? __die+0x23/0x70
<4>[  574.475329]  ? page_fault_oops+0x180/0x4c0
<4>[  574.475339]  ? skb_pp_cow_data+0x34c/0x490
<4>[  574.475346]  ? kmem_cache_free+0x257/0x280
<4>[  574.475357]  ? exc_page_fault+0x67/0x150
<4>[  574.475368]  ? asm_exc_page_fault+0x26/0x30
<4>[  574.475381]  ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
<4>[  574.475386]  bq_xmit_all+0x158/0x420
<4>[  574.475397]  __dev_flush+0x30/0x90
<4>[  574.475407]  veth_poll+0x216/0x250 [veth]
<4>[  574.475421]  __napi_poll+0x28/0x1c0
<4>[  574.475430]  net_rx_action+0x32d/0x3a0
<4>[  574.475441]  handle_softirqs+0xcb/0x2c0
<4>[  574.475451]  do_softirq+0x40/0x60
<4>[  574.475458]  </IRQ>
<4>[  574.475461]  <TASK>
<4>[  574.475464]  __local_bh_enable_ip+0x66/0x70
<4>[  574.475471]  __dev_queue_xmit+0x268/0xe40
<4>[  574.475480]  ? selinux_ip_postroute+0x213/0x420
<4>[  574.475491]  ? alloc_skb_with_frags+0x4a/0x1d0
<4>[  574.475502]  ip6_finish_output2+0x2be/0x640
<4>[  574.475512]  ? nf_hook_slow+0x42/0xf0
<4>[  574.475521]  ip6_finish_output+0x194/0x300
<4>[  574.475529]  ? __pfx_ip6_finish_output+0x10/0x10
<4>[  574.475538]  mld_sendpack+0x17c/0x240
<4>[  574.475548]  mld_ifc_work+0x192/0x410
<4>[  574.475557]  process_one_work+0x15d/0x380
<4>[  574.475566]  worker_thread+0x29d/0x3a0
<4>[  574.475573]  ? __pfx_worker_thread+0x10/0x10
<4>[  574.475580]  ? __pfx_worker_thread+0x10/0x10
<4>[  574.475587]  kthread+0xcd/0x100
<4>[  574.475597]  ? __pfx_kthread+0x10/0x10
<4>[  574.475606]  ret_from_fork+0x31/0x50
<4>[  574.475615]  ? __pfx_kthread+0x10/0x10
<4>[  574.475623]  ret_from_fork_asm+0x1a/0x
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50162

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50163
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Make sure internal and UAPI bpf_redirect flags don't overlap

The bpf_redirect_info is shared between the SKB and XDP redirect paths,
and the two paths use the same numeric flag values in the ri->flags
field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
subsequently, an XDP redirect is performed using the same
bpf_redirect_info struct, the XDP path will get confused and end up
crashing, which syzbot managed to trigger.

With the stack-allocated bpf_redirect_info, the structure is no longer
shared between the SKB and XDP paths, so the crash doesn't happen
anymore. However, different code paths using identically-numbered flag
values in the same struct field still seems like a bit of a mess, so
this patch cleans that up by moving the flag definitions together and
redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
sure the overlap is not re-introduced by mistake.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50163

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50164
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix overloading of MEM_UNINIT's meaning

Lonial reported an issue in the BPF verifier where check_mem_size_reg()
has the following code:

    if (!tnum_is_const(reg->var_off))
        /* For unprivileged variable accesses, disable raw
         * mode so that the program is required to
         * initialize all the memory that the helper could
         * just partially fill up.
         */
         meta = NULL;

This means that writes are not checked when the register containing the
size of the passed buffer has not a fixed size. Through this bug, a BPF
program can write to a map which is marked as read-only, for example,
.rodata global maps.

The problem is that MEM_UNINIT's initial meaning that "the passed buffer
to the BPF helper does not need to be initialized" which was added back
in commit 435faee1aae9 ("bpf, verifier: add ARG_PTR_TO_RAW_STACK type")
got overloaded over time with "the passed buffer is being written to".

The problem however is that checks such as the above which were added later
via 06c1c049721a ("bpf: allow helpers access to variable memory") set meta
to NULL in order force the user to always initialize the passed buffer to
the helper. Due to the current double meaning of MEM_UNINIT, this bypasses
verifier write checks to the memory (not boundary checks though) and only
assumes the latter memory is read instead.

Fix this by reverting MEM_UNINIT back to its original meaning, and having
MEM_WRITE as an annotation to BPF helpers in order to then trigger the
BPF verifier checks for writing to memory.

Some notes: check_arg_pair_ok() ensures that for ARG_CONST_SIZE{,_OR_ZERO}
we can access fn->arg_type[arg - 1] since it must contain a preceding
ARG_PTR_TO_MEM. For check_mem_reg() the meta argument can be removed
altogether since we do check both BPF_READ and BPF_WRITE. Same for the
equivalent check_kfunc_mem_size_reg().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50164

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50165
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Preserve param->string when parsing mount options

In bpf_parse_param(), keep the value of param->string intact so it can
be freed later. Otherwise, the kmalloc area pointed to by param->string
will be leaked as shown below:

unreferenced object 0xffff888118c46d20 (size 8):
  comm "new_name", pid 12109, jiffies 4295580214
  hex dump (first 8 bytes):
    61 6e 79 00 38 c9 5c 7e                          any.8.\~
  backtrace (crc e1b7f876):
    [<00000000c6848ac7>] kmemleak_alloc+0x4b/0x80
    [<00000000de9f7d00>] __kmalloc_node_track_caller_noprof+0x36e/0x4a0
    [<000000003e29b886>] memdup_user+0x32/0xa0
    [<0000000007248326>] strndup_user+0x46/0x60
    [<0000000035b3dd29>] __x64_sys_fsconfig+0x368/0x3d0
    [<0000000018657927>] x64_sys_call+0xff/0x9f0
    [<00000000c0cabc95>] do_syscall_64+0x3b/0xc0
    [<000000002f331597>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50165

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50166
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fsl/fman: Fix refcount handling of fman-related devices

In mac_probe() there are multiple calls to of_find_device_by_node(),
fman_bind() and fman_port_bind() which takes references to of_dev->dev.
Not all references taken by these calls are released later on error path
in mac_probe() and in mac_remove() which lead to reference leaks.

Add references release.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50166

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50167
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

be2net: fix potential memory leak in be_xmit()

The be_xmit() returns NETDEV_TX_OK without freeing skb
in case of be_xmit_enqueue() fails, add dev_kfree_skb_any() to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50167

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50168
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sun3_82586: fix potential memory leak in sun3_82586_send_packet()

The sun3_82586_send_packet() returns NETDEV_TX_OK without freeing skb
in case of skb->len being too long, add dev_kfree_skb() to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50168

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50169
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vsock: Update rx_bytes on read_skb()

Make sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt()
calls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn't lie) after
vsock_transport::read_skb().

While here, also inform the peer that we've freed up space and it has more
credit.

Failing to update rx_bytes after packet is dequeued leads to a warning on
SOCK_STREAM recv():

[  233.396654] rx_queue is empty, but rx_bytes is non-zero
[  233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50169

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50170
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: bcmasp: fix potential memory leak in bcmasp_xmit()

The bcmasp_xmit() returns NETDEV_TX_OK without freeing skb
in case of mapping fails, add dev_kfree_skb() to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50170

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50171
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: systemport: fix potential memory leak in bcm_sysport_xmit()

The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb
in case of dma_map_single() fails, add dev_kfree_skb() to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50171

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50172
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix a possible memory leak

In bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails
driver is not freeing the memory allocated for "rdev->chip_ctx".
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50172

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50173
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Fix access to uninitialized variable in tick_ctx_cleanup()

The group variable can't be used to retrieve ptdev in our second loop,
because it points to the previously iterated list_head, not a valid
group. Get the ptdev object from the scheduler instead.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50173

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50174
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Fix race when converting group handle to group object

XArray provides it's own internal lock which protects the internal array
when entries are being simultaneously added and removed. However there
is still a race between retrieving the pointer from the XArray and
incrementing the reference count.

To avoid this race simply hold the internal XArray lock when
incrementing the reference count, this ensures there cannot be a racing
call to xa_erase().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50174

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50175
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: qcom: camss: Remove use_count guard in stop_streaming

The use_count check was introduced so that multiple concurrent Raw Data
Interfaces RDIs could be driven by different virtual channels VCs on the
CSIPHY input driving the video pipeline.

This is an invalid use of use_count though as use_count pertains to the
number of times a video entity has been opened by user-space not the number
of active streams.

If use_count and stream-on count don't agree then stop_streaming() will
break as is currently the case and has become apparent when using CAMSS
with libcamera's released softisp 0.3.

The use of use_count like this is a bit hacky and right now breaks regular
usage of CAMSS for a single stream case. Stopping qcam results in the splat
below, and then it cannot be started again and any attempts to do so fails
with -EBUSY.

[ 1265.509831] WARNING: CPU: 5 PID: 919 at drivers/media/common/videobuf2/videobuf2-core.c:2183 __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common]
...
[ 1265.510630] Call trace:
[ 1265.510636]  __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common]
[ 1265.510648]  vb2_core_streamoff+0x24/0xcc [videobuf2_common]
[ 1265.510660]  vb2_ioctl_streamoff+0x5c/0xa8 [videobuf2_v4l2]
[ 1265.510673]  v4l_streamoff+0x24/0x30 [videodev]
[ 1265.510707]  __video_do_ioctl+0x190/0x3f4 [videodev]
[ 1265.510732]  video_usercopy+0x304/0x8c4 [videodev]
[ 1265.510757]  video_ioctl2+0x18/0x34 [videodev]
[ 1265.510782]  v4l2_ioctl+0x40/0x60 [videodev]
...
[ 1265.510944] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 0 in active state
[ 1265.511175] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 1 in active state
[ 1265.511398] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 2 in active st

One CAMSS specific way to handle multiple VCs on the same RDI might be:

- Reference count each pipeline enable for CSIPHY, CSID, VFE and RDIx.
- The video buffers are already associated with msm_vfeN_rdiX so
  release video buffers when told to do so by stop_streaming.
- Only release the power-domains for the CSIPHY, CSID and VFE when
  their internal refcounts drop.

Either way refusing to release video buffers based on use_count is
erroneous and should be reverted. The silicon enabling code for selecting
VCs is perfectly fine. Its a "known missing feature" that concurrent VCs
won't work with CAMSS right now.

Initial testing with this code didn't show an error but, SoftISP and "real"
usage with Google Hangouts breaks the upstream code pretty quickly, we need
to do a partial revert and take another pass at VCs.

This commit partially reverts commit 89013969e232 ("media: camss: sm8250:
Pipeline starting and stopping for multiple virtual channels")
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50175

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50176
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

remoteproc: k3-r5: Fix error handling when power-up failed

By simply bailing out, the driver was violating its rule and internal
assumptions that either both or no rproc should be initialized. E.g.,
this could cause the first core to be available but not the second one,
leading to crashes on its shutdown later on while trying to dereference
that second instance.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50176

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50178
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cpufreq: loongson3: Use raw_smp_processor_id() in do_service_request()

Use raw_smp_processor_id() instead of plain smp_processor_id() in
do_service_request(), otherwise we may get some errors with the driver
enabled:

 BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/208
 caller is loongson3_cpufreq_probe+0x5c/0x250 [loongson3_cpufreq]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50178

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50179
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ceph: remove the incorrect Fw reference check when dirtying pages

When doing the direct-io reads it will also try to mark pages dirty,
but for the read path it won't hold the Fw caps and there is case
will it get the Fw reference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50179

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50180
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fbdev: sisfb: Fix strbuf array overflow

The values of the variables xres and yres are placed in strbuf.
These variables are obtained from strbuf1.
The strbuf1 array contains digit characters
and a space if the array contains non-digit characters.
Then, when executing sprintf(strbuf, "%ux%ux8", xres, yres);
more than 16 bytes will be written to strbuf.
It is suggested to increase the size of the strbuf array to 24.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50180

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50181
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D

For i.MX7D DRAM related mux clock, the clock source change should ONLY
be done done in low level asm code without accessing DRAM, and then
calling clk API to sync the HW clock status with clk tree, it should never
touch real clock source switch via clk API, so CLK_SET_PARENT_GATE flag
should NOT be added, otherwise, DRAM's clock parent will be disabled when
DRAM is active, and system will hang.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50181

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50182
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

secretmem: disable memfd_secret() if arch cannot set direct map

Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map().  This
is the case for example on some arm64 configurations, where marking 4k
PTEs in the direct map not present can only be done if the direct map is
set up at 4k granularity in the first place (as ARM's break-before-make
semantics do not easily allow breaking apart large/gigantic pages).

More precisely, on arm64 systems with !can_set_direct_map(),
set_direct_map_invalid_noflush() is a no-op, however it returns success
(0) instead of an error.  This means that memfd_secret will seemingly
"work" (e.g.  syscall succeeds, you can mmap the fd and fault in pages),
but it does not actually achieve its goal of removing its memory from the
direct map.

Note that with this patch, memfd_secret() will start erroring on systems
where can_set_direct_map() returns false (arm64 with
CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and
CONFIG_KFENCE=n), but that still seems better than the current silent
failure.  Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most
arm64 systems actually have a working memfd_secret() and aren't be
affected.

From going through the iterations of the original memfd_secret patch
series, it seems that disabling the syscall in these scenarios was the
intended behavior [1] (preferred over having
set_direct_map_invalid_noflush return an error as that would result in
SIGBUSes at page-fault time), however the check for it got dropped between
v16 [2] and v17 [3], when secretmem moved away from CMA allocations.

[1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/
[2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t
[3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50182

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50187
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/vc4: Stop the active perfmon before being destroyed

Upon closing the file descriptor, the active performance monitor is not
stopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`,
the active performance monitor's pointer (`vc4->active_perfmon`) is still
retained.

If we open a new file descriptor and submit a few jobs with performance
monitors, the driver will attempt to stop the active performance monitor
using the stale pointer in `vc4->active_perfmon`. However, this pointer
is no longer valid because the previous process has already terminated,
and all performance monitors associated with it have been destroyed and
freed.

To fix this, when the active performance monitor belongs to a given
process, explicitly stop it before destroying and freeing it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50187

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50188
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: phy: dp83869: fix memory corruption when enabling fiber

When configuring the fiber port, the DP83869 PHY driver incorrectly
calls linkmode_set_bit() with a bit mask (1 << 10) rather than a bit
number (10). This corrupts some other memory location -- in case of
arm64 the priv pointer in the same structure.

Since the advertising flags are updated from supported at the end of the
function the incorrect line isn't needed at all and can be removed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50188

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50189
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: amd_sfh: Switch to device-managed dmam_alloc_coherent()

Using the device-managed version allows to simplify clean-up in probe()
error path.

Additionally, this device-managed ensures proper cleanup, which helps to
resolve memory errors, page faults, btrfs going read-only, and btrfs
disk corruption.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50189

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50192
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v4: Don't allow a VMOVP on a dying VPE

Kunkun Jiang reported that there is a small window of opportunity for
userspace to force a change of affinity for a VPE while the VPE has already
been unmapped, but the corresponding doorbell interrupt still visible in
/proc/irq/.

Plug the race by checking the value of vmapp_count, which tracks whether
the VPE is mapped ot not, and returning an error in this case.

This involves making vmapp_count common to both GICv4.1 and its v4.0
ancestor.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50192

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50193
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

x86/entry_32: Clear CPU buffers after register restore in NMI return

CPU buffers are currently cleared after call to exc_nmi, but before
register state is restored. This may be okay for MDS mitigation but not for
RDFS. Because RDFS mitigation requires CPU buffers to be cleared when
registers don't have any sensitive data.

Move CLEAR_CPU_BUFFERS after RESTORE_ALL_NMI.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50193

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50194
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

arm64: probes: Fix uprobes for big-endian kernels

The arm64 uprobes code is broken for big-endian kernels as it doesn't
convert the in-memory instruction encoding (which is always
little-endian) into the kernel's native endianness before analyzing and
simulating instructions. This may result in a few distinct problems:

* The kernel may may erroneously reject probing an instruction which can
  safely be probed.

* The kernel may erroneously erroneously permit stepping an
  instruction out-of-line when that instruction cannot be stepped
  out-of-line safely.

* The kernel may erroneously simulate instruction incorrectly dur to
  interpretting the byte-swapped encoding.

The endianness mismatch isn't caught by the compiler or sparse because:

* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so
  the compiler and sparse have no idea these contain a little-endian
  32-bit value. The core uprobes code populates these with a memcpy()
  which similarly does not handle endianness.

* While the uprobe_opcode_t type is an alias for __le32, both
  arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[]
  to the similarly-named probe_opcode_t, which is an alias for u32.
  Hence there is no endianness conversion warning.

Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and
adding the appropriate __le32_to_cpu() conversions prior to consuming
the instruction encoding. The core uprobes copies these fields as opaque
ranges of bytes, and so is unaffected by this change.

At the same time, remove MAX_UINSN_BYTES and consistently use
AARCH64_INSN_SIZE for clarity.

Tested with the following:

| #include <stdio.h>
| #include <stdbool.h>
|
| #define noinline __attribute__((noinline))
|
| static noinline void *adrp_self(void)
| {
|         void *addr;
|
|         asm volatile(
|         "       adrp    %x0, adrp_self\n"
|         "       add     %x0, %x0, :lo12:adrp_self\n"
|         : "=r" (addr));
| }
|
|
| int main(int argc, char *argv)
| {
|         void *ptr = adrp_self();
|         bool equal = (ptr == adrp_self);
|
|         printf("adrp_self   => %p\n"
|                "adrp_self() => %p\n"
|                "%s\n",
|                adrp_self, ptr, equal ? "EQUAL" : "NOT EQUAL");
|
|         return 0;
| }

.... where the adrp_self() function was compiled to:

| 00000000004007e0 <adrp_self>:
|   4007e0:       90000000        adrp    x0, 400000 <__ehdr_start>
|   4007e4:       911f8000        add     x0, x0, #0x7e0
|   4007e8:       d65f03c0        ret

Before this patch, the ADRP is not recognized, and is assumed to be
steppable, resulting in corruption of the result:

| # ./adrp-self
| adrp_self   => 0x4007e0
| adrp_self() => 0x4007e0
| EQUAL
| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
| # echo 1 > /sys/kernel/tracing/events/uprobes/enable
| # ./adrp-self
| adrp_self   => 0x4007e0
| adrp_self() => 0xffffffffff7e0
| NOT EQUAL

After this patch, the ADRP is correctly recognized and simulated:

| # ./adrp-self
| adrp_self   => 0x4007e0
| adrp_self() => 0x4007e0
| EQUAL
| #
| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
| # echo 1 > /sys/kernel/tracing/events/uprobes/enable
| # ./adrp-self
| adrp_self   => 0x4007e0
| adrp_self() => 0x4007e0
| EQUAL
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50194

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50195
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

posix-clock: Fix missing timespec64 check in pc_clock_settime()

As Andrew pointed out, it will make sense that the PTP core
checked timespec64 struct's tv_sec and tv_nsec range before calling
ptp->info->settime64().

As the man manual of clock_settime() said, if tp.tv_sec is negative or
tp.tv_nsec is outside the range [0..999,999,999], it should return EINVAL,
which include dynamic clocks which handles PTP clock, and the condition is
consistent with timespec64_valid(). As Thomas suggested, timespec64_valid()
only check the timespec is valid, but not ensure that the time is
in a valid range, so check it ahead using timespec64_valid_strict()
in pc_clock_settime() and return -EINVAL if not valid.

There are some drivers that use tp->tv_sec and tp->tv_nsec directly to
write registers without validity checks and assume that the higher layer
has checked it, which is dangerous and will benefit from this, such as
hclge_ptp_settime(), igb_ptp_settime_i210(), _rcar_gen4_ptp_settime(),
and some drivers can remove the checks of itself.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50195

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50196
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pinctrl: ocelot: fix system hang on level based interrupts

The current implementation only calls chained_irq_enter() and
chained_irq_exit() if it detects pending interrupts.

```
for (i = 0; i < info->stride; i++) {
	uregmap_read(info->map, id_reg + 4 * i, &reg);
	if (!reg)
		continue;

	chained_irq_enter(parent_chip, desc);
```

However, in case of GPIO pin configured in level mode and the parent
controller configured in edge mode, GPIO interrupt might be lowered by the
hardware. In the result, if the interrupt is short enough, the parent
interrupt is still pending while the GPIO interrupt is cleared;
chained_irq_enter() never gets called and the system hangs trying to
service the parent interrupt.

Moving chained_irq_enter() and chained_irq_exit() outside the for loop
ensures that they are called even when GPIO interrupt is lowered by the
hardware.

The similar code with chained_irq_enter() / chained_irq_exit() functions
wrapping interrupt checking loop may be found in many other drivers:
```
grep -r -A 10 chained_irq_enter drivers/pinctrl
```
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50196

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50197
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

pinctrl: intel: platform: fix error path in device_for_each_child_node()

The device_for_each_child_node() loop requires calls to
fwnode_handle_put() upon early returns to decrement the refcount of
the child node and avoid leaking memory if that error path is triggered.

There is one early returns within that loop in
intel_platform_pinctrl_prepare_community(), but fwnode_handle_put() is
missing.

Instead of adding the missing call, the scoped version of the loop can
be used to simplify the code and avoid mistakes in the future if new
early returns are added, as the child node is only used for parsing, and
it is never assigned.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50197

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50198
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: light: veml6030: fix IIO device retrieval from embedded device

The dev pointer that is received as an argument in the
in_illuminance_period_available_show function references the device
embedded in the IIO device, not in the i2c client.

dev_to_iio_dev() must be used to accessthe right data. The current
implementation leads to a segmentation fault on every attempt to read
the attribute because indio_dev gets a NULL assignment.

This bug has been present since the first appearance of the driver,
apparently since the last version (V6) before getting applied. A
constant attribute was used until then, and the last modifications might
have not been tested again.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50198

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50201
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: Fix encoder->possible_clones

Include the encoder itself in its possible_clones bitmask.
In the past nothing validated that drivers were populating
possible_clones correctly, but that changed in commit
74d2aacbe840 ("drm: Validate encoder->possible_clones").
Looks like radeon never got the memo and is still not
following the rules 100% correctly.

This results in some warnings during driver initialization:
Bogus possible_clones: [ENCODER:46:TV-46] possible_clones=0x4 (full encoder mask=0x7)
WARNING: CPU: 0 PID: 170 at drivers/gpu/drm/drm_mode_config.c:615 drm_mode_config_validate+0x113/0x39c
...

(cherry picked from commit 3b6e7d40649c0d75572039aff9d0911864c689db)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50201

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50202
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: propagate directory read errors from nilfs_find_entry()

Syzbot reported that a task hang occurs in vcs_open() during a fuzzing
test for nilfs2.

The root cause of this problem is that in nilfs_find_entry(), which
searches for directory entries, ignores errors when loading a directory
page/folio via nilfs_get_folio() fails.

If the filesystem images is corrupted, and the i_size of the directory
inode is large, and the directory page/folio is successfully read but
fails the sanity check, for example when it is zero-filled,
nilfs_check_folio() may continue to spit out error messages in bursts.

Fix this issue by propagating the error to the callers when loading a
page/folio fails in nilfs_find_entry().

The current interface of nilfs_find_entry() and its callers is outdated
and cannot propagate error codes such as -EIO and -ENOMEM returned via
nilfs_find_entry(), so fix it together.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50202

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50203
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix address emission with tag-based KASAN enabled

When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
struct on the stack is passed during the size calculation pass and
an address on the heap is passed during code generation. This may
cause a heap buffer overflow if the heap address is tagged because
emit_a64_mov_i64() will emit longer code than it did during the size
calculation pass. The same problem could occur without tag-based
KASAN if one of the 16-bit words of the stack address happened to
be all-ones during the size calculation pass. Fix the problem by
assuming the worst case (4 instructions) when calculating the size
of the bpf_tramp_image address emission.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50203

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50204
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs: don't try and remove empty rbtree node

When copying a namespace we won't have added the new copy into the
namespace rbtree until after the copy succeeded. Calling free_mnt_ns()
will try to remove the copy from the rbtree which is invalid. Simply
free the namespace skeleton directly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50204

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50205
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()

The step variable is initialized to zero. It is changed in the loop,
but if it's not changed it will remain zero. Add a variable check
before the division.

The observed behavior was introduced by commit 826b5de90c0b
("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size"),
and it is difficult to show that any of the interval parameters will
satisfy the snd_interval_test() condition with data from the
amdtp_rate_table[] table.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50205

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50206
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_eth_soc: fix memory corruption during fq dma init

The loop responsible for allocating up to MTK_FQ_DMA_LENGTH buffers must
only touch as many descriptors, otherwise it ends up corrupting unrelated
memory. Fix the loop iteration count accordingly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50206

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50207
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Fix reader locking when changing the sub buffer order

The function ring_buffer_subbuf_order_set() updates each
ring_buffer_per_cpu and installs new sub buffers that match the requested
page order. This operation may be invoked concurrently with readers that
rely on some of the modified data, such as the head bit (RB_PAGE_HEAD), or
the ring_buffer_per_cpu.pages and reader_page pointers. However, no
exclusive access is acquired by ring_buffer_subbuf_order_set(). Modifying
the mentioned data while a reader also operates on them can then result in
incorrect memory access and various crashes.

Fix the problem by taking the reader_lock when updating a specific
ring_buffer_per_cpu in ring_buffer_subbuf_order_set().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50207

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50208
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages

Avoid memory corruption while setting up Level-2 PBL pages for the non MR
resources when num_pages > 256K.

There will be a single PDE page address (contiguous pages in the case of >
PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid
memory access after 256K PBL entries in the PDE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50208

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50209
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Add a check for memory allocation

__alloc_pbl() can return error when memory allocation fails.
Driver is not checking the status on one of the instances.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50209

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50210
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()

If get_clock_desc() succeeds, it calls fget() for the clockid's fd,
and get the clk->rwsem read lock, so the error path should release
the lock to make the lock balance and fput the clockid's fd to make
the refcount balance and release the fd related resource.

However the below commit left the error path locked behind resulting in
unbalanced locking. Check timespec64_valid_strict() before
get_clock_desc() to fix it, because the "ts" is not changed
after that.

[pabeni@redhat.com: fixed commit message typo]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50210

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50211
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

udf: refactor inode_bmap() to handle error

Refactor inode_bmap() to handle error since udf_next_aext() can return
error now. On situations like ftruncate, udf_extend_file() can now
detect errors and bail out early without resorting to checking for
particular offsets and assuming internal behavior of these functions.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50211

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50213
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/tests: hdmi: Fix memory leaks in drm_display_mode_from_cea_vic()

modprobe drm_hdmi_state_helper_test and then rmmod it, the following
memory leak occurs.

The `mode` allocated in drm_mode_duplicate() called by
drm_display_mode_from_cea_vic() is not freed, which cause the memory leak:

	unreferenced object 0xffffff80ccd18100 (size 128):
	  comm "kunit_try_catch", pid 1851, jiffies 4295059695
	  hex dump (first 32 bytes):
	    57 62 00 00 80 02 90 02 f0 02 20 03 00 00 e0 01  Wb........ .....
	    ea 01 ec 01 0d 02 00 00 0a 00 00 00 00 00 00 00  ................
	  backtrace (crc c2f1aa95):
	    [<000000000f10b11b>] kmemleak_alloc+0x34/0x40
	    [<000000001cd4cf73>] __kmalloc_cache_noprof+0x26c/0x2f4
	    [<00000000f1f3cffa>] drm_mode_duplicate+0x44/0x19c
	    [<000000008cbeef13>] drm_display_mode_from_cea_vic+0x88/0x98
	    [<0000000019daaacf>] 0xffffffedc11ae69c
	    [<000000000aad0f85>] kunit_try_run_case+0x13c/0x3ac
	    [<00000000a9210bac>] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [<000000000a0b2e9e>] kthread+0x2e8/0x374
	    [<00000000bd668858>] ret_from_fork+0x10/0x20
	......

Free `mode` by using drm_kunit_display_mode_from_cea_vic()
to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50213

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50214
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/connector: hdmi: Fix memory leak in drm_display_mode_from_cea_vic()

modprobe drm_connector_test and then rmmod drm_connector_test,
the following memory leak occurs.

The `mode` allocated in drm_mode_duplicate() called by
drm_display_mode_from_cea_vic() is not freed, which cause the memory leak:

	unreferenced object 0xffffff80cb0ee400 (size 128):
	  comm "kunit_try_catch", pid 1948, jiffies 4294950339
	  hex dump (first 32 bytes):
	    14 44 02 00 80 07 d8 07 04 08 98 08 00 00 38 04  .D............8.
	    3c 04 41 04 65 04 00 00 05 00 00 00 00 00 00 00  <.A.e...........
	  backtrace (crc 90e9585c):
	    [<00000000ec42e3d7>] kmemleak_alloc+0x34/0x40
	    [<00000000d0ef055a>] __kmalloc_cache_noprof+0x26c/0x2f4
	    [<00000000c2062161>] drm_mode_duplicate+0x44/0x19c
	    [<00000000f96c74aa>] drm_display_mode_from_cea_vic+0x88/0x98
	    [<00000000d8f2c8b4>] 0xffffffdc982a4868
	    [<000000005d164dbc>] kunit_try_run_case+0x13c/0x3ac
	    [<000000006fb23398>] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [<000000006ea56ca0>] kthread+0x2e8/0x374
	    [<000000000676063f>] ret_from_fork+0x10/0x20
	......

Free `mode` by using drm_kunit_display_mode_from_cea_vic()
to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50214

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50215
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nvmet-auth: assign dh_key to NULL after kfree_sensitive

ctrl->dh_key might be used across multiple calls to nvmet_setup_dhgroup()
for the same controller. So it's better to nullify it after release on
error path in order to avoid double free later in nvmet_destroy_auth().

Found by Linux Verification Center (linuxtesting.org) with Svace.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50215

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50217
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()

Mounting btrfs from two images (which have the same one fsid and two
different dev_uuids) in certain executing order may trigger an UAF for
variable 'device->bdev_file' in __btrfs_free_extra_devids(). And
following are the details:

1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs
   devices by ioctl(BTRFS_IOC_SCAN_DEV):

             /  btrfs_device_1 → loop0
   fs_device
             \  btrfs_device_2 → loop1
2. mount /dev/loop0 /mnt
   btrfs_open_devices
    btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0)
    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
   btrfs_fill_super
    open_ctree
     fail: btrfs_close_devices // -ENOMEM
	    btrfs_close_bdev(btrfs_device_1)
             fput(btrfs_device_1->bdev_file)
	      // btrfs_device_1->bdev_file is freed
	    btrfs_close_bdev(btrfs_device_2)
             fput(btrfs_device_2->bdev_file)

3. mount /dev/loop1 /mnt
   btrfs_open_devices
    btrfs_get_bdev_and_sb(&bdev_file)
     // EIO, btrfs_device_1->bdev_file is not assigned,
     // which points to a freed memory area
    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
   btrfs_fill_super
    open_ctree
     btrfs_free_extra_devids
      if (btrfs_device_1->bdev_file)
       fput(btrfs_device_1->bdev_file) // UAF !

Fix it by setting 'device->bdev_file' as 'NULL' after closing the
btrfs_device in btrfs_close_one_device().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50217

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50221
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: Vangogh: Fix kernel memory out of bounds write

KASAN reports that the GPU metrics table allocated in
vangogh_tables_init() is not large enough for the memset done in
smu_cmn_init_soft_gpu_metrics(). Condensed report follows:

[   33.861314] BUG: KASAN: slab-out-of-bounds in smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu]
[   33.861799] Write of size 168 at addr ffff888129f59500 by task mangoapp/1067
...
[   33.861808] CPU: 6 UID: 1000 PID: 1067 Comm: mangoapp Tainted: G        W          6.12.0-rc4 #356 1a56f59a8b5182eeaf67eb7cb8b13594dd23b544
[   33.861816] Tainted: [W]=WARN
[   33.861818] Hardware name: Valve Galileo/Galileo, BIOS F7G0107 12/01/2023
[   33.861822] Call Trace:
[   33.861826]  <TASK>
[   33.861829]  dump_stack_lvl+0x66/0x90
[   33.861838]  print_report+0xce/0x620
[   33.861853]  kasan_report+0xda/0x110
[   33.862794]  kasan_check_range+0xfd/0x1a0
[   33.862799]  __asan_memset+0x23/0x40
[   33.862803]  smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]
[   33.863306]  vangogh_get_gpu_metrics_v2_4+0x123/0xad0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]
[   33.864257]  vangogh_common_get_gpu_metrics+0xb0c/0xbc0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]
[   33.865682]  amdgpu_dpm_get_gpu_metrics+0xcc/0x110 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]
[   33.866160]  amdgpu_get_gpu_metrics+0x154/0x2d0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]
[   33.867135]  dev_attr_show+0x43/0xc0
[   33.867147]  sysfs_kf_seq_show+0x1f1/0x3b0
[   33.867155]  seq_read_iter+0x3f8/0x1140
[   33.867173]  vfs_read+0x76c/0xc50
[   33.867198]  ksys_read+0xfb/0x1d0
[   33.867214]  do_syscall_64+0x90/0x160
...
[   33.867353] Allocated by task 378 on cpu 7 at 22.794876s:
[   33.867358]  kasan_save_stack+0x33/0x50
[   33.867364]  kasan_save_track+0x17/0x60
[   33.867367]  __kasan_kmalloc+0x87/0x90
[   33.867371]  vangogh_init_smc_tables+0x3f9/0x840 [amdgpu]
[   33.867835]  smu_sw_init+0xa32/0x1850 [amdgpu]
[   33.868299]  amdgpu_device_init+0x467b/0x8d90 [amdgpu]
[   33.868733]  amdgpu_driver_load_kms+0x19/0xf0 [amdgpu]
[   33.869167]  amdgpu_pci_probe+0x2d6/0xcd0 [amdgpu]
[   33.869608]  local_pci_probe+0xda/0x180
[   33.869614]  pci_device_probe+0x43f/0x6b0

Empirically we can confirm that the former allocates 152 bytes for the
table, while the latter memsets the 168 large block.

Root cause appears that when GPU metrics tables for v2_4 parts were added
it was not considered to enlarge the table to fit.

The fix in this patch is rather "brute force" and perhaps later should be
done in a smarter way, by extracting and consolidating the part version to
size logic to a common helper, instead of brute forcing the largest
possible allocation. Nevertheless, for now this works and fixes the out of
bounds write.

v2:
 * Drop impossible v3_0 case. (Mario)

(cherry picked from commit 0880f58f9609f0200483a49429af0f050d281703)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50221

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50222
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP

generic/077 on x86_32 CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP=y with highmem,
on huge=always tmpfs, issues a warning and then hangs (interruptibly):

WARNING: CPU: 5 PID: 3517 at mm/highmem.c:622 kunmap_local_indexed+0x62/0xc9
CPU: 5 UID: 0 PID: 3517 Comm: cp Not tainted 6.12.0-rc4 #2
...
copy_page_from_iter_atomic+0xa6/0x5ec
generic_perform_write+0xf6/0x1b4
shmem_file_write_iter+0x54/0x67

Fix copy_page_from_iter_atomic() by limiting it in that case
(include/linux/skbuff.h skb_frag_must_loop() does similar).

But going forward, perhaps CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP is too
surprising, has outlived its usefulness, and should just be removed?
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50222

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50223
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sched/numa: Fix the potential null pointer dereference in task_numa_work()

When running stress-ng-vm-segv test, we found a null pointer dereference
error in task_numa_work(). Here is the backtrace:

  [323676.066985] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
  ......
  [323676.067108] CPU: 35 PID: 2694524 Comm: stress-ng-vm-se
  ......
  [323676.067113] pstate: 23401009 (nzCv daif +PAN -UAO +TCO +DIT +SSBS BTYPE=--)
  [323676.067115] pc : vma_migratable+0x1c/0xd0
  [323676.067122] lr : task_numa_work+0x1ec/0x4e0
  [323676.067127] sp : ffff8000ada73d20
  [323676.067128] x29: ffff8000ada73d20 x28: 0000000000000000 x27: 000000003e89f010
  [323676.067130] x26: 0000000000080000 x25: ffff800081b5c0d8 x24: ffff800081b27000
  [323676.067133] x23: 0000000000010000 x22: 0000000104d18cc0 x21: ffff0009f7158000
  [323676.067135] x20: 0000000000000000 x19: 0000000000000000 x18: ffff8000ada73db8
  [323676.067138] x17: 0001400000000000 x16: ffff800080df40b0 x15: 0000000000000035
  [323676.067140] x14: ffff8000ada73cc8 x13: 1fffe0017cc72001 x12: ffff8000ada73cc8
  [323676.067142] x11: ffff80008001160c x10: ffff000be639000c x9 : ffff8000800f4ba4
  [323676.067145] x8 : ffff000810375000 x7 : ffff8000ada73974 x6 : 0000000000000001
  [323676.067147] x5 : 0068000b33e26707 x4 : 0000000000000001 x3 : ffff0009f7158000
  [323676.067149] x2 : 0000000000000041 x1 : 0000000000004400 x0 : 0000000000000000
  [323676.067152] Call trace:
  [323676.067153]  vma_migratable+0x1c/0xd0
  [323676.067155]  task_numa_work+0x1ec/0x4e0
  [323676.067157]  task_work_run+0x78/0xd8
  [323676.067161]  do_notify_resume+0x1ec/0x290
  [323676.067163]  el0_svc+0x150/0x160
  [323676.067167]  el0t_64_sync_handler+0xf8/0x128
  [323676.067170]  el0t_64_sync+0x17c/0x180
  [323676.067173] Code: d2888001 910003fd f9000bf3 aa0003f3 (f9401000)
  [323676.067177] SMP: stopping secondary CPUs
  [323676.070184] Starting crashdump kernel...

stress-ng-vm-segv in stress-ng is used to stress test the SIGSEGV error
handling function of the system, which tries to cause a SIGSEGV error on
return from unmapping the whole address space of the child process.

Normally this program will not cause kernel crashes. But before the
munmap system call returns to user mode, a potential task_numa_work()
for numa balancing could be added and executed. In this scenario, since the
child process has no vma after munmap, the vma_next() in task_numa_work()
will return a null pointer even if the vma iterator restarts from 0.

Recheck the vma pointer before dereferencing it in task_numa_work().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50223

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50224
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

spi: spi-fsl-dspi: Fix crash when not using GPIO chip select

Add check for the return value of spi_get_csgpiod() to avoid passing a NULL
pointer to gpiod_direction_output(), preventing a crash when GPIO chip
select is not used.

Fix below crash:
[    4.251960] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[    4.260762] Mem abort info:
[    4.263556]   ESR = 0x0000000096000004
[    4.267308]   EC = 0x25: DABT (current EL), IL = 32 bits
[    4.272624]   SET = 0, FnV = 0
[    4.275681]   EA = 0, S1PTW = 0
[    4.278822]   FSC = 0x04: level 0 translation fault
[    4.283704] Data abort info:
[    4.286583]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[    4.292074]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[    4.297130]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    4.302445] [0000000000000000] user address but active_mm is swapper
[    4.308805] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[    4.315072] Modules linked in:
[    4.318124] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc4-next-20241023-00008-ga20ec42c5fc1 #359
[    4.328130] Hardware name: LS1046A QDS Board (DT)
[    4.332832] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    4.339794] pc : gpiod_direction_output+0x34/0x5c
[    4.344505] lr : gpiod_direction_output+0x18/0x5c
[    4.349208] sp : ffff80008003b8f0
[    4.352517] x29: ffff80008003b8f0 x28: 0000000000000000 x27: ffffc96bcc7e9068
[    4.359659] x26: ffffc96bcc6e00b0 x25: ffffc96bcc598398 x24: ffff447400132810
[    4.366800] x23: 0000000000000000 x22: 0000000011e1a300 x21: 0000000000020002
[    4.373940] x20: 0000000000000000 x19: 0000000000000000 x18: ffffffffffffffff
[    4.381081] x17: ffff44740016e600 x16: 0000000500000003 x15: 0000000000000007
[    4.388221] x14: 0000000000989680 x13: 0000000000020000 x12: 000000000000001e
[    4.395362] x11: 0044b82fa09b5a53 x10: 0000000000000019 x9 : 0000000000000008
[    4.402502] x8 : 0000000000000002 x7 : 0000000000000007 x6 : 0000000000000000
[    4.409641] x5 : 0000000000000200 x4 : 0000000002000000 x3 : 0000000000000000
[    4.416781] x2 : 0000000000022202 x1 : 0000000000000000 x0 : 0000000000000000
[    4.423921] Call trace:
[    4.426362]  gpiod_direction_output+0x34/0x5c (P)
[    4.431067]  gpiod_direction_output+0x18/0x5c (L)
[    4.435771]  dspi_setup+0x220/0x334
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50224

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50225
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix error propagation of split bios

The purpose of btrfs_bbio_propagate_error() shall be propagating an error
of split bio to its original btrfs_bio, and tell the error to the upper
layer. However, it's not working well on some cases.

* Case 1. Immediate (or quick) end_bio with an error

When btrfs sends btrfs_bio to mirrored devices, btrfs calls
btrfs_bio_end_io() when all the mirroring bios are completed. If that
btrfs_bio was split, it is from btrfs_clone_bioset and its end_io function
is btrfs_orig_write_end_io. For this case, btrfs_bbio_propagate_error()
accesses the orig_bbio's bio context to increase the error count.

That works well in most cases. However, if the end_io is called enough
fast, orig_bbio's (remaining part after split) bio context may not be
properly set at that time. Since the bio context is set when the orig_bbio
(the last btrfs_bio) is sent to devices, that might be too late for earlier
split btrfs_bio's completion.  That will result in NULL pointer
dereference.

That bug is easily reproducible by running btrfs/146 on zoned devices [1]
and it shows the following trace.

[1] You need raid-stripe-tree feature as it create "-d raid0 -m raid1" FS.

  BUG: kernel NULL pointer dereference, address: 0000000000000020
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: Oops: 0000 [#1] PREEMPT SMP PTI
  CPU: 1 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.11.0-rc7-BTRFS-ZNS+ #474
  Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  Workqueue: writeback wb_workfn (flush-btrfs-5)
  RIP: 0010:btrfs_bio_end_io+0xae/0xc0 [btrfs]
  BTRFS error (device dm-0): bdev /dev/mapper/error-test errs: wr 2, rd 0, flush 0, corrupt 0, gen 0
  RSP: 0018:ffffc9000006f248 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: ffff888005a7f080 RCX: ffffc9000006f1dc
  RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff888005a7f080
  RBP: ffff888011dfc540 R08: 0000000000000000 R09: 0000000000000001
  R10: ffffffff82e508e0 R11: 0000000000000005 R12: ffff88800ddfbe58
  R13: ffff888005a7f080 R14: ffff888005a7f158 R15: ffff888005a7f158
  FS:  0000000000000000(0000) GS:ffff88803ea80000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000020 CR3: 0000000002e22006 CR4: 0000000000370ef0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   <TASK>
   ? __die_body.cold+0x19/0x26
   ? page_fault_oops+0x13e/0x2b0
   ? _printk+0x58/0x73
   ? do_user_addr_fault+0x5f/0x750
   ? exc_page_fault+0x76/0x240
   ? asm_exc_page_fault+0x22/0x30
   ? btrfs_bio_end_io+0xae/0xc0 [btrfs]
   ? btrfs_log_dev_io_error+0x7f/0x90 [btrfs]
   btrfs_orig_write_end_io+0x51/0x90 [btrfs]
   dm_submit_bio+0x5c2/0xa50 [dm_mod]
   ? find_held_lock+0x2b/0x80
   ? blk_try_enter_queue+0x90/0x1e0
   __submit_bio+0xe0/0x130
   ? ktime_get+0x10a/0x160
   ? lockdep_hardirqs_on+0x74/0x100
   submit_bio_noacct_nocheck+0x199/0x410
   btrfs_submit_bio+0x7d/0x150 [btrfs]
   btrfs_submit_chunk+0x1a1/0x6d0 [btrfs]
   ? lockdep_hardirqs_on+0x74/0x100
   ? __folio_start_writeback+0x10/0x2c0
   btrfs_submit_bbio+0x1c/0x40 [btrfs]
   submit_one_bio+0x44/0x60 [btrfs]
   submit_extent_folio+0x13f/0x330 [btrfs]
   ? btrfs_set_range_writeback+0xa3/0xd0 [btrfs]
   extent_writepage_io+0x18b/0x360 [btrfs]
   extent_write_locked_range+0x17c/0x340 [btrfs]
   ? __pfx_end_bbio_data_write+0x10/0x10 [btrfs]
   run_delalloc_cow+0x71/0xd0 [btrfs]
   btrfs_run_delalloc_range+0x176/0x500 [btrfs]
   ? find_lock_delalloc_range+0x119/0x260 [btrfs]
   writepage_delalloc+0x2ab/0x480 [btrfs]
   extent_write_cache_pages+0x236/0x7d0 [btrfs]
   btrfs_writepages+0x72/0x130 [btrfs]
   do_writepages+0xd4/0x240
   ? find_held_lock+0x2b/0x80
   ? wbc_attach_and_unlock_inode+0x12c/0x290
   ? wbc_attach_and_unlock_inode+0x12c/0x29
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50225

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50226
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix use-after-free, permit out-of-order decoder shutdown

In support of investigating an initialization failure report [1],
cxl_test was updated to register mock memory-devices after the mock
root-port/bus device had been registered. That led to cxl_test crashing
with a use-after-free bug with the following signature:

    cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1
    cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1
    cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 0
1)  cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[1] = cxl_switch_dport.4 for mem4:decoder14.0 @ 1
    [..]
    cxld_unregister: cxl decoder14.0:
    cxl_region_decode_reset: cxl_region region3:
    mock_decoder_reset: cxl_port port3: decoder3.0 reset
2)  mock_decoder_reset: cxl_port port3: decoder3.0: out of order reset, expected decoder3.1
    cxl_endpoint_decoder_release: cxl decoder14.0:
    [..]
    cxld_unregister: cxl decoder7.0:
3)  cxl_region_decode_reset: cxl_region region3:
    Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI
    [..]
    RIP: 0010:to_cxl_port+0x8/0x60 [cxl_core]
    [..]
    Call Trace:
     <TASK>
     cxl_region_decode_reset+0x69/0x190 [cxl_core]
     cxl_region_detach+0xe8/0x210 [cxl_core]
     cxl_decoder_kill_region+0x27/0x40 [cxl_core]
     cxld_unregister+0x5d/0x60 [cxl_core]

At 1) a region has been established with 2 endpoint decoders (7.0 and
14.0). Those endpoints share a common switch-decoder in the topology
(3.0). At teardown, 2), decoder14.0 is the first to be removed and hits
the "out of order reset case" in the switch decoder. The effect though
is that region3 cleanup is aborted leaving it in-tact and
referencing decoder14.0. At 3) the second attempt to teardown region3
trips over the stale decoder14.0 object which has long since been
deleted.

The fix here is to recognize that the CXL specification places no
mandate on in-order shutdown of switch-decoders, the driver enforces
in-order allocation, and hardware enforces in-order commit. So, rather
than fail and leave objects dangling, always remove them.

In support of making cxl_region_decode_reset() always succeed,
cxl_region_invalidate_memregion() failures are turned into warnings.
Crashing the kernel is ok there since system integrity is at risk if
caches cannot be managed around physical address mutation events like
CXL region destruction.

A new device_for_each_child_reverse_from() is added to cleanup
port->commit_end after all dependent decoders have been disabled. In
other words if decoders are allocated 0->1->2 and disabled 1->2->0 then
port->commit_end only decrements from 2 after 2 has been disabled, and
it decrements all the way to zero since 1 was disabled previously.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50226

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50227
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan()

KASAN reported following issue:

 BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt]
 Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11
 CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G     U             6.11.0+ #1387
 Tainted: [U]=USER
 Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]
 Call Trace:
  <TASK>
  dump_stack_lvl+0x6c/0x90
  print_report+0xd1/0x630
  kasan_report+0xdb/0x110
  __asan_report_load4_noabort+0x14/0x20
  tb_retimer_scan+0xffe/0x1550 [thunderbolt]
  tb_scan_port+0xa6f/0x2060 [thunderbolt]
  tb_handle_hotplug+0x17b1/0x3080 [thunderbolt]
  process_one_work+0x626/0x1100
  worker_thread+0x6c8/0xfa0
  kthread+0x2c8/0x3a0
  ret_from_fork+0x3a/0x80
  ret_from_fork_asm+0x1a/0x30

This happens because the loop variable still gets incremented by one so
max becomes 3 instead of 2, and this makes the second loop read past the
the array declared on the stack.

Fix this by assigning to max directly in the loop body.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50227

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50229
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential deadlock with newly created symlinks

Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers
memory reclamation involving the filesystem layer, which can result in
circular lock dependencies among the reader/writer semaphore
nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the
fs_reclaim pseudo lock.

This is because after commit 21fc61c73c39 ("don't put symlink bodies in
pagecache into highmem"), the gfp flags of the page cache for symbolic
links are overwritten to GFP_KERNEL via inode_nohighmem().

This is not a problem for symlinks read from the backing device, because
the __GFP_FS flag is dropped after inode_nohighmem() is called.  However,
when a new symlink is created with nilfs_symlink(), the gfp flags remain
overwritten to GFP_KERNEL.  Then, memory allocation called from
page_symlink() etc.  triggers memory reclamation including the FS layer,
which may call nilfs_evict_inode() or nilfs_dirty_inode().  And these can
cause a deadlock if they are called while nilfs->ns_segctor_sem is held:

Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags
of newly created symlinks in the same way that nilfs_new_inode() and
__nilfs_read_inode() do, as a workaround until we adopt nofs allocation
scope consistently or improve the locking constraints.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50229

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50230
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix kernel bug due to missing clearing of checked flag

Syzbot reported that in directory operations after nilfs2 detects
filesystem corruption and degrades to read-only,
__block_write_begin_int(), which is called to prepare block writes, may
fail the BUG_ON check for accesses exceeding the folio/page size,
triggering a kernel bug.

This was found to be because the "checked" flag of a page/folio was not
cleared when it was discarded by nilfs2's own routine, which causes the
sanity check of directory entries to be skipped when the directory
page/folio is reloaded.  So, fix that.

This was necessary when the use of nilfs2's own page discard routine was
applied to more than just metadata files.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50230

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50231
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table()

modprobe iio-test-gts and rmmod it, then the following memory leak
occurs:

	unreferenced object 0xffffff80c810be00 (size 64):
	  comm "kunit_try_catch", pid 1654, jiffies 4294913981
	  hex dump (first 32 bytes):
	    02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00  ........ ...@...
	    80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00  ................
	  backtrace (crc a63d875e):
	    [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
	    [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
	    [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
	    [<0000000071bb4b09>] 0xffffffdf052a62e0
	    [<000000000315bc18>] 0xffffffdf052a6488
	    [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
	    [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [<00000000f505065d>] kthread+0x2e8/0x374
	    [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
	unreferenced object 0xffffff80cbfe9e70 (size 16):
	  comm "kunit_try_catch", pid 1658, jiffies 4294914015
	  hex dump (first 16 bytes):
	    10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00  ....@...........
	  backtrace (crc 857f0cb4):
	    [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
	    [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
	    [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
	    [<0000000071bb4b09>] 0xffffffdf052a62e0
	    [<000000007d089d45>] 0xffffffdf052a6864
	    [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
	    [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [<00000000f505065d>] kthread+0x2e8/0x374
	    [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
	......

It includes 5*5 times "size 64" memory leaks, which correspond to 5 times
test_init_iio_gain_scale() calls with gts_test_gains size 10 (10*size(int))
and gts_test_itimes size 5. It also includes 5*1 times "size 16"
memory leak, which correspond to one time __test_init_iio_gain_scale()
call with gts_test_gains_gain_low size 3 (3*size(int)) and gts_test_itimes
size 5.

The reason is that the per_time_gains[i] is not freed which is allocated in
the "gts->num_itime" for loop in iio_gts_build_avail_scale_table().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50231

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50232
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr()

In the ad7124_write_raw() function, parameter val can potentially
be zero. This may lead to a division by zero when DIV_ROUND_CLOSEST()
is called within ad7124_set_channel_odr(). The ad7124_write_raw()
function is invoked through the sequence: iio_write_channel_raw() ->
iio_write_channel_attribute() -> iio_channel_write(), with no checks
in place to ensure val is non-zero.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50232

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50233
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()

In the ad9832_write_frequency() function, clk_get_rate() might return 0.
This can lead to a division by zero when calling ad9832_calc_freqreg().
The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect
against the case when fout is 0. The ad9832_write_frequency() function
is called from ad9832_write(), and fout is derived from a text buffer,
which can contain any value.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50233

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50234
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlegacy: Clear stale interrupts before resuming device

iwl4965 fails upon resume from hibernation on my laptop. The reason
seems to be a stale interrupt which isn't being cleared out before
interrupts are enabled. We end up with a race beween the resume
trying to bring things back up, and the restart work (queued form
the interrupt handler) trying to bring things down. Eventually
the whole thing blows up.

Fix the problem by clearing out any stale interrupts before
interrupts get enabled during resume.

Here's a debug log of the indicent:
[   12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000
[   12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000
[   12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio.
[   12.042653] iwl4965 0000:10:00.0: On demand firmware reload
[   12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282
[   12.052207] ieee80211 phy0: il4965_mac_start enter
[   12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff
[   12.052244] ieee80211 phy0: il4965_set_hw_ready hardware  ready
[   12.052324] ieee80211 phy0: il_apm_init Init card's basic functions
[   12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S
[   12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm
[   12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm
[   12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK
[   12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations
[   12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up
[   12.058737] ieee80211 phy0: il4965_mac_start Start UP work done.
[   12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down
[   12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout
[   12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort
[   12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver
[   12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared
[   12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state
[   12.058827] ieee80211 phy0: _il_apm_stop_master stop master
[   12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear.
[   12.058869] ieee80211 phy0: Hardware restart was requested
[   16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms.
[   16.132303] ------------[ cut here ]------------
[   16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.
[   16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211]
[   16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev
[   16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143
[   16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010
[   16.132463] Workqueue: async async_run_entry_fn
[   16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211]
[   16.132501] Code: da 02 00 0
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50234

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50235
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: clear wdev->cqm_config pointer on free

When we free wdev->cqm_config when unregistering, we also
need to clear out the pointer since the same wdev/netdev
may get re-registered in another network namespace, then
destroyed later, running this code again, which results in
a double-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50235

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50236
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: Fix memory leak in management tx

In the current logic, memory is allocated for storing the MSDU context
during management packet TX but this memory is not being freed during
management TX completion. Similar leaks are seen in the management TX
cleanup logic.

Kmemleak reports this problem as below,

unreferenced object 0xffffff80b64ed250 (size 16):
  comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s)
  hex dump (first 16 bytes):
    00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00  .+.......t......
  backtrace:
    [<ffffffe6e7b245dc>] __kmem_cache_alloc_node+0x1e4/0x2d8
    [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110
    [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]
    [<ffffffe6bbd3eed4>] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]
    [<ffffffe6e78d5974>] process_scheduled_works+0x1ac/0x400
    [<ffffffe6e78d60b8>] worker_thread+0x208/0x328
    [<ffffffe6e78dc890>] kthread+0x100/0x1c0
    [<ffffffe6e78166c0>] ret_from_fork+0x10/0x20

Free the memory during completion and cleanup to fix the leak.

Protect the mgmt_pending_tx idr_remove() operation in
ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to
other instances.

Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50236

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50237
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower

Avoid potentially crashing in the driver because of uninitialized private data
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50237

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50238
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

phy: qcom: qmp-usbc: fix NULL-deref on runtime suspend

Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation")
removed most users of the platform device driver data from the
qcom-qmp-usb driver, but mistakenly also removed the initialisation
despite the data still being used in the runtime PM callbacks. This bug
was later reproduced when the driver was copied to create the qmp-usbc
driver.

Restore the driver data initialisation at probe to avoid a NULL-pointer
dereference on runtime suspend.

Apparently no one uses runtime PM, which currently needs to be enabled
manually through sysfs, with these drivers.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50238

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50239
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend

Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation")
removed most users of the platform device driver data from the
qcom-qmp-usb driver, but mistakenly also removed the initialisation
despite the data still being used in the runtime PM callbacks. This bug
was later reproduced when the driver was copied to create the
qmp-usb-legacy driver.

Restore the driver data initialisation at probe to avoid a NULL-pointer
dereference on runtime suspend.

Apparently no one uses runtime PM, which currently needs to be enabled
manually through sysfs, with these drivers.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50239

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50240
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

phy: qcom: qmp-usb: fix NULL-deref on runtime suspend

Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation")
removed most users of the platform device driver data, but mistakenly
also removed the initialisation despite the data still being used in the
runtime PM callbacks.

Restore the driver data initialisation at probe to avoid a NULL-pointer
dereference on runtime suspend.

Apparently no one uses runtime PM, which currently needs to be enabled
manually through sysfs, with this driver.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50240

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50241
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFSD: Initialize struct nfsd4_copy earlier

Ensure the refcount and async_copies fields are initialized early.
cleanup_async_copy() will reference these fields if an error occurs
in nfsd4_copy(). If they are not correctly initialized, at the very
least, a refcount underflow occurs.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50241

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50242
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Additional check in ntfs_file_release
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50242

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50243
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix general protection fault in run_is_mapped_full

Fixed deleating of a non-resident attribute in ntfs_create_inode()
rollback.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50243

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50244
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Additional check in ni_clear()

Checking of NTFS_FLAGS_LOG_REPLAYING added to prevent access to
uninitialized bitmap during replay process.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50244

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50245
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix possible deadlock in mi_read

Mutex lock with another subclass used in ni_lock_dir().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50245

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50246
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Add rough attr alloc_size check
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50246

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50247
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Check if more than chunk-size bytes are written

A incorrectly formatted chunk may decompress into
more than LZNT_CHUNK_SIZE bytes and a index out of bounds
will occur in s_max_off.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50247

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50248
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ntfs3: Add bounds checking to mi_enum_attr()

Added bounds checking to make sure that every attr don't stray beyond
valid memory region.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50248

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50249
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ACPI: CPPC: Make rmw_lock a raw_spin_lock

The following BUG was triggered:

=============================
[ BUG: Invalid wait context ]
6.12.0-rc2-XXX #406 Not tainted
-----------------------------
kworker/1:1/62 is trying to lock:
ffffff8801593030 (&cpc_ptr->rmw_lock){+.+.}-{3:3}, at: cpc_write+0xcc/0x370
other info that might help us debug this:
context-{5:5}
2 locks held by kworker/1:1/62:
  #0: ffffff897ef5ec98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2c/0x50
  #1: ffffff880154e238 (&sg_policy->update_lock){....}-{2:2}, at: sugov_update_shared+0x3c/0x280
stack backtrace:
CPU: 1 UID: 0 PID: 62 Comm: kworker/1:1 Not tainted 6.12.0-rc2-g9654bd3e8806 #406
Workqueue:  0x0 (events)
Call trace:
  dump_backtrace+0xa4/0x130
  show_stack+0x20/0x38
  dump_stack_lvl+0x90/0xd0
  dump_stack+0x18/0x28
  __lock_acquire+0x480/0x1ad8
  lock_acquire+0x114/0x310
  _raw_spin_lock+0x50/0x70
  cpc_write+0xcc/0x370
  cppc_set_perf+0xa0/0x3a8
  cppc_cpufreq_fast_switch+0x40/0xc0
  cpufreq_driver_fast_switch+0x4c/0x218
  sugov_update_shared+0x234/0x280
  update_load_avg+0x6ec/0x7b8
  dequeue_entities+0x108/0x830
  dequeue_task_fair+0x58/0x408
  __schedule+0x4f0/0x1070
  schedule+0x54/0x130
  worker_thread+0xc0/0x2e8
  kthread+0x130/0x148
  ret_from_fork+0x10/0x20

sugov_update_shared() locks a raw_spinlock while cpc_write() locks a
spinlock.

To have a correct wait-type order, update rmw_lock to a raw spinlock and
ensure that interrupts will be disabled on the CPU holding it.

[ rjw: Changelog edits ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50249

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50250
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fsdax: dax_unshare_iter needs to copy entire blocks

The code that copies data from srcmap to iomap in dax_unshare_iter is
very very broken, which bfoster's recent fsx changes have exposed.

If the pos and len passed to dax_file_unshare are not aligned to an
fsblock boundary, the iter pos and length in the _iter function will
reflect this unalignment.

dax_iomap_direct_access always returns a pointer to the start of the
kmapped fsdax page, even if its pos argument is in the middle of that
page.  This is catastrophic for data integrity when iter->pos is not
aligned to a page, because daddr/saddr do not point to the same byte in
the file as iter->pos.  Hence we corrupt user data by copying it to the
wrong place.

If iter->pos + iomap_length() in the _iter function not aligned to a
page, then we fail to copy a full block, and only partially populate the
destination block.  This is catastrophic for data confidentiality
because we expose stale pmem contents.

Fix both of these issues by aligning copy_pos/copy_len to a page
boundary (remember, this is fsdax so 1 fsblock == 1 base page) so that
we always copy full blocks.

We're not done yet -- there's no call to invalidate_inode_pages2_range,
so programs that have the file range mmap'd will continue accessing the
old memory mapping after the file metadata updates have completed.

Be careful with the return value -- if the unshare succeeds, we still
need to return the number of bytes that the iomap iter thinks we're
operating on.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50250

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50251
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

If access to offset + length is larger than the skbuff length, then
skb_checksum() triggers BUG_ON().

skb_checksum() internally subtracts the length parameter while iterating
over skbuff, BUG_ON(len) at the end of it checks that the expected
length to be included in the checksum calculation is fully consumed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50251

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50252
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address

The device stores IPv6 addresses that are used for encapsulation in
linear memory that is managed by the driver.

Changing the remote address of an ip6gre net device never worked
properly, but since cited commit the following reproducer [1] would
result in a warning [2] and a memory leak [3]. The problem is that the
new remote address is never added by the driver to its hash table (and
therefore the device) and the old address is never removed from it.

Fix by programming the new address when the configuration of the ip6gre
net device changes and removing the old one. If the address did not
change, then the above would result in increasing the reference count of
the address and then decreasing it.

[1]
 # ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit
 # ip link set dev bla type ip6gre remote 2001:db8:3::1
 # ip link del dev bla
 # devlink dev reload pci/0000:01:00.0

[2]
WARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0
Modules linked in:
CPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
RIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0
[...]
Call Trace:
 <TASK>
 mlxsw_sp_router_netdevice_event+0x55f/0x1240
 notifier_call_chain+0x5a/0xd0
 call_netdevice_notifiers_info+0x39/0x90
 unregister_netdevice_many_notify+0x63e/0x9d0
 rtnl_dellink+0x16b/0x3a0
 rtnetlink_rcv_msg+0x142/0x3f0
 netlink_rcv_skb+0x50/0x100
 netlink_unicast+0x242/0x390
 netlink_sendmsg+0x1de/0x420
 ____sys_sendmsg+0x2bd/0x320
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0x7a/0xd0
 do_syscall_64+0x9e/0x1a0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

[3]
unreferenced object 0xffff898081f597a0 (size 32):
  comm "ip", pid 1626, jiffies 4294719324
  hex dump (first 32 bytes):
    20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01   ...............
    21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00  !Ia.............
  backtrace (crc fd9be911):
    [<00000000df89c55d>] __kmalloc_cache_noprof+0x1da/0x260
    [<00000000ff2a1ddb>] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340
    [<000000009ddd445d>] mlxsw_sp_router_netdevice_event+0x47b/0x1240
    [<00000000743e7757>] notifier_call_chain+0x5a/0xd0
    [<000000007c7b9e13>] call_netdevice_notifiers_info+0x39/0x90
    [<000000002509645d>] register_netdevice+0x5f7/0x7a0
    [<00000000c2e7d2a9>] ip6gre_newlink_common.isra.0+0x65/0x130
    [<0000000087cd6d8d>] ip6gre_newlink+0x72/0x120
    [<000000004df7c7cc>] rtnl_newlink+0x471/0xa20
    [<0000000057ed632a>] rtnetlink_rcv_msg+0x142/0x3f0
    [<0000000032e0d5b5>] netlink_rcv_skb+0x50/0x100
    [<00000000908bca63>] netlink_unicast+0x242/0x390
    [<00000000cdbe1c87>] netlink_sendmsg+0x1de/0x420
    [<0000000011db153e>] ____sys_sendmsg+0x2bd/0x320
    [<000000003b6d53eb>] ___sys_sendmsg+0x9a/0xe0
    [<00000000cae27c62>] __sys_sendmsg+0x7a/0xd0
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50252

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50253
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Check the validity of nr_words in bpf_iter_bits_new()

Check the validity of nr_words in bpf_iter_bits_new(). Without this
check, when multiplication overflow occurs for nr_bits (e.g., when
nr_words = 0x0400-0001, nr_bits becomes 64), stack corruption may occur
due to bpf_probe_read_kernel_common(..., nr_bytes = 0x2000-0008).

Fix it by limiting the maximum value of nr_words to 511. The value is
derived from the current implementation of BPF memory allocator. To
ensure compatibility if the BPF memory allocator's size limitation
changes in the future, use the helper bpf_mem_alloc_check_size() to
check whether nr_bytes is too larger. And return -E2BIG instead of
-ENOMEM for oversized nr_bytes.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50253

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50254
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Free dynamically allocated bits in bpf_iter_bits_destroy()

bpf_iter_bits_destroy() uses "kit->nr_bits <= 64" to check whether the
bits are dynamically allocated. However, the check is incorrect and may
cause a kmemleak as shown below:

unreferenced object 0xffff88812628c8c0 (size 32):
  comm "swapper/0", pid 1, jiffies 4294727320
  hex dump (first 32 bytes):
	b0 c1 55 f5 81 88 ff ff f0 f0 f0 f0 f0 f0 f0 f0  ..U...........
	f0 f0 f0 f0 f0 f0 f0 f0 00 00 00 00 00 00 00 00  ..............
  backtrace (crc 781e32cc):
	[<00000000c452b4ab>] kmemleak_alloc+0x4b/0x80
	[<0000000004e09f80>] __kmalloc_node_noprof+0x480/0x5c0
	[<00000000597124d6>] __alloc.isra.0+0x89/0xb0
	[<000000004ebfffcd>] alloc_bulk+0x2af/0x720
	[<00000000d9c10145>] prefill_mem_cache+0x7f/0xb0
	[<00000000ff9738ff>] bpf_mem_alloc_init+0x3e2/0x610
	[<000000008b616eac>] bpf_global_ma_init+0x19/0x30
	[<00000000fc473efc>] do_one_initcall+0xd3/0x3c0
	[<00000000ec81498c>] kernel_init_freeable+0x66a/0x940
	[<00000000b119f72f>] kernel_init+0x20/0x160
	[<00000000f11ac9a7>] ret_from_fork+0x3c/0x70
	[<0000000004671da4>] ret_from_fork_asm+0x1a/0x30

That is because nr_bits will be set as zero in bpf_iter_bits_next()
after all bits have been iterated.

Fix the issue by setting kit->bit to kit->nr_bits instead of setting
kit->nr_bits to zero when the iteration completes in
bpf_iter_bits_next(). In addition, use "!nr_bits || bits >= nr_bits" to
check whether the iteration is complete and still use "nr_bits > 64" to
indicate whether bits are dynamically allocated. The "!nr_bits" check is
necessary because bpf_iter_bits_new() may fail before setting
kit->nr_bits, and this condition will stop the iteration early instead
of accessing the zeroed or freed kit->bits.

Considering the initial value of kit->bits is -1 and the type of
kit->nr_bits is unsigned int, change the type of kit->nr_bits to int.
The potential overflow problem will be handled in the following patch.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50254

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50255
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes.

__hci_cmd_sync_sk() returns NULL if a command returns a status event.
However, it also returns NULL where an opcode doesn't exist in the
hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0]
for unknown opcodes.
This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as
there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes
status = skb->data[0].

KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci7 hci_power_on
RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
FS:  0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
 hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
 hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
 hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
 hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
 hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
 hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
 process_one_work kernel/workqueue.c:3267 [inline]
 process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
 worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
 kthread+0x2cb/0x360 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50255

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50256
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

I got a syzbot report without a repro [1] crashing in nf_send_reset6()

I think the issue is that dev->hard_header_len is zero, and we attempt
later to push an Ethernet header.

Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c.

[1]

skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun
 kernel BUG at net/core/skbuff.c:206 !
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
 RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
RSP: 0018:ffffc900045269b0 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc
R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140
R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c
FS:  00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  skb_push+0xe5/0x100 net/core/skbuff.c:2636
  eth_header+0x38/0x1f0 net/ethernet/eth.c:83
  dev_hard_header include/linux/netdevice.h:3208 [inline]
  nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358
  nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48
  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
  nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
  nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
  nf_hook include/linux/netfilter.h:269 [inline]
  NF_HOOK include/linux/netfilter.h:312 [inline]
  br_nf_pre_routing_ipv6+0x63e/0x770 net/bridge/br_netfilter_ipv6.c:184
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_bridge_pre net/bridge/br_input.c:277 [inline]
  br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424
  __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562
  __netif_receive_skb_one_core net/core/dev.c:5666 [inline]
  __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781
  netif_receive_skb_internal net/core/dev.c:5867 [inline]
  netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926
  tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550
  tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007
  tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053
  new_sync_write fs/read_write.c:590 [inline]
  vfs_write+0xa6d/0xc90 fs/read_write.c:683
  ksys_write+0x183/0x2b0 fs/read_write.c:736
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdbeeb7d1ff
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48
RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff
RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8
RBP: 00007fdbeebf12be R08: 0000000
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50256

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50257
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netfilter: Fix use-after-free in get_info()

ip6table_nat module unload has refcnt warning for UAF. call trace is:

WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80
Modules linked in: ip6table_nat(-)
CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:module_put+0x6f/0x80
Call Trace:
 <TASK>
 get_info+0x128/0x180
 do_ip6t_get_ctl+0x6a/0x430
 nf_getsockopt+0x46/0x80
 ipv6_getsockopt+0xb9/0x100
 rawv6_getsockopt+0x42/0x190
 do_sock_getsockopt+0xaa/0x180
 __sys_getsockopt+0x70/0xc0
 __x64_sys_getsockopt+0x20/0x30
 do_syscall_64+0xa2/0x1a0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Concurrent execution of module unload and get_info() trigered the warning.
The root cause is as follows:

cpu0				      cpu1
module_exit
//mod->state = MODULE_STATE_GOING
  ip6table_nat_exit
    xt_unregister_template
	kfree(t)
	//removed from templ_list
				      getinfo()
					  t = xt_find_table_lock
						list_for_each_entry(tmpl, &xt_templates[af]...)
							if (strcmp(tmpl->name, name))
								continue;  //table not found
							try_module_get
						list_for_each_entry(t, &xt_net->tables[af]...)
							return t;  //not get refcnt
					  module_put(t->me) //uaf
    unregister_pernet_subsys
    //remove table from xt_net list

While xt_table module was going away and has been removed from
xt_templates list, we couldnt get refcnt of xt_table->me. Check
module in xt_net->tables list re-traversal to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50257

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50258
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: fix crash when config small gso_max_size/gso_ipv4_max_size

Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow
in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
because sk->sk_gso_max_size would be much bigger than device limits.
Call Trace:
tcp_write_xmit
    tso_segs = tcp_init_tso_segs(skb, mss_now);
        tcp_set_skb_tso_segs
            tcp_skb_pcount_set
                // skb->len = 524288, mss_now = 8
                // u16 tso_segs = 524288/8 = 65535 -> 0
                tso_segs = DIV_ROUND_UP(skb->len, mss_now)
    BUG_ON(!tso_segs)
Add check for the minimum value of gso_max_size and gso_ipv4_max_size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50258

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50259
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()

This was found by a static analyzer.
We should not forget the trailing zero after copy_from_user()
if we will further do some string operations, sscanf() in this
case. Adding a trailing zero will ensure that the function
performs properly.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50259

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50260
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sock_map: fix a NULL pointer dereference in sock_map_link_update_prog()

The following race condition could trigger a NULL pointer dereference:

sock_map_link_detach():		sock_map_link_update_prog():
   mutex_lock(&sockmap_mutex);
   ...
   sockmap_link->map = NULL;
   mutex_unlock(&sockmap_mutex);
   				   mutex_lock(&sockmap_mutex);
				   ...
				   sock_map_prog_link_lookup(sockmap_link->map);
				   mutex_unlock(&sockmap_mutex);
   <continue>

Fix it by adding a NULL pointer check. In this specific case, it makes
no sense to update a link which is being released.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50260

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50261
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

macsec: Fix use-after-free while sending the offloading packet

KASAN reports the following UAF. The metadata_dst, which is used to
store the SCI value for macsec offload, is already freed by
metadata_dst_free() in macsec_free_netdev(), while driver still use it
for sending the packet.

To fix this issue, dst_release() is used instead to release
metadata_dst. So it is not freed instantly in macsec_free_netdev() if
still referenced by skb.

 BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
 Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714
 [...]
 Workqueue: mld mld_ifc_work
 Call Trace:
  <TASK>
  dump_stack_lvl+0x51/0x60
  print_report+0xc1/0x600
  kasan_report+0xab/0xe0
  mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
  dev_hard_start_xmit+0x120/0x530
  sch_direct_xmit+0x149/0x11e0
  __qdisc_run+0x3ad/0x1730
  __dev_queue_xmit+0x1196/0x2ed0
  vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]
  dev_hard_start_xmit+0x120/0x530
  __dev_queue_xmit+0x14a7/0x2ed0
  macsec_start_xmit+0x13e9/0x2340
  dev_hard_start_xmit+0x120/0x530
  __dev_queue_xmit+0x14a7/0x2ed0
  ip6_finish_output2+0x923/0x1a70
  ip6_finish_output+0x2d7/0x970
  ip6_output+0x1ce/0x3a0
  NF_HOOK.constprop.0+0x15f/0x190
  mld_sendpack+0x59a/0xbd0
  mld_ifc_work+0x48a/0xa80
  process_one_work+0x5aa/0xe50
  worker_thread+0x79c/0x1290
  kthread+0x28f/0x350
  ret_from_fork+0x2d/0x70
  ret_from_fork_asm+0x11/0x20
  </TASK>

 Allocated by task 3922:
  kasan_save_stack+0x20/0x40
  kasan_save_track+0x10/0x30
  __kasan_kmalloc+0x77/0x90
  __kmalloc_noprof+0x188/0x400
  metadata_dst_alloc+0x1f/0x4e0
  macsec_newlink+0x914/0x1410
  __rtnl_newlink+0xe08/0x15b0
  rtnl_newlink+0x5f/0x90
  rtnetlink_rcv_msg+0x667/0xa80
  netlink_rcv_skb+0x12c/0x360
  netlink_unicast+0x551/0x770
  netlink_sendmsg+0x72d/0xbd0
  __sock_sendmsg+0xc5/0x190
  ____sys_sendmsg+0x52e/0x6a0
  ___sys_sendmsg+0xeb/0x170
  __sys_sendmsg+0xb5/0x140
  do_syscall_64+0x4c/0x100
  entry_SYSCALL_64_after_hwframe+0x4b/0x53

 Freed by task 4011:
  kasan_save_stack+0x20/0x40
  kasan_save_track+0x10/0x30
  kasan_save_free_info+0x37/0x50
  poison_slab_object+0x10c/0x190
  __kasan_slab_free+0x11/0x30
  kfree+0xe0/0x290
  macsec_free_netdev+0x3f/0x140
  netdev_run_todo+0x450/0xc70
  rtnetlink_rcv_msg+0x66f/0xa80
  netlink_rcv_skb+0x12c/0x360
  netlink_unicast+0x551/0x770
  netlink_sendmsg+0x72d/0xbd0
  __sock_sendmsg+0xc5/0x190
  ____sys_sendmsg+0x52e/0x6a0
  ___sys_sendmsg+0xeb/0x170
  __sys_sendmsg+0xb5/0x140
  do_syscall_64+0x4c/0x100
  entry_SYSCALL_64_after_hwframe+0x4b/0x53
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50261

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50262
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix out-of-bounds write in trie_get_next_key()

trie_get_next_key() allocates a node stack with size trie->max_prefixlen,
while it writes (trie->max_prefixlen + 1) nodes to the stack when it has
full paths from the root to leaves. For example, consider a trie with
max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ...
0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with
.prefixlen = 8 make 9 nodes be written on the node stack with size 8.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50262

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50263
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

fork: only invoke khugepaged, ksm hooks if no error

There is no reason to invoke these hooks early against an mm that is in an
incomplete state.

The change in commit d24062914837 ("fork: use __mt_dup() to duplicate
maple tree in dup_mmap()") makes this more pertinent as we may be in a
state where entries in the maple tree are not yet consistent.

Their placement early in dup_mmap() only appears to have been meaningful
for early error checking, and since functionally it'd require a very small
allocation to fail (in practice 'too small to fail') that'd only occur in
the most dire circumstances, meaning the fork would fail or be OOM'd in
any case.

Since both khugepaged and KSM tracking are there to provide optimisations
to memory performance rather than critical functionality, it doesn't
really matter all that much if, under such dire memory pressure, we fail
to register an mm with these.

As a result, we follow the example of commit d2081b2bf819 ("mm:
khugepaged: make khugepaged_enter() void function") and make ksm_fork() a
void function also.

We only expose the mm to these functions once we are done with them and
only if no error occurred in the fork operation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50263

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50264
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

During loopback communication, a dangling pointer can be created in
vsk->trans, potentially leading to a Use-After-Free condition.  This
issue is resolved by initializing vsk->trans to NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50264

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50265
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()

Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove():

[   57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12
[   57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper.  Leaking 1 clusters and removing the entry
[   57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004
[...]
[   57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
[...]
[   57.331328] Call Trace:
[   57.331477]  <TASK>
[...]
[   57.333511]  ? do_user_addr_fault+0x3e5/0x740
[   57.333778]  ? exc_page_fault+0x70/0x170
[   57.334016]  ? asm_exc_page_fault+0x2b/0x30
[   57.334263]  ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10
[   57.334596]  ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
[   57.334913]  ocfs2_xa_remove_entry+0x23/0xc0
[   57.335164]  ocfs2_xa_set+0x704/0xcf0
[   57.335381]  ? _raw_spin_unlock+0x1a/0x40
[   57.335620]  ? ocfs2_inode_cache_unlock+0x16/0x20
[   57.335915]  ? trace_preempt_on+0x1e/0x70
[   57.336153]  ? start_this_handle+0x16c/0x500
[   57.336410]  ? preempt_count_sub+0x50/0x80
[   57.336656]  ? _raw_read_unlock+0x20/0x40
[   57.336906]  ? start_this_handle+0x16c/0x500
[   57.337162]  ocfs2_xattr_block_set+0xa6/0x1e0
[   57.337424]  __ocfs2_xattr_set_handle+0x1fd/0x5d0
[   57.337706]  ? ocfs2_start_trans+0x13d/0x290
[   57.337971]  ocfs2_xattr_set+0xb13/0xfb0
[   57.338207]  ? dput+0x46/0x1c0
[   57.338393]  ocfs2_xattr_trusted_set+0x28/0x30
[   57.338665]  ? ocfs2_xattr_trusted_set+0x28/0x30
[   57.338948]  __vfs_removexattr+0x92/0xc0
[   57.339182]  __vfs_removexattr_locked+0xd5/0x190
[   57.339456]  ? preempt_count_sub+0x50/0x80
[   57.339705]  vfs_removexattr+0x5f/0x100
[...]

Reproducer uses faultinject facility to fail ocfs2_xa_remove() ->
ocfs2_xa_value_truncate() with -ENOMEM.

In this case the comment mentions that we can return 0 if
ocfs2_xa_cleanup_value_truncate() is going to wipe the entry
anyway. But the following 'rc' check is wrong and execution flow do
'ocfs2_xa_remove_entry(loc);' twice:
* 1st: in ocfs2_xa_cleanup_value_truncate();
* 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'.

Fix this by skipping the 2nd removal of the same entry and making
syzkaller repro happy.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50265

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50266
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

clk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs

A recent change in the venus driver results in a stuck clock on the
Lenovo ThinkPad X13s, for example, when streaming video in firefox:

	video_cc_mvs0_clk status stuck at 'off'
	WARNING: CPU: 6 PID: 2885 at drivers/clk/qcom/clk-branch.c:87 clk_branch_wait+0x144/0x15c
	...
	Call trace:
	 clk_branch_wait+0x144/0x15c
	 clk_branch2_enable+0x30/0x40
	 clk_core_enable+0xd8/0x29c
	 clk_enable+0x2c/0x4c
	 vcodec_clks_enable.isra.0+0x94/0xd8 [venus_core]
	 coreid_power_v4+0x464/0x628 [venus_core]
	 vdec_start_streaming+0xc4/0x510 [venus_dec]
	 vb2_start_streaming+0x6c/0x180 [videobuf2_common]
	 vb2_core_streamon+0x120/0x1dc [videobuf2_common]
	 vb2_streamon+0x1c/0x6c [videobuf2_v4l2]
	 v4l2_m2m_ioctl_streamon+0x30/0x80 [v4l2_mem2mem]
	 v4l_streamon+0x24/0x30 [videodev]

using the out-of-tree sm8350/sc8280xp venus support. [1]

Update also the sm8350/sc8280xp GDSC definitions so that the hw control
mode can be changed at runtime as the venus driver now requires.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50266

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50267
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_edgeport: fix use after free in debug printk

The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb)
is a use after free of the "urb" pointer.  Store the "dev" pointer at the
start of the function to avoid this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50267

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50268
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

The "*cmd" variable can be controlled by the user via debugfs.  That means
"new_cam" can be as high as 255 while the size of the uc->updated[] array
is UCSI_MAX_ALTMODES (30).

The call tree is:
ucsi_cmd() // val comes from simple_attr_write_xsigned()
-> ucsi_send_command()
   -> ucsi_send_command_common()
      -> ucsi_run_command() // calls ucsi->ops->sync_control()
         -> ucsi_ccg_sync_control()
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50268

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50269
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: musb: sunxi: Fix accessing an released usb phy

Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on
exit") will cause that usb phy @glue->xceiv is accessed after released.

1) register platform driver @sunxi_musb_driver
// get the usb phy @glue->xceiv
sunxi_musb_probe() -> devm_usb_get_phy().

2) register and unregister platform driver @musb_driver
musb_probe() -> sunxi_musb_init()
use the phy here
//the phy is released here
musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()

3) register @musb_driver again
musb_probe() -> sunxi_musb_init()
use the phy here but the phy has been released at 2).
...

Fixed by reverting the commit, namely, removing devm_usb_put_phy()
from sunxi_musb_exit().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50269

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50270
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: avoid overflow in damon_feed_loop_next_input()

damon_feed_loop_next_input() is inefficient and fragile to overflows. 
Specifically, 'score_goal_diff_bp' calculation can overflow when 'score'
is high.  The calculation is actually unnecessary at all because 'goal' is
a constant of value 10,000.  Calculation of 'compensation' is again
fragile to overflow.  Final calculation of return value for under-achiving
case is again fragile to overflow when the current score is
under-achieving the target.

Add two corner cases handling at the beginning of the function to make the
body easier to read, and rewrite the body of the function to avoid
overflows and the unnecessary bp value calcuation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50270

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50271
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

signal: restore the override_rlimit logic

Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of
ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of
signals.  However now it's enforced unconditionally, even if
override_rlimit is set.  This behavior change caused production issues.  

For example, if the limit is reached and a process receives a SIGSEGV
signal, sigqueue_alloc fails to allocate the necessary resources for the
signal delivery, preventing the signal from being delivered with siginfo. 
This prevents the process from correctly identifying the fault address and
handling the error.  From the user-space perspective, applications are
unaware that the limit has been reached and that the siginfo is
effectively 'corrupted'.  This can lead to unpredictable behavior and
crashes, as we observed with java applications.

Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip
the comparison to max there if override_rlimit is set.  This effectively
restores the old behavior.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50271

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50272
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

filemap: Fix bounds checking in filemap_read()

If the caller supplies an iocb->ki_pos value that is close to the
filesystem upper limit, and an iterator with a count that causes us to
overflow that limit, then filemap_read() enters an infinite loop.

This behaviour was discovered when testing xfstests generic/525 with the
"localio" optimisation for loopback NFS mounts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50272

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50273
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

btrfs: reinitialize delayed ref list after deleting it from the list

At insert_delayed_ref() if we need to update the action of an existing
ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's
ref_add_list using list_del(), which leaves the ref's add_list member
not reinitialized, as list_del() sets the next and prev members of the
list to LIST_POISON1 and LIST_POISON2, respectively.

If later we end up calling drop_delayed_ref() against the ref, which can
happen during merging or when destroying delayed refs due to a transaction
abort, we can trigger a crash since at drop_delayed_ref() we call
list_empty() against the ref's add_list, which returns false since
the list was not reinitialized after the list_del() and as a consequence
we call list_del() again at drop_delayed_ref(). This results in an
invalid list access since the next and prev members are set to poison
pointers, resulting in a splat if CONFIG_LIST_HARDENED and
CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences
otherwise.

So fix this by deleting from the list with list_del_init() instead.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50273

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50274
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

idpf: avoid vport access in idpf_get_link_ksettings

When the device control plane is removed or the platform
running device control plane is rebooted, a reset is detected
on the driver. On driver reset, it releases the resources and
waits for the reset to complete. If the reset fails, it takes
the error path and releases the vport lock. At this time if the
monitoring tools tries to access link settings, it call traces
for accessing released vport pointer.

To avoid it, move link_speed_mbps to netdev_priv structure
which removes the dependency on vport pointer and the vport lock
in idpf_get_link_ksettings. Also use netif_carrier_ok()
to check the link status and adjust the offsetof to use link_up
instead of link_speed_mbps.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50274

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50275
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

arm64/sve: Discard stale CPU state when handling SVE traps

The logic for handling SVE traps manipulates saved FPSIMD/SVE state
incorrectly, and a race with preemption can result in a task having
TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
is stale (e.g. with SVE traps enabled). This has been observed to result
in warnings from do_sve_acc() where SVE traps are not expected while
TIF_SVE is set:

|         if (test_and_set_thread_flag(TIF_SVE))
|                 WARN_ON(1); /* SVE access shouldn't have trapped */

Warnings of this form have been reported intermittently, e.g.

  https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/
  https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/

The race can occur when the SVE trap handler is preempted before and
after manipulating the saved FPSIMD/SVE state, starting and ending on
the same CPU, e.g.

| void do_sve_acc(unsigned long esr, struct pt_regs *regs)
| {
|         // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled
|         // task->fpsimd_cpu is 0.
|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.
|
|         ...
|
|         // Preempted; migrated from CPU 0 to CPU 1.
|         // TIF_FOREIGN_FPSTATE is set.
|
|         get_cpu_fpsimd_context();
|
|         if (test_and_set_thread_flag(TIF_SVE))
|                 WARN_ON(1); /* SVE access shouldn't have trapped */
|
|         sve_init_regs() {
|                 if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
|                         ...
|                 } else {
|                         fpsimd_to_sve(current);
|                         current->thread.fp_type = FP_STATE_SVE;
|                 }
|         }
|
|         put_cpu_fpsimd_context();
|
|         // Preempted; migrated from CPU 1 to CPU 0.
|         // task->fpsimd_cpu is still 0
|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
|         // - Stale HW state is reused (with SVE traps enabled)
|         // - TIF_FOREIGN_FPSTATE is cleared
|         // - A return to userspace skips HW state restore
| }

Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
by calling fpsimd_flush_task_state() to detach from the saved CPU
state. This ensures that a subsequent context switch will not reuse the
stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
new state to be reloaded from memory prior to a return to userspace.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50275

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50276
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: vertexcom: mse102x: Fix possible double free of TX skb

The scope of the TX skb is wider than just mse102x_tx_frame_spi(),
so in case the TX skb room needs to be expanded, we should free the
the temporary skb instead of the original skb. Otherwise the original
TX skb pointer would be freed again in mse102x_tx_work(), which leads
to crashes:

  Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP
  CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G      D            6.6.23
  Hardware name: chargebyte Charge SOM DC-ONE (DT)
  Workqueue: events mse102x_tx_work [mse102x]
  pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : skb_release_data+0xb8/0x1d8
  lr : skb_release_data+0x1ac/0x1d8
  sp : ffff8000819a3cc0
  x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0
  x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff
  x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50
  x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc
  x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000
  x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000
  x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8
  x8 : fffffc00001bc008
  x7 : 0000000000000000 x6 : 0000000000000008
  x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009
  x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000
  Call trace:
   skb_release_data+0xb8/0x1d8
   kfree_skb_reason+0x48/0xb0
   mse102x_tx_work+0x164/0x35c [mse102x]
   process_one_work+0x138/0x260
   worker_thread+0x32c/0x438
   kthread+0x118/0x11c
   ret_from_fork+0x10/0x20
  Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50276

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50277
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dm: fix a crash if blk_alloc_disk fails

If blk_alloc_disk fails, the variable md->disk is set to an error value.
cleanup_mapped_device will see that md->disk is non-NULL and it will
attempt to access it, causing a crash on this statement
"md->disk->private_data = NULL;".
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50277

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50278
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix potential out-of-bounds access on the first resume

Out-of-bounds access occurs if the fast device is expanded unexpectedly
before the first-time resume of the cache table. This happens because
expanding the fast device requires reloading the cache table for
cache_create to allocate new in-core data structures that fit the new
size, and the check in cache_preresume is not performed during the
first resume, leading to the issue.

Reproduce steps:

1. prepare component devices:

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct

2. load a cache table of 512 cache blocks, and deliberately expand the
   fast device before resuming the cache, making the in-core data
   structures inadequate.

dmsetup create cache --notable
dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache

3. suspend the cache to write out the in-core dirty bitset and hint
   array, leading to out-of-bounds access to the dirty bitset at offset
   0x40:

dmsetup suspend cache

KASAN reports:

  BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
  Read of size 8 at addr ffffc90000085040 by task dmsetup/90

  (...snip...)
  The buggy address belongs to the virtual mapping at
   [ffffc90000085000, ffffc90000087000) created by:
   cache_ctr+0x176a/0x35f0

  (...snip...)
  Memory state around the buggy address:
   ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
                                             ^
   ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Fix by checking the size change on the first resume.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50278

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50279
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix out-of-bounds access to the dirty bitset when resizing

dm-cache checks the dirty bits of the cache blocks to be dropped when
shrinking the fast device, but an index bug in bitset iteration causes
out-of-bounds access.

Reproduce steps:

1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. shrink the fast device to 512 cache blocks, triggering out-of-bounds
   access to the dirty bitset (offset 0x80)

dmsetup suspend cache
dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache

KASAN reports:

  BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
  Read of size 8 at addr ffffc900000f3080 by task dmsetup/131

  (...snip...)
  The buggy address belongs to the virtual mapping at
   [ffffc900000f3000, ffffc900000f5000) created by:
   cache_ctr+0x176a/0x35f0

  (...snip...)
  Memory state around the buggy address:
   ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                     ^
   ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Fix by making the index post-incremented.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50279

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50281
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

KEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation

When sealing or unsealing a key blob we currently do not wait for
the AEAD cipher operation to finish and simply return after submitting
the request. If there is some load on the system we can exit before
the cipher operation is done and the buffer we read from/write to
is already removed from the stack. This will e.g. result in NULL
pointer dereference errors in the DCP driver during blob creation.

Fix this by waiting for the AEAD cipher operation to finish before
resuming the seal and unseal calls.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50281

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50282
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()

Avoid a possible buffer overflow if size is larger than 4K.

(cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50282

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50283
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp

ksmbd_user_session_put should be called under smb3_preauth_hash_rsp().
It will avoid freeing session before calling smb3_preauth_hash_rsp().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50283

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50284
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix the missing xa_store error check

xa_store() can fail, it return xa_err(-EINVAL) if the entry cannot
be stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed,
so check error for xa_store() to fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50284

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50285
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: check outstanding simultaneous SMB operations

If Client send simultaneous SMB operations to ksmbd, It exhausts too much
memory through the "ksmbd_work_cache”. It will cause OOM issue.
ksmbd has a credit mechanism but it can't handle this problem. This patch
add the check if it exceeds max credits to prevent this problem by assuming
that one smb request consumes at least one credit.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50285

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50286
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create

There is a race condition between ksmbd_smb2_session_create and
ksmbd_expire_session. This patch add missing sessions_table_lock
while adding/deleting session from global session table.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50286

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50287
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: v4l2-tpg: prevent the risk of a division by zero

As reported by Coverity, the logic at tpg_precalculate_line()
blindly rescales the buffer even when scaled_witdh is equal to
zero. If this ever happens, this will cause a division by zero.

Instead, add a WARN_ON_ONCE() to trigger such cases and return
without doing any precalculation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50287

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50288
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: vivid: fix buffer overwrite when using > 32 buffers

The maximum number of buffers that can be requested was increased to
64 for the video capture queue. But video capture used a must_blank
array that was still sized for 32 (VIDEO_MAX_FRAME). This caused an
out-of-bounds write when using buffer indices >= 32.

Create a new define MAX_VID_CAP_BUFFERS that is used to access the
must_blank array and set max_num_buffers for the video capture queue.

This solves a crash reported by:

	https://bugzilla.kernel.org/show_bug.cgi?id=219258
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50288

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50291
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: add missing buffer index check

dvb_vb2_expbuf() didn't check if the given buffer index was
for a valid buffer. Add this check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50291

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50296
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix kernel crash when uninstalling driver

When the driver is uninstalled and the VF is disabled concurrently, a
kernel crash occurs. The reason is that the two actions call function
pci_disable_sriov(). The num_VFs is checked to determine whether to
release the corresponding resources. During the second calling, num_VFs
is not 0 and the resource release function is called. However, the
corresponding resource has been released during the first invoking.
Therefore, the problem occurs:

[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
...
[15278.131557][T50670] Call trace:
[15278.134686][T50670]  klist_put+0x28/0x12c
[15278.138682][T50670]  klist_del+0x14/0x20
[15278.142592][T50670]  device_del+0xbc/0x3c0
[15278.146676][T50670]  pci_remove_bus_device+0x84/0x120
[15278.151714][T50670]  pci_stop_and_remove_bus_device+0x6c/0x80
[15278.157447][T50670]  pci_iov_remove_virtfn+0xb4/0x12c
[15278.162485][T50670]  sriov_disable+0x50/0x11c
[15278.166829][T50670]  pci_disable_sriov+0x24/0x30
[15278.171433][T50670]  hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]
[15278.178039][T50670]  hclge_exit+0x28/0xd0 [hclge]
[15278.182730][T50670]  __se_sys_delete_module.isra.0+0x164/0x230
[15278.188550][T50670]  __arm64_sys_delete_module+0x1c/0x30
[15278.193848][T50670]  invoke_syscall+0x50/0x11c
[15278.198278][T50670]  el0_svc_common.constprop.0+0x158/0x164
[15278.203837][T50670]  do_el0_svc+0x34/0xcc
[15278.207834][T50670]  el0_svc+0x20/0x30

For details, see the following figure.

     rmmod hclge              disable VFs
----------------------------------------------------
hclge_exit()            sriov_numvfs_store()
  ...                     device_lock()
  pci_disable_sriov()     hns3_pci_sriov_configure()
                            pci_disable_sriov()
                              sriov_disable()
    sriov_disable()             if !num_VFs :
      if !num_VFs :               return;
        return;                 sriov_del_vfs()
      sriov_del_vfs()             ...
        ...                       klist_put()
        klist_put()               ...
        ...                     num_VFs = 0;
      num_VFs = 0;        device_unlock();

In this patch, when driver is removing, we get the device_lock()
to protect num_VFs, just like sriov_numvfs_store().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50296

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50297
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: xilinx: axienet: Enqueue Tx packets in dql before dmaengine starts

Enqueue packets in dql after dma engine starts causes race condition.
Tx transfer starts once dma engine is started and may execute dql dequeue
in completion before it gets queued. It results in following kernel crash
while running iperf stress test:

kernel BUG at lib/dynamic_queue_limits.c:99!
<snip>
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
pc : dql_completed+0x238/0x248
lr : dql_completed+0x3c/0x248

Call trace:
  dql_completed+0x238/0x248
  axienet_dma_tx_cb+0xa0/0x170
  xilinx_dma_do_tasklet+0xdc/0x290
  tasklet_action_common+0xf8/0x11c
  tasklet_action+0x30/0x3c
  handle_softirqs+0xf8/0x230
<snip>

Start dmaengine after enqueue in dql fixes the crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50297

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50298
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: enetc: allocate vf_state during PF probes

In the previous implementation, vf_state is allocated memory only when VF
is enabled. However, net_device_ops::ndo_set_vf_mac() may be called before
VF is enabled to configure the MAC address of VF. If this is the case,
enetc_pf_set_vf_mac() will access vf_state, resulting in access to a null
pointer. The simplified error log is as follows.

root@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89
[  173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
[  173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy
[  173.641973] lr : do_setlink+0x4a8/0xec8
[  173.732292] Call trace:
[  173.734740]  enetc_pf_set_vf_mac+0x3c/0x80
[  173.738847]  __rtnl_newlink+0x530/0x89c
[  173.742692]  rtnl_newlink+0x50/0x7c
[  173.746189]  rtnetlink_rcv_msg+0x128/0x390
[  173.750298]  netlink_rcv_skb+0x60/0x130
[  173.754145]  rtnetlink_rcv+0x18/0x24
[  173.757731]  netlink_unicast+0x318/0x380
[  173.761665]  netlink_sendmsg+0x17c/0x3c8
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50298

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50299
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

sctp: properly validate chunk size in sctp_sf_ootb()

A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add
size validation when walking chunks") is also required in sctp_sf_ootb()
to address a crash reported by syzbot:

  BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
  sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
  sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
  sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
  sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
  sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
  sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
  ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
  ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50299

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50300
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

regulator: rtq2208: Fix uninitialized use of regulator_config

Fix rtq2208 driver uninitialized use to cause kernel error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50300

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50301
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

security/keys: fix slab-out-of-bounds in key_task_permission

KASAN reports an out of bounds read:
BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410
security/keys/permission.c:54
Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362

CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15
Call Trace:
 __dump_stack lib/dump_stack.c:82 [inline]
 dump_stack+0x107/0x167 lib/dump_stack.c:123
 print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
 kasan_report+0x3a/0x50 mm/kasan/report.c:585
 __kuid_val include/linux/uidgid.h:36 [inline]
 uid_eq include/linux/uidgid.h:63 [inline]
 key_task_permission+0x394/0x410 security/keys/permission.c:54
 search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793

This issue was also reported by syzbot.

It can be reproduced by following these steps(more details [1]):
1. Obtain more than 32 inputs that have similar hashes, which ends with the
   pattern '0xxxxxxxe6'.
2. Reboot and add the keys obtained in step 1.

The reproducer demonstrates how this issue happened:
1. In the search_nested_keyrings function, when it iterates through the
   slots in a node(below tag ascend_to_node), if the slot pointer is meta
   and node->back_pointer != NULL(it means a root), it will proceed to
   descend_to_node. However, there is an exception. If node is the root,
   and one of the slots points to a shortcut, it will be treated as a
   keyring.
2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.
   However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as
   ASSOC_ARRAY_PTR_SUBTYPE_MASK.
3. When 32 keys with the similar hashes are added to the tree, the ROOT
   has keys with hashes that are not similar (e.g. slot 0) and it splits
   NODE A without using a shortcut. When NODE A is filled with keys that
   all hashes are xxe6, the keys are similar, NODE A will split with a
   shortcut. Finally, it forms the tree as shown below, where slot 6 points
   to a shortcut.

                      NODE A
              +------>+---+
      ROOT    |       | 0 | xxe6
      +---+   |       +---+
 xxxx | 0 | shortcut  :   : xxe6
      +---+   |       +---+
 xxe6 :   :   |       |   | xxe6
      +---+   |       +---+
      | 6 |---+       :   : xxe6
      +---+           +---+
 xxe6 :   :           | f | xxe6
      +---+           +---+
 xxe6 | f |
      +---+

4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,
   it may be mistakenly transferred to a key*, leading to a read
   out-of-bounds read.

To fix this issue, one should jump to descend_to_node if the ptr is a
shortcut, regardless of whether the node is root or not.

[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/

[jarkko: tweaked the commit message a bit to have an appropriate closes
 tag.]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50301

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50302
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

HID: core: zero-initialize the report buffer

Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50302

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50303
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

resource,kexec: walk_system_ram_res_rev must retain resource flags

walk_system_ram_res_rev() erroneously discards resource flags when passing
the information to the callback.

This causes systems with IORESOURCE_SYSRAM_DRIVER_MANAGED memory to have
these resources selected during kexec to store kexec buffers if that
memory happens to be at placed above normal system ram.

This leads to undefined behavior after reboot.  If the kexec buffer is
never touched, nothing happens.  If the kexec buffer is touched, it could
lead to a crash (like below) or undefined behavior.

Tested on a system with CXL memory expanders with driver managed memory,
TPM enabled, and CONFIG_IMA_KEXEC=y.  Adding printk's showed the flags
were being discarded and as a result the check for
IORESOURCE_SYSRAM_DRIVER_MANAGED passes.

find_next_iomem_res: name(System RAM (kmem))
		     start(10000000000)
		     end(1034fffffff)
		     flags(83000200)

locate_mem_hole_top_down: start(10000000000) end(1034fffffff) flags(0)

[.] BUG: unable to handle page fault for address: ffff89834ffff000
[.] #PF: supervisor read access in kernel mode
[.] #PF: error_code(0x0000) - not-present page
[.] PGD c04c8bf067 P4D c04c8bf067 PUD c04c8be067 PMD 0
[.] Oops: 0000 [#1] SMP
[.] RIP: 0010:ima_restore_measurement_list+0x95/0x4b0
[.] RSP: 0018:ffffc900000d3a80 EFLAGS: 00010286
[.] RAX: 0000000000001000 RBX: 0000000000000000 RCX: ffff89834ffff000
[.] RDX: 0000000000000018 RSI: ffff89834ffff000 RDI: ffff89834ffff018
[.] RBP: ffffc900000d3ba0 R08: 0000000000000020 R09: ffff888132b8a900
[.] R10: 4000000000000000 R11: 000000003a616d69 R12: 0000000000000000
[.] R13: ffffffff8404ac28 R14: 0000000000000000 R15: ffff89834ffff000
[.] FS:  0000000000000000(0000) GS:ffff893d44640000(0000) knlGS:0000000000000000
[.] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[.] ata5: SATA link down (SStatus 0 SControl 300)
[.] CR2: ffff89834ffff000 CR3: 000001034d00f001 CR4: 0000000000770ef0
[.] PKRU: 55555554
[.] Call Trace:
[.]  <TASK>
[.]  ? __die+0x78/0xc0
[.]  ? page_fault_oops+0x2a8/0x3a0
[.]  ? exc_page_fault+0x84/0x130
[.]  ? asm_exc_page_fault+0x22/0x30
[.]  ? ima_restore_measurement_list+0x95/0x4b0
[.]  ? template_desc_init_fields+0x317/0x410
[.]  ? crypto_alloc_tfm_node+0x9c/0xc0
[.]  ? init_ima_lsm+0x30/0x30
[.]  ima_load_kexec_buffer+0x72/0xa0
[.]  ima_init+0x44/0xa0
[.]  __initstub__kmod_ima__373_1201_init_ima7+0x1e/0xb0
[.]  ? init_ima_lsm+0x30/0x30
[.]  do_one_initcall+0xad/0x200
[.]  ? idr_alloc_cyclic+0xaa/0x110
[.]  ? new_slab+0x12c/0x420
[.]  ? new_slab+0x12c/0x420
[.]  ? number+0x12a/0x430
[.]  ? sysvec_apic_timer_interrupt+0xa/0x80
[.]  ? asm_sysvec_apic_timer_interrupt+0x16/0x20
[.]  ? parse_args+0xd4/0x380
[.]  ? parse_args+0x14b/0x380
[.]  kernel_init_freeable+0x1c1/0x2b0
[.]  ? rest_init+0xb0/0xb0
[.]  kernel_init+0x16/0x1a0
[.]  ret_from_fork+0x2f/0x40
[.]  ? rest_init+0xb0/0xb0
[.]  ret_from_fork_asm+0x11/0x20
[.]  </TASK>
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50303

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-50304
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()

The per-netns IP tunnel hash table is protected by the RTNL mutex and
ip_tunnel_find() is only called from the control path where the mutex is
taken.

Add a lockdep expression to hlist_for_each_entry_rcu() in
ip_tunnel_find() in order to validate that the mutex is held and to
silence the suspicious RCU usage warning [1].

[1]
WARNING: suspicious RCU usage
6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted
-----------------------------
net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by ip/362:
 #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60

stack backtrace:
CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
 <TASK>
 dump_stack_lvl+0xba/0x110
 lockdep_rcu_suspicious.cold+0x4f/0xd6
 ip_tunnel_find+0x435/0x4d0
 ip_tunnel_newlink+0x517/0x7a0
 ipgre_newlink+0x14c/0x170
 __rtnl_newlink+0x1173/0x19c0
 rtnl_newlink+0x6c/0xa0
 rtnetlink_rcv_msg+0x3cc/0xf60
 netlink_rcv_skb+0x171/0x450
 netlink_unicast+0x539/0x7f0
 netlink_sendmsg+0x8c1/0xd80
 ____sys_sendmsg+0x8f9/0xc20
 ___sys_sendmsg+0x197/0x1e0
 __sys_sendmsg+0x122/0x1f0
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50304

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53042
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow()

There are code paths from which the function is called without holding
the RCU read lock, resulting in a suspicious RCU usage warning [1].

Fix by using l3mdev_master_upper_ifindex_by_index() which will acquire
the RCU read lock before calling
l3mdev_master_upper_ifindex_by_index_rcu().

[1]
WARNING: suspicious RCU usage
6.12.0-rc3-custom-gac8f72681cf2 #141 Not tainted
-----------------------------
net/core/dev.c:876 RCU-list traversed in non-reader section!!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by ip/361:
 #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60

stack backtrace:
CPU: 3 UID: 0 PID: 361 Comm: ip Not tainted 6.12.0-rc3-custom-gac8f72681cf2 #141
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
 <TASK>
 dump_stack_lvl+0xba/0x110
 lockdep_rcu_suspicious.cold+0x4f/0xd6
 dev_get_by_index_rcu+0x1d3/0x210
 l3mdev_master_upper_ifindex_by_index_rcu+0x2b/0xf0
 ip_tunnel_bind_dev+0x72f/0xa00
 ip_tunnel_newlink+0x368/0x7a0
 ipgre_newlink+0x14c/0x170
 __rtnl_newlink+0x1173/0x19c0
 rtnl_newlink+0x6c/0xa0
 rtnetlink_rcv_msg+0x3cc/0xf60
 netlink_rcv_skb+0x171/0x450
 netlink_unicast+0x539/0x7f0
 netlink_sendmsg+0x8c1/0xd80
 ____sys_sendmsg+0x8f9/0xc20
 ___sys_sendmsg+0x197/0x1e0
 __sys_sendmsg+0x122/0x1f0
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53042

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53043
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mctp i2c: handle NULL header address

daddr can be NULL if there is no neighbour table entry present,
in that case the tx packet should be dropped.

saddr will usually be set by MCTP core, but check for NULL in case a
packet is transmitted by a different protocol.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53043

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53044
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()

This command:

$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact
Error: block dev insert failed: -EBUSY.

fails because user space requests the same block index to be set for
both ingress and egress.

[ side note, I don't think it even failed prior to commit 913b47d3424e
  ("net/sched: Introduce tc block netdev tracking infra"), because this
  is a command from an old set of notes of mine which used to work, but
  alas, I did not scientifically bisect this ]

The problem is not that it fails, but rather, that the second time
around, it fails differently (and irrecoverably):

$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact
Error: dsa_core: Flow block cb is busy.

[ another note: the extack is added by me for illustration purposes.
  the context of the problem is that clsact_init() obtains the same
  &q->ingress_block pointer as &q->egress_block, and since we call
  tcf_block_get_ext() on both of them, "dev" will be added to the
  block->ports xarray twice, thus failing the operation: once through
  the ingress block pointer, and once again through the egress block
  pointer. the problem itself is that when xa_insert() fails, we have
  emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the
  offload never sees a corresponding FLOW_BLOCK_UNBIND. ]

Even correcting the bad user input, we still cannot recover:

$ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact
Error: dsa_core: Flow block cb is busy.

Basically the only way to recover is to reboot the system, or unbind and
rebind the net device driver.

To fix the bug, we need to fill the correct error teardown path which
was missed during code movement, and call tcf_block_offload_unbind()
when xa_insert() fails.

[ last note, fundamentally I blame the label naming convention in
  tcf_block_get_ext() for the bug. The labels should be named after what
  they do, not after the error path that jumps to them. This way, it is
  obviously wrong that two labels pointing to the same code mean
  something is wrong, and checking the code correctness at the goto site
  is also easier ]
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53044

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53045
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ASoC: dapm: fix bounds checker error in dapm_widget_list_create

The widgets array in the snd_soc_dapm_widget_list has a __counted_by
attribute attached to it, which points to the num_widgets variable. This
attribute is used in bounds checking, and if it is not set before the
array is filled, then the bounds sanitizer will issue a warning or a
kernel panic if CONFIG_UBSAN_TRAP is set.

This patch sets the size of the widgets list calculated with
list_for_each as the initial value for num_widgets as it is used for
allocating memory for the array. It is updated with the actual number of
added elements after the array is filled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53045

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53046
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

arm64: dts: imx8ulp: correct the flexspi compatible string

The flexspi on imx8ulp only has 16 LUTs, and imx8mm flexspi has
32 LUTs, so correct the compatible string here, otherwise will
meet below error:

[    1.119072] ------------[ cut here ]------------
[    1.123926] WARNING: CPU: 0 PID: 1 at drivers/spi/spi-nxp-fspi.c:855 nxp_fspi_exec_op+0xb04/0xb64
[    1.133239] Modules linked in:
[    1.136448] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-rc6-next-20240902-00001-g131bf9439dd9 #69
[    1.146821] Hardware name: NXP i.MX8ULP EVK (DT)
[    1.151647] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    1.158931] pc : nxp_fspi_exec_op+0xb04/0xb64
[    1.163496] lr : nxp_fspi_exec_op+0xa34/0xb64
[    1.168060] sp : ffff80008002b2a0
[    1.171526] x29: ffff80008002b2d0 x28: 0000000000000000 x27: 0000000000000000
[    1.179002] x26: ffff2eb645542580 x25: ffff800080610014 x24: ffff800080610000
[    1.186480] x23: ffff2eb645548080 x22: 0000000000000006 x21: ffff2eb6455425e0
[    1.193956] x20: 0000000000000000 x19: ffff80008002b5e0 x18: ffffffffffffffff
[    1.201432] x17: ffff2eb644467508 x16: 0000000000000138 x15: 0000000000000002
[    1.208907] x14: 0000000000000000 x13: ffff2eb6400d8080 x12: 00000000ffffff00
[    1.216378] x11: 0000000000000000 x10: ffff2eb6400d8080 x9 : ffff2eb697adca80
[    1.223850] x8 : ffff2eb697ad3cc0 x7 : 0000000100000000 x6 : 0000000000000001
[    1.231324] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000007a6
[    1.238795] x2 : 0000000000000000 x1 : 00000000000001ce x0 : 00000000ffffff92
[    1.246267] Call trace:
[    1.248824]  nxp_fspi_exec_op+0xb04/0xb64
[    1.253031]  spi_mem_exec_op+0x3a0/0x430
[    1.257139]  spi_nor_read_id+0x80/0xcc
[    1.261065]  spi_nor_scan+0x1ec/0xf10
[    1.264901]  spi_nor_probe+0x108/0x2fc
[    1.268828]  spi_mem_probe+0x6c/0xbc
[    1.272574]  spi_probe+0x84/0xe4
[    1.275958]  really_probe+0xbc/0x29c
[    1.279713]  __driver_probe_device+0x78/0x12c
[    1.284277]  driver_probe_device+0xd8/0x15c
[    1.288660]  __device_attach_driver+0xb8/0x134
[    1.293316]  bus_for_each_drv+0x88/0xe8
[    1.297337]  __device_attach+0xa0/0x190
[    1.301353]  device_initial_probe+0x14/0x20
[    1.305734]  bus_probe_device+0xac/0xb0
[    1.309752]  device_add+0x5d0/0x790
[    1.313408]  __spi_add_device+0x134/0x204
[    1.317606]  of_register_spi_device+0x3b4/0x590
[    1.322348]  spi_register_controller+0x47c/0x754
[    1.327181]  devm_spi_register_controller+0x4c/0xa4
[    1.332289]  nxp_fspi_probe+0x1cc/0x2b0
[    1.336307]  platform_probe+0x68/0xc4
[    1.340145]  really_probe+0xbc/0x29c
[    1.343893]  __driver_probe_device+0x78/0x12c
[    1.348457]  driver_probe_device+0xd8/0x15c
[    1.352838]  __driver_attach+0x90/0x19c
[    1.356857]  bus_for_each_dev+0x7c/0xdc
[    1.360877]  driver_attach+0x24/0x30
[    1.364624]  bus_add_driver+0xe4/0x208
[    1.368552]  driver_register+0x5c/0x124
[    1.372573]  __platform_driver_register+0x28/0x34
[    1.377497]  nxp_fspi_driver_init+0x1c/0x28
[    1.381888]  do_one_initcall+0x80/0x1c8
[    1.385908]  kernel_init_freeable+0x1c4/0x28c
[    1.390472]  kernel_init+0x20/0x1d8
[    1.394138]  ret_from_fork+0x10/0x20
[    1.397885] ---[ end trace 0000000000000000 ]---
[    1.407908] ------------[ cut here ]------------
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53046

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53047
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mptcp: init: protect sched with rcu_read_lock

Enabling CONFIG_PROVE_RCU_LIST with its dependence CONFIG_RCU_EXPERT
creates this splat when an MPTCP socket is created:

  =============================
  WARNING: suspicious RCU usage
  6.12.0-rc2+ #11 Not tainted
  -----------------------------
  net/mptcp/sched.c:44 RCU-list traversed in non-reader section!!

  other info that might help us debug this:

  rcu_scheduler_active = 2, debug_locks = 1
  no locks held by mptcp_connect/176.

  stack backtrace:
  CPU: 0 UID: 0 PID: 176 Comm: mptcp_connect Not tainted 6.12.0-rc2+ #11
  Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  Call Trace:
   <TASK>
   dump_stack_lvl (lib/dump_stack.c:123)
   lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
   mptcp_sched_find (net/mptcp/sched.c:44 (discriminator 7))
   mptcp_init_sock (net/mptcp/protocol.c:2867 (discriminator 1))
   ? sock_init_data_uid (arch/x86/include/asm/atomic.h:28)
   inet_create.part.0.constprop.0 (net/ipv4/af_inet.c:386)
   ? __sock_create (include/linux/rcupdate.h:347 (discriminator 1))
   __sock_create (net/socket.c:1576)
   __sys_socket (net/socket.c:1671)
   ? __pfx___sys_socket (net/socket.c:1712)
   ? do_user_addr_fault (arch/x86/mm/fault.c:1419 (discriminator 1))
   __x64_sys_socket (net/socket.c:1728)
   do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1))
   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

That's because when the socket is initialised, rcu_read_lock() is not
used despite the explicit comment written above the declaration of
mptcp_sched_find() in sched.c. Adding the missing lock/unlock avoids the
warning.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53047

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53048
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

ice: fix crash on probe for DPLL enabled E810 LOM

The E810 Lan On Motherboard (LOM) design is vendor specific. Intel
provides the reference design, but it is up to vendor on the final
product design. For some cases, like Linux DPLL support, the static
values defined in the driver does not reflect the actual LOM design.
Current implementation of dpll pins is causing the crash on probe
of the ice driver for such DPLL enabled E810 LOM designs:

WARNING: (...) at drivers/dpll/dpll_core.c:495 dpll_pin_get+0x2c4/0x330
...
Call Trace:
 <TASK>
 ? __warn+0x83/0x130
 ? dpll_pin_get+0x2c4/0x330
 ? report_bug+0x1b7/0x1d0
 ? handle_bug+0x42/0x70
 ? exc_invalid_op+0x18/0x70
 ? asm_exc_invalid_op+0x1a/0x20
 ? dpll_pin_get+0x117/0x330
 ? dpll_pin_get+0x2c4/0x330
 ? dpll_pin_get+0x117/0x330
 ice_dpll_get_pins.isra.0+0x52/0xe0 [ice]
...

The number of dpll pins enabled by LOM vendor is greater than expected
and defined in the driver for Intel designed NICs, which causes the crash.

Prevent the crash and allow generic pin initialization within Linux DPLL
subsystem for DPLL enabled E810 LOM designs.

Newly designed solution for described issue will be based on "per HW
design" pin initialization. It requires pin information dynamically
acquired from the firmware and is already in progress, planned for
next-tree only.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53048

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53049
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

slub/kunit: fix a WARNING due to unwrapped __kmalloc_cache_noprof

'modprobe slub_kunit' will have a warning as shown below. The root cause
is that __kmalloc_cache_noprof was directly used, which resulted in no
alloc_tag being allocated. This caused current->alloc_tag to be null,
leading to a warning in alloc_tag_add_check.

Let's add an alloc_hook layer to __kmalloc_cache_noprof specifically
within lib/slub_kunit.c, which is the only user of this internal slub
function outside kmalloc implementation itself.

[58162.947016] WARNING: CPU: 2 PID: 6210 at
./include/linux/alloc_tag.h:125 alloc_tagging_slab_alloc_hook+0x268/0x27c
[58162.957721] Call trace:
[58162.957919]  alloc_tagging_slab_alloc_hook+0x268/0x27c
[58162.958286]  __kmalloc_cache_noprof+0x14c/0x344
[58162.958615]  test_kmalloc_redzone_access+0x50/0x10c [slub_kunit]
[58162.959045]  kunit_try_run_case+0x74/0x184 [kunit]
[58162.959401]  kunit_generic_run_threadfn_adapter+0x2c/0x4c [kunit]
[58162.959841]  kthread+0x10c/0x118
[58162.960093]  ret_from_fork+0x10/0x20
[58162.960363] ---[ end trace 0000000000000000 ]---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53049

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53050
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/i915/hdcp: Add encoder check in hdcp2_get_capability

Add encoder check in intel_hdcp2_get_capability to avoid
null pointer error.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53050

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53051
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability

Sometimes during hotplug scenario or suspend/resume scenario encoder is
not always initialized when intel_hdcp_get_capability add
a check to avoid kernel null pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53051

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53052
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

io_uring/rw: fix missing NOWAIT check for O_DIRECT start write

When io_uring starts a write, it'll call kiocb_start_write() to bump the
super block rwsem, preventing any freezes from happening while that
write is in-flight. The freeze side will grab that rwsem for writing,
excluding any new writers from happening and waiting for existing writes
to finish. But io_uring unconditionally uses kiocb_start_write(), which
will block if someone is currently attempting to freeze the mount point.
This causes a deadlock where freeze is waiting for previous writes to
complete, but the previous writes cannot complete, as the task that is
supposed to complete them is blocked waiting on starting a new write.
This results in the following stuck trace showing that dependency with
the write blocked starting a new write:

task:fio             state:D stack:0     pid:886   tgid:886   ppid:876
Call trace:
 __switch_to+0x1d8/0x348
 __schedule+0x8e8/0x2248
 schedule+0x110/0x3f0
 percpu_rwsem_wait+0x1e8/0x3f8
 __percpu_down_read+0xe8/0x500
 io_write+0xbb8/0xff8
 io_issue_sqe+0x10c/0x1020
 io_submit_sqes+0x614/0x2110
 __arm64_sys_io_uring_enter+0x524/0x1038
 invoke_syscall+0x74/0x268
 el0_svc_common.constprop.0+0x160/0x238
 do_el0_svc+0x44/0x60
 el0_svc+0x44/0xb0
 el0t_64_sync_handler+0x118/0x128
 el0t_64_sync+0x168/0x170
INFO: task fsfreeze:7364 blocked for more than 15 seconds.
      Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963

with the attempting freezer stuck trying to grab the rwsem:

task:fsfreeze        state:D stack:0     pid:7364  tgid:7364  ppid:995
Call trace:
 __switch_to+0x1d8/0x348
 __schedule+0x8e8/0x2248
 schedule+0x110/0x3f0
 percpu_down_write+0x2b0/0x680
 freeze_super+0x248/0x8a8
 do_vfs_ioctl+0x149c/0x1b18
 __arm64_sys_ioctl+0xd0/0x1a0
 invoke_syscall+0x74/0x268
 el0_svc_common.constprop.0+0x160/0x238
 do_el0_svc+0x44/0x60
 el0_svc+0x44/0xb0
 el0t_64_sync_handler+0x118/0x128
 el0t_64_sync+0x168/0x170

Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a
blocking grab of the super block rwsem if it isn't set. For normal issue
where IOCB_NOWAIT would always be set, this returns -EAGAIN which will
have io_uring core issue a blocking attempt of the write. That will in
turn also get completions run, ensuring forward progress.

Since freezing requires CAP_SYS_ADMIN in the first place, this isn't
something that can be triggered by a regular user.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53052

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53053
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix another deadlock during RTC update

If ufshcd_rtc_work calls ufshcd_rpm_put_sync() and the pm's usage_count
is 0, we will enter the runtime suspend callback.  However, the runtime
suspend callback will wait to flush ufshcd_rtc_work, causing a deadlock.

Replace ufshcd_rpm_put_sync() with ufshcd_rpm_put() to avoid the
deadlock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53053

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53055
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: fix 6 GHz scan construction

If more than 255 colocated APs exist for the set of all
APs found during 2.4/5 GHz scanning, then the 6 GHz scan
construction will loop forever since the loop variable
has type u8, which can never reach the number found when
that's bigger than 255, and is stored in a u32 variable.
Also move it into the loops to have a smaller scope.

Using a u32 there is fine, we limit the number of APs in
the scan list and each has a limit on the number of RNR
entries due to the frame size. With a limit of 1000 scan
results, a frame size upper bound of 4096 (really it's
more like ~2300) and a TBTT entry size of at least 11,
we get an upper bound for the number of ~372k, well in
the bounds of a u32.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53055

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53056
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()

In mtk_crtc_create(), if the call to mbox_request_channel() fails then we
set the "mtk_crtc->cmdq_client.chan" pointer to NULL.  In that situation,
we do not call cmdq_pkt_create().

During the cleanup, we need to check if the "mtk_crtc->cmdq_client.chan"
is NULL first before calling cmdq_pkt_destroy().  Calling
cmdq_pkt_destroy() is unnecessary if we didn't call cmdq_pkt_create() and
it will result in a NULL pointer dereference.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53056

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53057
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
to be either root or ingress. This assumption is bogus since it's valid
to create egress qdiscs with major handle ffff:
Budimir Markovic found that for qdiscs like DRR that maintain an active
class list, it will cause a UAF with a dangling class pointer.

In 066a3b5b2346, the concern was to avoid iterating over the ingress
qdisc since its parent is itself. The proper fix is to stop when parent
TC_H_ROOT is reached because the only way to retrieve ingress is when a
hierarchy which does not contain a ffff: major handle call into
qdisc_lookup with TC_H_MAJ(TC_H_ROOT).

In the scenario where major ffff: is an egress qdisc in any of the tree
levels, the updates will also propagate to TC_H_ROOT, which then the
iteration must stop.


 net/sched/sch_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53057

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53058
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data

In case the non-paged data of a SKB carries protocol header and protocol
payload to be transmitted on a certain platform that the DMA AXI address
width is configured to 40-bit/48-bit, or the size of the non-paged data
is bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI
address width is configured to 32-bit, then this SKB requires at least
two DMA transmit descriptors to serve it.

For example, three descriptors are allocated to split one DMA buffer
mapped from one piece of non-paged data:
    dma_desc[N + 0],
    dma_desc[N + 1],
    dma_desc[N + 2].
Then three elements of tx_q->tx_skbuff_dma[] will be allocated to hold
extra information to be reused in stmmac_tx_clean():
    tx_q->tx_skbuff_dma[N + 0],
    tx_q->tx_skbuff_dma[N + 1],
    tx_q->tx_skbuff_dma[N + 2].
Now we focus on tx_q->tx_skbuff_dma[entry].buf, which is the DMA buffer
address returned by DMA mapping call. stmmac_tx_clean() will try to
unmap the DMA buffer _ONLY_IF_ tx_q->tx_skbuff_dma[entry].buf
is a valid buffer address.

The expected behavior that saves DMA buffer address of this non-paged
data to tx_q->tx_skbuff_dma[entry].buf is:
    tx_q->tx_skbuff_dma[N + 0].buf = NULL;
    tx_q->tx_skbuff_dma[N + 1].buf = NULL;
    tx_q->tx_skbuff_dma[N + 2].buf = dma_map_single();
Unfortunately, the current code misbehaves like this:
    tx_q->tx_skbuff_dma[N + 0].buf = dma_map_single();
    tx_q->tx_skbuff_dma[N + 1].buf = NULL;
    tx_q->tx_skbuff_dma[N + 2].buf = NULL;

On the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the
DMA engine, tx_q->tx_skbuff_dma[N + 0].buf is a valid buffer address
obviously, then the DMA buffer will be unmapped immediately.
There may be a rare case that the DMA engine does not finish the
pending dma_desc[N + 1], dma_desc[N + 2] yet. Now things will go
horribly wrong, DMA is going to access a unmapped/unreferenced memory
region, corrupted data will be transmited or iommu fault will be
triggered :(

In contrast, the for-loop that maps SKB fragments behaves perfectly
as expected, and that is how the driver should do for both non-paged
data and paged frags actually.

This patch corrects DMA map/unmap sequences by fixing the array index
for tx_q->tx_skbuff_dma[entry].buf when assigning DMA buffer address.

Tested and verified on DWXGMAC CORE 3.20a
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53058

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53061
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: s5p-jpeg: prevent buffer overflows

The current logic allows word to be less than 2. If this happens,
there will be buffer overflows, as reported by smatch. Add extra
checks to prevent it.

While here, remove an unused word = 0 assignment.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53061

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53062
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: mgb4: protect driver against spectre

Frequency range is set from sysfs via frequency_range_store(),
being vulnerable to spectre, as reported by smatch:

	drivers/media/pci/mgb4/mgb4_cmt.c:231 mgb4_cmt_set_vin_freq_range() warn: potential spectre issue 'cmt_vals_in' [r]
	drivers/media/pci/mgb4/mgb4_cmt.c:238 mgb4_cmt_set_vin_freq_range() warn: possible spectre second half.  'reg_set'

Fix it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53062

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53063
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: dvbdev: prevent the risk of out of memory access

The dvbdev contains a static variable used to store dvb minors.

The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set
or not. When not set, dvb_register_device() won't check for
boundaries, as it will rely that a previous call to
dvb_register_adapter() would already be enforcing it.

On a similar way, dvb_device_open() uses the assumption
that the register functions already did the needed checks.

This can be fragile if some device ends using different
calls. This also generate warnings on static check analysers
like Coverity.

So, add explicit guards to prevent potential risk of OOM issues.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53063

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53064
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

idpf: fix idpf_vc_core_init error path

In an event where the platform running the device control plane
is rebooted, reset is detected on the driver. It releases
all the resources and waits for the reset to complete. Once the
reset is done, it tries to build the resources back. At this
time if the device control plane is not yet started, then
the driver timeouts on the virtchnl message and retries to
establish the mailbox again.

In the retry flow, mailbox is deinitialized but the mailbox
workqueue is still alive and polling for the mailbox message.
This results in accessing the released control queue leading to
null-ptr-deref. Fix it by unrolling the work queue cancellation
and mailbox deinitialization in the reverse order which they got
initialized.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53064

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53065
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/slab: fix warning caused by duplicate kmem_cache creation in kmem_buckets_create

Commit b035f5a6d852 ("mm: slab: reduce the kmalloc() minimum alignment
if DMA bouncing possible") reduced ARCH_KMALLOC_MINALIGN to 8 on arm64.
However, with KASAN_HW_TAGS enabled, arch_slab_minalign() becomes 16.
This causes kmalloc_caches[*][8] to be aliased to kmalloc_caches[*][16],
resulting in kmem_buckets_create() attempting to create a kmem_cache for
size 16 twice. This duplication triggers warnings on boot:

[    2.325108] ------------[ cut here ]------------
[    2.325135] kmem_cache of name 'memdup_user-16' already exists
[    2.325783] WARNING: CPU: 0 PID: 1 at mm/slab_common.c:107 __kmem_cache_create_args+0xb8/0x3b0
[    2.327957] Modules linked in:
[    2.328550] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5mm-unstable-arm64+ #12
[    2.328683] Hardware name: QEMU QEMU Virtual Machine, BIOS 2024.02-2 03/11/2024
[    2.328790] pstate: 61000009 (nZCv daif -PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[    2.328911] pc : __kmem_cache_create_args+0xb8/0x3b0
[    2.328930] lr : __kmem_cache_create_args+0xb8/0x3b0
[    2.328942] sp : ffff800083d6fc50
[    2.328961] x29: ffff800083d6fc50 x28: f2ff0000c1674410 x27: ffff8000820b0598
[    2.329061] x26: 000000007fffffff x25: 0000000000000010 x24: 0000000000002000
[    2.329101] x23: ffff800083d6fce8 x22: ffff8000832222e8 x21: ffff800083222388
[    2.329118] x20: f2ff0000c1674410 x19: f5ff0000c16364c0 x18: ffff800083d80030
[    2.329135] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[    2.329152] x14: 0000000000000000 x13: 0a73747369786520 x12: 79646165726c6120
[    2.329169] x11: 656820747563205b x10: 2d2d2d2d2d2d2d2d x9 : 0000000000000000
[    2.329194] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
[    2.329210] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[    2.329226] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
[    2.329291] Call trace:
[    2.329407]  __kmem_cache_create_args+0xb8/0x3b0
[    2.329499]  kmem_buckets_create+0xfc/0x320
[    2.329526]  init_user_buckets+0x34/0x78
[    2.329540]  do_one_initcall+0x64/0x3c8
[    2.329550]  kernel_init_freeable+0x26c/0x578
[    2.329562]  kernel_init+0x3c/0x258
[    2.329574]  ret_from_fork+0x10/0x20
[    2.329698] ---[ end trace 0000000000000000 ]---

[    2.403704] ------------[ cut here ]------------
[    2.404716] kmem_cache of name 'msg_msg-16' already exists
[    2.404801] WARNING: CPU: 2 PID: 1 at mm/slab_common.c:107 __kmem_cache_create_args+0xb8/0x3b0
[    2.404842] Modules linked in:
[    2.404971] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.12.0-rc5mm-unstable-arm64+ #12
[    2.405026] Tainted: [W]=WARN
[    2.405043] Hardware name: QEMU QEMU Virtual Machine, BIOS 2024.02-2 03/11/2024
[    2.405057] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    2.405079] pc : __kmem_cache_create_args+0xb8/0x3b0
[    2.405100] lr : __kmem_cache_create_args+0xb8/0x3b0
[    2.405111] sp : ffff800083d6fc50
[    2.405115] x29: ffff800083d6fc50 x28: fbff0000c1674410 x27: ffff8000820b0598
[    2.405135] x26: 000000000000ffd0 x25: 0000000000000010 x24: 0000000000006000
[    2.405153] x23: ffff800083d6fce8 x22: ffff8000832222e8 x21: ffff800083222388
[    2.405169] x20: fbff0000c1674410 x19: fdff0000c163d6c0 x18: ffff800083d80030
[    2.405185] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[    2.405201] x14: 0000000000000000 x13: 0a73747369786520 x12: 79646165726c6120
[    2.405217] x11: 656820747563205b x10: 2d2d2d2d2d2d2d2d x9 : 0000000000000000
[    2.405233] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
[    2.405248] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[    2.405271] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
[    2.405287] Call trace:
[    2
---truncated---
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53065

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53066
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

nfs: Fix KMSAN warning in decode_getfattr_attrs()

Fix the following KMSAN warning:

CPU: 1 UID: 0 PID: 7651 Comm: cp Tainted: G    B
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
=====================================================
=====================================================
BUG: KMSAN: uninit-value in decode_getfattr_attrs+0x2d6d/0x2f90
 decode_getfattr_attrs+0x2d6d/0x2f90
 decode_getfattr_generic+0x806/0xb00
 nfs4_xdr_dec_getattr+0x1de/0x240
 rpcauth_unwrap_resp_decode+0xab/0x100
 rpcauth_unwrap_resp+0x95/0xc0
 call_decode+0x4ff/0xb50
 __rpc_execute+0x57b/0x19d0
 rpc_execute+0x368/0x5e0
 rpc_run_task+0xcfe/0xee0
 nfs4_proc_getattr+0x5b5/0x990
 __nfs_revalidate_inode+0x477/0xd00
 nfs_access_get_cached+0x1021/0x1cc0
 nfs_do_access+0x9f/0xae0
 nfs_permission+0x1e4/0x8c0
 inode_permission+0x356/0x6c0
 link_path_walk+0x958/0x1330
 path_lookupat+0xce/0x6b0
 filename_lookup+0x23e/0x770
 vfs_statx+0xe7/0x970
 vfs_fstatat+0x1f2/0x2c0
 __se_sys_newfstatat+0x67/0x880
 __x64_sys_newfstatat+0xbd/0x120
 x64_sys_call+0x1826/0x3cf0
 do_syscall_64+0xd0/0x1b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The KMSAN warning is triggered in decode_getfattr_attrs(), when calling
decode_attr_mdsthreshold(). It appears that fattr->mdsthreshold is not
initialized.

Fix the issue by initializing fattr->mdsthreshold to NULL in
nfs_fattr_init().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53066

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53067
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Start the RTC update work later

The RTC update work involves runtime resuming the UFS controller. Hence,
only start the RTC update work after runtime power management in the UFS
driver has been fully initialized. This patch fixes the following kernel
crash:

Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Workqueue: events ufshcd_rtc_work
Call trace:
 _raw_spin_lock_irqsave+0x34/0x8c (P)
 pm_runtime_get_if_active+0x24/0x9c (L)
 pm_runtime_get_if_active+0x24/0x9c
 ufshcd_rtc_work+0x138/0x1b4
 process_one_work+0x148/0x288
 worker_thread+0x2cc/0x3d4
 kthread+0x110/0x114
 ret_from_fork+0x10/0x20
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53067

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53068
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()

The scmi_dev->name is released prematurely in __scmi_device_destroy(),
which causes slab-use-after-free when accessing scmi_dev->name in
scmi_bus_notifier(). So move the release of scmi_dev->name to
scmi_device_release() to avoid slab-use-after-free.

  |  BUG: KASAN: slab-use-after-free in strncmp+0xe4/0xec
  |  Read of size 1 at addr ffffff80a482bcc0 by task swapper/0/1
  |
  |  CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.6.38-debug #1
  |  Hardware name: Qualcomm Technologies, Inc. SA8775P Ride (DT)
  |  Call trace:
  |   dump_backtrace+0x94/0x114
  |   show_stack+0x18/0x24
  |   dump_stack_lvl+0x48/0x60
  |   print_report+0xf4/0x5b0
  |   kasan_report+0xa4/0xec
  |   __asan_report_load1_noabort+0x20/0x2c
  |   strncmp+0xe4/0xec
  |   scmi_bus_notifier+0x5c/0x54c
  |   notifier_call_chain+0xb4/0x31c
  |   blocking_notifier_call_chain+0x68/0x9c
  |   bus_notify+0x54/0x78
  |   device_del+0x1bc/0x840
  |   device_unregister+0x20/0xb4
  |   __scmi_device_destroy+0xac/0x280
  |   scmi_device_destroy+0x94/0xd0
  |   scmi_chan_setup+0x524/0x750
  |   scmi_probe+0x7fc/0x1508
  |   platform_probe+0xc4/0x19c
  |   really_probe+0x32c/0x99c
  |   __driver_probe_device+0x15c/0x3c4
  |   driver_probe_device+0x5c/0x170
  |   __driver_attach+0x1c8/0x440
  |   bus_for_each_dev+0xf4/0x178
  |   driver_attach+0x3c/0x58
  |   bus_add_driver+0x234/0x4d4
  |   driver_register+0xf4/0x3c0
  |   __platform_driver_register+0x60/0x88
  |   scmi_driver_init+0xb0/0x104
  |   do_one_initcall+0xb4/0x664
  |   kernel_init_freeable+0x3c8/0x894
  |   kernel_init+0x24/0x1e8
  |   ret_from_fork+0x10/0x20
  |
  |  Allocated by task 1:
  |   kasan_save_stack+0x2c/0x54
  |   kasan_set_track+0x2c/0x40
  |   kasan_save_alloc_info+0x24/0x34
  |   __kasan_kmalloc+0xa0/0xb8
  |   __kmalloc_node_track_caller+0x6c/0x104
  |   kstrdup+0x48/0x84
  |   kstrdup_const+0x34/0x40
  |   __scmi_device_create.part.0+0x8c/0x408
  |   scmi_device_create+0x104/0x370
  |   scmi_chan_setup+0x2a0/0x750
  |   scmi_probe+0x7fc/0x1508
  |   platform_probe+0xc4/0x19c
  |   really_probe+0x32c/0x99c
  |   __driver_probe_device+0x15c/0x3c4
  |   driver_probe_device+0x5c/0x170
  |   __driver_attach+0x1c8/0x440
  |   bus_for_each_dev+0xf4/0x178
  |   driver_attach+0x3c/0x58
  |   bus_add_driver+0x234/0x4d4
  |   driver_register+0xf4/0x3c0
  |   __platform_driver_register+0x60/0x88
  |   scmi_driver_init+0xb0/0x104
  |   do_one_initcall+0xb4/0x664
  |   kernel_init_freeable+0x3c8/0x894
  |   kernel_init+0x24/0x1e8
  |   ret_from_fork+0x10/0x20
  |
  |  Freed by task 1:
  |   kasan_save_stack+0x2c/0x54
  |   kasan_set_track+0x2c/0x40
  |   kasan_save_free_info+0x38/0x5c
  |   __kasan_slab_free+0xe8/0x164
  |   __kmem_cache_free+0x11c/0x230
  |   kfree+0x70/0x130
  |   kfree_const+0x20/0x40
  |   __scmi_device_destroy+0x70/0x280
  |   scmi_device_destroy+0x94/0xd0
  |   scmi_chan_setup+0x524/0x750
  |   scmi_probe+0x7fc/0x1508
  |   platform_probe+0xc4/0x19c
  |   really_probe+0x32c/0x99c
  |   __driver_probe_device+0x15c/0x3c4
  |   driver_probe_device+0x5c/0x170
  |   __driver_attach+0x1c8/0x440
  |   bus_for_each_dev+0xf4/0x178
  |   driver_attach+0x3c/0x58
  |   bus_add_driver+0x234/0x4d4
  |   driver_register+0xf4/0x3c0
  |   __platform_driver_register+0x60/0x88
  |   scmi_driver_init+0xb0/0x104
  |   do_one_initcall+0xb4/0x664
  |   kernel_init_freeable+0x3c8/0x894
  |   kernel_init+0x24/0x1e8
  |   ret_from_fork+0x10/0x20
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53068

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53069
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

firmware: qcom: scm: fix a NULL-pointer dereference

Some SCM calls can be invoked with __scm being NULL (the driver may not
have been and will not be probed as there's no SCM entry in device-tree).
Make sure we don't dereference a NULL pointer.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53069

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53070
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: fix fault at system suspend if device was already runtime suspended

If the device was already runtime suspended then during system suspend
we cannot access the device registers else it will crash.

Also we cannot access any registers after dwc3_core_exit() on some
platforms so move the dwc3_enable_susphy() call to the top.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53070

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53071
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Be stricter about IO mapping flags

The current panthor_device_mmap_io() implementation has two issues:

1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET,
   panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear
   VM_MAYWRITE. That means userspace can use mprotect() to make the mapping
   writable later on. This is a classic Linux driver gotcha.
   I don't think this actually has any impact in practice:
   When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and
   when the GPU is not powered, the dummy_latest_flush page provided by the
   driver is deliberately designed to not do any flushes, so the only thing
   writing to the dummy_latest_flush could achieve would be to make *more*
   flushes happen.

2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are
   mappings without the VM_SHARED flag).
   MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has
   copy-on-write semantics, which for VM_PFNMAP are semi-supported but
   fairly cursed.
   In particular, in such a mapping, the driver can only install PTEs
   during mmap() by calling remap_pfn_range() (because remap_pfn_range()
   wants to **store the physical address of the mapped physical memory into
   the vm_pgoff of the VMA**); installing PTEs later on with a fault
   handler (as panthor does) is not supported in private mappings, and so
   if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when
   it hits a BUG() check.

Fix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID
doesn't make sense) and requiring VM_SHARED (copy-on-write semantics for
the FLUSH_ID don't make sense).

Reproducers for both scenarios are in the notes of my patch on the mailing
list; I tested that these bugs exist on a Rock 5B machine.

Note that I only compile-tested the patch, I haven't tested it; I don't
have a working kernel build setup for the test machine yet. Please test it
before applying it.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53071

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53072
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

platform/x86/amd/pmc: Detect when STB is not available

Loading the amd_pmc module as:

    amd_pmc enable_stb=1

...can result in the following messages in the kernel ring buffer:

    amd_pmc AMDI0009:00: SMU cmd failed. err: 0xff
    ioremap on RAM at 0x0000000000000000 - 0x0000000000ffffff
    WARNING: CPU: 10 PID: 2151 at arch/x86/mm/ioremap.c:217 __ioremap_caller+0x2cd/0x340

Further debugging reveals that this occurs when the requests for
S2D_PHYS_ADDR_LOW and S2D_PHYS_ADDR_HIGH return a value of 0,
indicating that the STB is inaccessible. To prevent the ioremap
warning and provide clarity to the user, handle the invalid address
and display an error message.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53072

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53073
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

NFSD: Never decrement pending_async_copies on error

The error flow in nfsd4_copy() calls cleanup_async_copy(), which
already decrements nn->pending_async_copies.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53073

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53074
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: don't leak a link on AP removal

Release the link mapping resource in AP removal. This impacted devices
that do not support the MLD API (9260 and down).
On those devices, we couldn't start the AP again after the AP has been
already started and stopped.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53074

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53075
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

riscv: Prevent a bad reference count on CPU nodes

When populating cache leaves we previously fetched the CPU device node
at the very beginning. But when ACPI is enabled we go through a
specific branch which returns early and does not call 'of_node_put' for
the node that was acquired.

Since we are not using a CPU device node for the ACPI code anyways, we
can simply move the initialization of it just passed the ACPI block, and
we are guaranteed to have an 'of_node_put' call for the acquired node.
This prevents a bad reference count of the CPU device node.

Moreover, the previous function did not check for errors when acquiring
the device node, so a return -ENOENT has been added for that case.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53075

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53076
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table()

If per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop
of iio_gts_build_avail_scale_table(), the err_free_out will fail to call
kfree() each time when i is reduced to 0, so all the per_time_scales[0]
and per_time_gains[0] will not be freed, which will cause memory leaks.

Fix it by checking if i >= 0.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53076

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53077
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

rpcrdma: Always release the rpcrdma_device's xa_array

Dai pointed out that the xa_init_flags() in rpcrdma_add_one() needs
to have a matching xa_destroy() in rpcrdma_remove_one() to release
underlying memory that the xarray might have accrued during
operation.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53077

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53078
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/tegra: Fix NULL vs IS_ERR() check in probe()

The iommu_paging_domain_alloc() function doesn't  return NULL pointers,
it returns error pointers.  Update the check to match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53078

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53079
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

mm/thp: fix deferred split unqueue naming and locking

Recent changes are putting more pressure on THP deferred split queues:
under load revealing long-standing races, causing list_del corruptions,
"Bad page state"s and worse (I keep BUGs in both of those, so usually
don't get to see how badly they end up without).  The relevant recent
changes being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin,
improved swap allocation, and underused THP splitting.

Before fixing locking: rename misleading folio_undo_large_rmappable(),
which does not undo large_rmappable, to folio_unqueue_deferred_split(),
which is what it does.  But that and its out-of-line __callee are mm
internals of very limited usability: add comment and WARN_ON_ONCEs to
check usage; and return a bool to say if a deferred split was unqueued,
which can then be used in WARN_ON_ONCEs around safety checks (sparing
callers the arcane conditionals in __folio_unqueue_deferred_split()).

Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all
of whose callers now call it beforehand (and if any forget then bad_page()
will tell) - except for its caller put_pages_list(), which itself no
longer has any callers (and will be deleted separately).

Swapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0
without checking and unqueueing a THP folio from deferred split list;
which is unfortunate, since the split_queue_lock depends on the memcg
(when memcg is enabled); so swapout has been unqueueing such THPs later,
when freeing the folio, using the pgdat's lock instead: potentially
corrupting the memcg's list.  __remove_mapping() has frozen refcount to 0
here, so no problem with calling folio_unqueue_deferred_split() before
resetting memcg_data.

That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split
shrinker memcg aware"): which included a check on swapcache before adding
to deferred queue, but no check on deferred queue before adding THP to
swapcache.  That worked fine with the usual sequence of events in reclaim
(though there were a couple of rare ways in which a THP on deferred queue
could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split
underused THPs") avoids splitting underused THPs in reclaim, which makes
swapcache THPs on deferred queue commonplace.

Keep the check on swapcache before adding to deferred queue?  Yes: it is
no longer essential, but preserves the existing behaviour, and is likely
to be a worthwhile optimization (vmstat showed much more traffic on the
queue under swapping load if the check was removed); update its comment.

Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing
folio->memcg_data without checking and unqueueing a THP folio from the
deferred list, sometimes corrupting "from" memcg's list, like swapout. 
Refcount is non-zero here, so folio_unqueue_deferred_split() can only be
used in a WARN_ON_ONCE to validate the fix, which must be done earlier:
mem_cgroup_move_charge_pte_range() first try to split the THP (splitting
of course unqueues), or skip it if that fails.  Not ideal, but moving
charge has been requested, and khugepaged should repair the THP later:
nobody wants new custom unqueueing code just for this deprecated case.

The 87eaceb3faa5 commit did have the code to move from one deferred list
to another (but was not conscious of its unsafety while refcount non-0);
but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don't need care
deferred split queue in memcg charge move path"), which argued that the
existence of a PMD mapping guarantees that the THP cannot be on a deferred
list.  As above, false in rare cases, and now commonly false.

Backport to 6.11 should be straightforward.  Earlier backports must take
care that other _deferred_list fixes and dependencies are included.  There
is not a strong case for backports, but they can fix cornercases.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53079

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53080
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Lock XArray when getting entries for the VM

Similar to commit cac075706f29 ("drm/panthor: Fix race when converting
group handle to group object") we need to use the XArray's internal
locking when retrieving a vm pointer from there.

v2: Removed part of the patch that was trying to protect fetching
the heap pointer from XArray, as that operation is protected by
the @pool->lock.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53080

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53081
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

media: ar0521: don't overflow when checking PLL values

The PLL checks are comparing 64 bit integers with 32 bit
ones, as reported by Coverity. Depending on the values of
the variables, this may underflow.

Fix it ensuring that both sides of the expression are u64.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53081

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53082
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

virtio_net: Add hash_key_length check

Add hash_key_length check in virtnet_probe() to avoid possible out of
bound errors when setting/reading the hash key.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53082

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53083
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

usb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier

If the read of USB_PDPHY_RX_ACKNOWLEDGE_REG failed, then hdr_len and
txbuf_len are uninitialized. This commit stops to print uninitialized
value and misleading/false data.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53083

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53084
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/imagination: Break an object reference loop

When remaining resources are being cleaned up on driver close,
outstanding VM mappings may result in resources being leaked, due
to an object reference loop, as shown below, with each object (or
set of objects) referencing the object below it:

    PVR GEM Object
    GPU scheduler "finished" fence
    GPU scheduler “scheduled” fence
    PVR driver “done” fence
    PVR Context
    PVR VM Context
    PVR VM Mappings
    PVR GEM Object

The reference that the PVR VM Context has on the VM mappings is a
soft one, in the sense that the freeing of outstanding VM mappings
is done as part of VM context destruction; no reference counts are
involved, as is the case for all the other references in the loop.

To break the reference loop during cleanup, free the outstanding
VM mappings before destroying the PVR Context associated with the
VM context.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53084

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53085
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

tpm: Lock TPM chip in tpm_pm_suspend() first

Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy
according, as this leaves window for tpm_hwrng_read() to be called while
the operation is in progress. The recent bug report gives also evidence of
this behaviour.

Aadress this by locking the TPM chip before checking any chip->flags both
in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED
check inside tpm_get_random() so that it will be always checked only when
the lock is reserved.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53085

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53086
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Drop VM dma-resv lock on xe_sync_in_fence_get failure in exec IOCTL

Upon failure all locks need to be dropped before returning to the user.

(cherry picked from commit 7d1a4258e602ffdce529f56686925034c1b3b095)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53086

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53087
CVE STATUS: Patched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix possible exec queue leak in exec IOCTL

In a couple of places after an exec queue is looked up the exec IOCTL
returns on input errors without dropping the exec queue ref. Fix this
ensuring the exec queue ref is dropped on input error.

(cherry picked from commit 07064a200b40ac2195cb6b7b779897d9377e5e6f)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53087

LAYER: meta-raspberrypi
PACKAGE NAME: linux-raspberrypi
PACKAGE VERSION: 1_6.6.22+git
CVE: CVE-2024-53088
CVE STATUS: Unpatched
CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved:

i40e: fix race condition by adding filter's intermediate sync state

Fix a race condition in the i40e driver that leads to MAC/VLAN filters
becoming corrupted and leaking. Address the issue that occurs under
heavy load when multiple threads are concurrently modifying MAC/VLAN
filters by setting mac and port VLAN.

1. Thread T0 allocates a filter in i40e_add_filter() within
        i40e_ndo_set_vf_port_vlan().
2. Thread T1 concurrently frees the filter in __i40e_del_filter() within
        i40e_ndo_set_vf_mac().
3. Subsequently, i40e_service_task() calls i40e_sync_vsi_filters(), which
        refers to the already freed filter memory, causing corruption.

Reproduction steps:
1. Spawn multiple VFs.
2. Apply a concurrent heavy load by running parallel operations to change
        MAC addresses on the VFs and change port VLANs on the host.
3. Observe errors in dmesg:
"Error I40E_AQ_RC_ENOSPC adding RX filters on VF XX,
	please set promiscuous on manually for VF XX".

Exact code for stable reproduction Intel can't open-source now.

The fix involves implementing a new intermediate filter state,
I40E_FILTER_NEW_SYNC, for the time when a filter is on a tmp_add_list.
These filters cannot be deleted from the hash list directly but
must be removed using the full process.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-53088

LAYER: meta-selinux
PACKAGE NAME: libselinux-python
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta-oe
PACKAGE NAME: udisks2
PACKAGE VERSION: 2.10.1
CVE: CVE-2010-1149
CVE STATUS: Patched
CVE SUMMARY: probers/udisks-dm-export.c in udisks before 1.0.1 exports UDISKS_DM_TARGETS_PARAMS information to udev even for a crypt UDISKS_DM_TARGETS_TYPE, which allows local users to discover encryption keys by (1) running a certain udevadm command or (2) reading a certain file under /dev/.udev/db/.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1149

LAYER: meta-oe
PACKAGE NAME: udisks2
PACKAGE VERSION: 2.10.1
CVE: CVE-2010-4661
CVE STATUS: Patched
CVE SUMMARY: udisks before 1.0.3 allows a local user to load arbitrary Linux kernel modules.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4661

LAYER: meta-oe
PACKAGE NAME: udisks2
PACKAGE VERSION: 2.10.1
CVE: CVE-2014-0004
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in udisks before 1.0.5 and 2.x before 2.1.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long mount point.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0004

LAYER: meta-oe
PACKAGE NAME: udisks2
PACKAGE VERSION: 2.10.1
CVE: CVE-2018-17336
CVE STATUS: Patched
CVE SUMMARY: UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n substrings.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17336

LAYER: meta-oe
PACKAGE NAME: udisks2
PACKAGE VERSION: 2.10.1
CVE: CVE-2021-3802
CVE STATUS: Patched
CVE SUMMARY: A vulnerability found in udisks2. This flaw allows an attacker to input a specially crafted image file/USB leading to kernel panic. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 6.3
CVSS v3 BASE SCORE: 4.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3802

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2013-4288
CVE STATUS: Patched
CVE SUMMARY: Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4288

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2015-3218
CVE STATUS: Patched
CVE SUMMARY: The authentication_agent_new function in polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (NULL pointer dereference and polkitd daemon crash) by calling RegisterAuthenticationAgent with an invalid object path.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3218

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2015-3255
CVE STATUS: Patched
CVE SUMMARY: The polkit_backend_action_pool_init function in polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before 0.113 might allow local users to gain privileges via duplicate action IDs in action descriptions.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3255

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2015-3256
CVE STATUS: Patched
CVE SUMMARY: PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (memory corruption and polkitd daemon crash) and possibly gain privileges via unspecified vectors, related to "javascript rule evaluation."
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3256

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2015-4625
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4625

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2016-2568
CVE STATUS: Unpatched
CVE SUMMARY: pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2568

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2018-1116
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1116

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2018-19788
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
CVSS v2 BASE SCORE: 9.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19788

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2019-6133
CVE STATUS: Patched
CVE SUMMARY: In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6133

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2021-3560
CVE STATUS: Patched
CVE SUMMARY: It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3560

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2021-4034
CVE STATUS: Patched
CVE SUMMARY: A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4034

LAYER: meta-oe
PACKAGE NAME: polkit
PACKAGE VERSION: 124
CVE: CVE-2021-4115
CVE STATUS: Patched
CVE SUMMARY: There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4115

LAYER: meta
PACKAGE NAME: ppp
PACKAGE VERSION: 2.5.0
CVE: CVE-2004-1002
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1002

LAYER: meta
PACKAGE NAME: ppp
PACKAGE VERSION: 2.5.0
CVE: CVE-2008-5366
CVE STATUS: Patched
CVE SUMMARY: The postinst script in ppp 2.4.4rel on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/probe-finished or (2) /tmp/ppp-errors temporary file.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5366

LAYER: meta
PACKAGE NAME: ppp
PACKAGE VERSION: 2.5.0
CVE: CVE-2020-15704
CVE STATUS: Patched
CVE SUMMARY: The modprobe child process in the ./debian/patches/load_ppp_generic_if_needed patch file incorrectly handled module loading. A local non-root attacker could exploit the MODPROBE_OPTIONS environment variable to read arbitrary root files. Fixed in 2.4.5-5ubuntu1.4, 2.4.5-5.1ubuntu2.3+esm2, 2.4.7-1+2ubuntu1.16.04.3, 2.4.7-2+2ubuntu1.3, 2.4.7-2+4.1ubuntu5.1, 2.4.7-2+4.1ubuntu6. Was ZDI-CAN-11504.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15704

LAYER: meta
PACKAGE NAME: ppp
PACKAGE VERSION: 2.5.0
CVE: CVE-2022-4603
CVE STATUS: Patched
CVE SUMMARY: A vulnerability classified as problematic has been found in ppp. Affected is the function dumpppp of the file pppdump/pppdump.c of the component pppdump. The manipulation of the argument spkt.buf/rpkt.buf leads to improper validation of array index. The real existence of this vulnerability is still doubted at the moment. The name of the patch is a75fb7b198eed50d769c80c36629f38346882cbf. It is recommended to apply a patch to fix this issue. VDB-216198 is the identifier assigned to this vulnerability. NOTE: pppdump is not used in normal process of setting up a PPP connection, is not installed setuid-root, and is not invoked automatically in any scenario.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4603

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-45930
CVE STATUS: Patched
CVE SUMMARY: Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-of-bounds write in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend (called from QPainterPath::addPath and QPathClipper::intersect).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45930

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Patched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtsvg
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta
PACKAGE NAME: harfbuzz-native
PACKAGE VERSION: 8.3.0
CVE: CVE-2015-8947
CVE STATUS: Patched
CVE SUMMARY: hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8947

LAYER: meta
PACKAGE NAME: harfbuzz-native
PACKAGE VERSION: 8.3.0
CVE: CVE-2015-9274
CVE STATUS: Patched
CVE SUMMARY: HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh, hb-ot-layout-gsub-table.hh, and hb-ot-layout-gsubgpos-private.hh.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9274

LAYER: meta
PACKAGE NAME: harfbuzz-native
PACKAGE VERSION: 8.3.0
CVE: CVE-2016-2052
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2052

LAYER: meta
PACKAGE NAME: harfbuzz-native
PACKAGE VERSION: 8.3.0
CVE: CVE-2021-45931
CVE STATUS: Patched
CVE SUMMARY: HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45931

LAYER: meta
PACKAGE NAME: harfbuzz-native
PACKAGE VERSION: 8.3.0
CVE: CVE-2022-33068
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33068

LAYER: meta
PACKAGE NAME: harfbuzz-native
PACKAGE VERSION: 8.3.0
CVE: CVE-2023-25193
CVE STATUS: Patched
CVE SUMMARY: hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25193

LAYER: meta
PACKAGE NAME: pixman-native
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2013-6424
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6424

LAYER: meta
PACKAGE NAME: pixman-native
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2013-6425
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6425

LAYER: meta
PACKAGE NAME: pixman-native
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2014-9766
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9766

LAYER: meta
PACKAGE NAME: pixman-native
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2015-5297
CVE STATUS: Patched
CVE SUMMARY: An integer overflow issue has been reported in the general_composite_rect() function in pixman prior to version 0.32.8. An attacker could exploit this issue to cause an application using pixman to crash or, potentially, execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 6.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5297

LAYER: meta
PACKAGE NAME: pixman-native
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2022-44638
CVE STATUS: Patched
CVE SUMMARY: In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44638

LAYER: meta
PACKAGE NAME: pixman-native
PACKAGE VERSION: 1_0.42.2
CVE: CVE-2023-37769
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: stress-test is an uninstalled test
CVE SUMMARY: stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37769

LAYER: meta
PACKAGE NAME: libxrandr-native
PACKAGE VERSION: 1_1.5.4
CVE: CVE-2013-1986
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in X.org libXrandr 1.4.0 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRRQueryOutputProperty and (2) XRRQueryProviderProperty functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1986

LAYER: meta
PACKAGE NAME: libxrandr-native
PACKAGE VERSION: 1_1.5.4
CVE: CVE-2016-7947
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7947

LAYER: meta
PACKAGE NAME: libxrandr-native
PACKAGE VERSION: 1_1.5.4
CVE: CVE-2016-7948
CVE STATUS: Patched
CVE SUMMARY: X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7948

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2007-5503
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Cairo before 1.4.12 might allow remote attackers to execute arbitrary code, as demonstrated using a crafted PNG image with large width and height values, which is not properly handled by the read_png function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5503

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2014-5116
CVE STATUS: Patched
CVE SUMMARY: The cairo_image_surface_get_data function in Cairo 1.10.2, as used in GTK+ and Wireshark, allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a large string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5116

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2016-3190
CVE STATUS: Patched
CVE SUMMARY: The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3190

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2016-9082
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the write_png function in cairo 1.14.6 allows remote attackers to cause a denial of service (invalid pointer dereference) via a large svg file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9082

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2017-7475
CVE STATUS: Patched
CVE SUMMARY: Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7475

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2017-9814
CVE STATUS: Patched
CVE SUMMARY: cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9814

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2018-18064
CVE STATUS: Patched
CVE SUMMARY: cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18064

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2018-19876
CVE STATUS: Patched
CVE SUMMARY: cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a "free(): invalid pointer" error.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19876

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2019-6461
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6461

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2019-6462
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6462

LAYER: meta
PACKAGE NAME: cairo-native
PACKAGE VERSION: 1.18.0
CVE: CVE-2020-35492
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35492

LAYER: meta
PACKAGE NAME: libxrender-native
PACKAGE VERSION: 1_0.9.11
CVE: CVE-2013-1987
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in X.org libXrender 0.9.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRenderQueryFilters, (2) XRenderQueryFormats, and (3) XRenderQueryPictIndexValues functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1987

LAYER: meta
PACKAGE NAME: libxrender-native
PACKAGE VERSION: 1_0.9.11
CVE: CVE-2016-7949
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the (1) XvQueryAdaptors and (2) XvQueryEncodings functions in X.org libXrender before 0.9.10 allow remote X servers to trigger out-of-bounds write operations via vectors involving length fields.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7949

LAYER: meta
PACKAGE NAME: libxrender-native
PACKAGE VERSION: 1_0.9.11
CVE: CVE-2016-7950
CVE STATUS: Patched
CVE SUMMARY: The XRenderQueryFilters function in X.org libXrender before 0.9.10 allows remote X servers to trigger out-of-bounds write operations via vectors involving filter name lengths.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7950

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2005-0470
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in wpa_supplicant before 0.2.7 allows remote attackers to cause a denial of service (segmentation fault) via invalid EAPOL-Key packet data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0470

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2007-6025
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in driver_wext.c in wpa_supplicant 0.6.0 and earlier allows remote attackers to cause a denial of service (crash) via crafted TSF data.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6025

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2014-3686
CVE STATUS: Patched
CVE SUMMARY: wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain configurations and using wpa_cli or hostapd_cli with action scripts, allows remote attackers to execute arbitrary commands via a crafted frame.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3686

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-0210
CVE STATUS: Patched
CVE SUMMARY: wpa_supplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0210

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-1863
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1863

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-4141
CVE STATUS: Patched
CVE SUMMARY: The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an out-of-bounds read or heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4141

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-4142
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4142

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-4143
CVE STATUS: Patched
CVE SUMMARY: The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4143

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-4144
CVE STATUS: Patched
CVE SUMMARY: The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote attackers to cause a denial of service (crash) via a crafted message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4144

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-4145
CVE STATUS: Patched
CVE SUMMARY: The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4145

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-4146
CVE STATUS: Patched
CVE SUMMARY: The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4146

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-5314
CVE STATUS: Patched
CVE SUMMARY: The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5314

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-5315
CVE STATUS: Patched
CVE SUMMARY: The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5315

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-5316
CVE STATUS: Patched
CVE SUMMARY: The eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6, when EAP-pwd is enabled in a network configuration profile, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an EAP-pwd Confirm message followed by the Identity exchange.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5316

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2015-8041
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the NDEF record parser in hostapd before 2.5 and wpa_supplicant before 2.5 allow remote attackers to cause a denial of service (process crash or infinite loop) via a large payload length field value in an (1) WPS or (2) P2P NFC NDEF record, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8041

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2016-4476
CVE STATUS: Patched
CVE SUMMARY: hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4476

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13077
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 6.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13077

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13078
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 5.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13078

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13079
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 5.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13079

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13080
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 5.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13080

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13081
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 5.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13081

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13082
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13082

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13084
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 6.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13084

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13086
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 6.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13086

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13087
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 5.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13087

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2017-13088
CVE STATUS: Patched
CVE SUMMARY: Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.
CVSS v2 BASE SCORE: 2.9
CVSS v3 BASE SCORE: 5.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13088

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2018-14526
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14526

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2019-11555
CVE STATUS: Patched
CVE SUMMARY: The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11555

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2019-16275
CVE STATUS: Patched
CVE SUMMARY: hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16275

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2019-9494
CVE STATUS: Patched
CVE SUMMARY: The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9494

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2019-9495
CVE STATUS: Patched
CVE SUMMARY: The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer, are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9495

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2019-9496
CVE STATUS: Patched
CVE SUMMARY: An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9496

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2019-9497
CVE STATUS: Patched
CVE SUMMARY: The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9497

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2019-9498
CVE STATUS: Patched
CVE SUMMARY: The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9498

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2019-9499
CVE STATUS: Patched
CVE SUMMARY: The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9499

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2021-27803
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 7.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27803

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2021-30004
CVE STATUS: Patched
CVE SUMMARY: In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-30004

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2022-23303
CVE STATUS: Patched
CVE SUMMARY: The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23303

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2022-23304
CVE STATUS: Patched
CVE SUMMARY: The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23304

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2023-52160
CVE STATUS: Patched
CVE SUMMARY: The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52160

LAYER: meta
PACKAGE NAME: wpa-supplicant
PACKAGE VERSION: 2.10
CVE: CVE-2024-5290
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Ubuntu wpa_supplicant that resulted in loading of arbitrary shared objects, which allows a local unprivileged attacker to escalate privileges to the user that wpa_supplicant runs as (usually root).




Membership in the netdev group or access to the dbus interface of wpa_supplicant allow an unprivileged user to specify an arbitrary path to a module to be loaded by the wpa_supplicant process; other escalation paths might exist.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-5290

LAYER: meta
PACKAGE NAME: libxtst-native
PACKAGE VERSION: 1_1.2.4
CVE: CVE-2013-2063
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XRecordGetContext function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2063

LAYER: meta
PACKAGE NAME: libxtst-native
PACKAGE VERSION: 1_1.2.4
CVE: CVE-2016-7951
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in X.org libXtst before 1.2.3 allow remote X servers to trigger out-of-bounds memory access operations by leveraging the lack of range checks.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7951

LAYER: meta
PACKAGE NAME: libxtst-native
PACKAGE VERSION: 1_1.2.4
CVE: CVE-2016-7952
CVE STATUS: Patched
CVE SUMMARY: X.org libXtst before 1.2.3 allows remote X servers to cause a denial of service (infinite loop) via a reply in the (1) XRecordStartOfData, (2) XRecordEndOfData, or (3) XRecordClientDied category without a client sequence and with attached data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7952

LAYER: meta
PACKAGE NAME: libxcursor-native
PACKAGE VERSION: 1_1.2.2
CVE: CVE-2013-2003
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in X.org libXcursor 1.1.13 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the _XcursorFileHeaderCreate function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2003

LAYER: meta
PACKAGE NAME: libxcursor-native
PACKAGE VERSION: 1_1.2.2
CVE: CVE-2015-9262
CVE STATUS: Patched
CVE SUMMARY: _XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9262

LAYER: meta
PACKAGE NAME: libxcursor-native
PACKAGE VERSION: 1_1.2.2
CVE: CVE-2017-16612
CVE STATUS: Patched
CVE SUMMARY: libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16612

LAYER: meta
PACKAGE NAME: libxext-native
PACKAGE VERSION: 1_1.3.6
CVE: CVE-2013-1982
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1982

LAYER: meta
PACKAGE NAME: libxi-native
PACKAGE VERSION: 1_1.8.1
CVE: CVE-2013-1984
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in X.org libXi 1.7.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XGetDeviceControl, (2) XGetFeedbackControl, (3) XGetDeviceDontPropagateList, (4) XGetDeviceMotionEvents, (5) XIGetProperty, (6) XIGetSelectedEvents, (7) XGetDeviceProperties, and (8) XListInputDevices functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1984

LAYER: meta
PACKAGE NAME: libxi-native
PACKAGE VERSION: 1_1.8.1
CVE: CVE-2013-1995
CVE STATUS: Patched
CVE SUMMARY: X.org libXi 1.7.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to an unexpected sign extension in the XListInputDevices function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1995

LAYER: meta
PACKAGE NAME: libxi-native
PACKAGE VERSION: 1_1.8.1
CVE: CVE-2013-1998
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in X.org libXi 1.7.1 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XGetDeviceButtonMapping, (2) XIPassiveGrabDevice, and (3) XQueryDeviceState functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1998

LAYER: meta
PACKAGE NAME: libxi-native
PACKAGE VERSION: 1_1.8.1
CVE: CVE-2016-7945
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in X.org libXi before 1.7.7 allow remote X servers to cause a denial of service (out-of-bounds memory access or infinite loop) via vectors involving length fields.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7945

LAYER: meta
PACKAGE NAME: libxi-native
PACKAGE VERSION: 1_1.8.1
CVE: CVE-2016-7946
CVE STATUS: Patched
CVE SUMMARY: X.org libXi before 1.7.7 allows remote X servers to cause a denial of service (infinite loop) via vectors involving length fields.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7946

LAYER: meta-clang
PACKAGE NAME: clang-native
PACKAGE VERSION: 18.1.6
CVE: CVE-2014-2893
CVE STATUS: Patched
CVE SUMMARY: The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and earlier allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2893

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2012-2806
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the get_sos function in jdmarker.c in libjpeg-turbo 1.2.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large component count in the header of a JPEG image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2806

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2013-6629
CVE STATUS: Patched
CVE SUMMARY: The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6629

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2014-9092
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9092

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2016-3616
CVE STATUS: Patched
CVE SUMMARY: The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3616

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2017-15232
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15232

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2017-9614
CVE STATUS: Patched
CVE SUMMARY: The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted jpg file. NOTE: Maintainer asserts the issue is due to a bug in downstream code caused by misuse of the libjpeg API
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9614

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2018-1152
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1152

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2018-14498
CVE STATUS: Patched
CVE SUMMARY: get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14498

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2018-19664
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19664

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2018-20330
CVE STATUS: Patched
CVE SUMMARY: The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20330

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2019-13960
CVE STATUS: Patched
CVE SUMMARY: In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13960

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2020-13790
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13790

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2020-17541
CVE STATUS: Patched
CVE SUMMARY: Libjpeg-turbo all version have a stack-based buffer overflow in the "transform" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17541

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2020-35538
CVE STATUS: Patched
CVE SUMMARY: A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35538

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2021-20205
CVE STATUS: Patched
CVE SUMMARY: Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20205

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2021-29390
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29390

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2021-46822
CVE STATUS: Patched
CVE SUMMARY: The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46822

LAYER: meta
PACKAGE NAME: libjpeg-turbo-native
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2023-2804
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2804

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2015-20001
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory safety violation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-20001

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2017-20004
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.19.0, there is a synchronization problem in the MutexGuard object. MutexGuards can be used across threads with any types, allowing for memory safety issues through race conditions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-20004

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2018-1000622
CVE STATUS: Patched
CVE SUMMARY: The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appear to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000622

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2018-1000657
CVE STATUS: Patched
CVE SUMMARY: Rust Programming Language Rust standard library version Commit bfa0e1f58acf1c28d500c34ed258f09ae021893e and later; stable release 1.3.0 and later contains a Buffer Overflow vulnerability in std::collections::vec_deque::VecDeque::reserve() function that can result in Arbitrary code execution, but no proof-of-concept exploit is currently published.. This vulnerability appears to have been fixed in after commit fdfafb510b1a38f727e920dccbeeb638d39a8e60; stable release 1.22.0 and later.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000657

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2018-1000810
CVE STATUS: Patched
CVE SUMMARY: The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contains a CWE-680: Integer Overflow to Buffer Overflow vulnerability in standard library that can result in buffer overflow. This attack appear to be exploitable via str::repeat, passed a large number, can overflow an internal buffer. This vulnerability appears to have been fixed in 1.29.1.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000810

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2018-25008
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.29.0, there is weak synchronization in the Arc::get_mut method. This synchronization issue can be lead to memory safety issues through race conditions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25008

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2019-1010299
CVE STATUS: Patched
CVE SUMMARY: The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010299

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2019-12083
CVE STATUS: Patched
CVE SUMMARY: The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. If the `Error::type_id` method is overridden then any type can be safely cast to any other type, causing memory safety vulnerabilities in safe code (e.g., out-of-bounds write or read). Code that does not manually implement Error::type_id is unaffected.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12083

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2019-16760
CVE STATUS: Patched
CVE SUMMARY: Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are not affected because Cargo understands the `package` key. Users of the affected versions are strongly encouraged to update their compiler to the latest available one. Preventing this issue from happening requires updating your compiler to be either Rust 1.26.0 or newer. There will be no point release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate the issue.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 4.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16760

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2020-36317
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the same string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36317

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2020-36318
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36318

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2020-36323
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36323

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28875
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28875

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28876
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28876

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28877
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28877

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28878
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28878

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28879
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28879

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-29922
CVE STATUS: Patched
CVE SUMMARY: library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29922

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-31162
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31162

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2022-21658
CVE STATUS: Patched
CVE SUMMARY: Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-21658

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2023-40030
CVE STATUS: Patched
CVE SUMMARY: Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to cross-site scripting if the report is subsequently uploaded somewhere. The vulnerability affects users relying on dependencies from git, local paths, or alternative registries. Users who solely depend on crates.io are unaffected.

Rust 1.60.0 introduced `cargo build --timings`, which produces a report of how long the different steps of the build process took. It includes lists of Cargo features for each crate. Prior to Rust 1.72, Cargo feature names were allowed to contain almost any characters (with some exceptions as used by the feature syntax), but it would produce a future incompatibility warning about them since Rust 1.49. crates.io is far more stringent about what it considers a valid feature name and has not allowed such feature names. As the feature names were included unescaped in the timings report, they could be used to inject Javascript into the page, for example with a feature name like `features = ["<img src='' onerror=alert(0)"]`. If this report were subsequently uploaded to a domain that uses credentials, the injected Javascript could access resources from the website visitor.

This issue was fixed in Rust 1.72 by turning the future incompatibility warning into an error. Users should still exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io has server-side checks preventing this attack, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40030

LAYER: meta
PACKAGE NAME: libstd-rs
PACKAGE VERSION: 1.75.0
CVE: CVE-2024-43402
CVE STATUS: Unpatched
CVE SUMMARY: Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the `cmd.exe` escaping rules, the original fix for the vulnerability checked whether the command name ended with `.bat` or `.cmd`. At the time that seemed enough, as we refuse to invoke batch scripts with no file extension. Windows removes trailing whitespace and periods when parsing file paths. For example, `.bat. .` is interpreted by Windows as `.bat`, but the original fix didn't check for that. Affected users who are using Rust 1.77.2 or greater can remove the trailing whitespace (ASCII 0x20) and trailing periods (ASCII 0x2E) from the batch file name to bypass the incomplete fix and enable the mitigations. Users are affected if their code or one of their dependencies invoke a batch script on Windows with trailing whitespace or trailing periods in the name, and pass untrusted arguments to it. Rust 1.81.0 will update the standard library to apply the CVE-2024-24576 mitigations to all batch files invocations, regardless of the trailing chars in the file name.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43402

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2002-0660
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libpng 1.0.12-3.woody.2 and libpng3 1.2.1-1.1.woody.2 on Debian GNU/Linux 3.0, and other operating systems, may allow attackers to cause a denial of service and possibly execute arbitrary code, a different vulnerability than CVE-2002-0728.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0660

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2002-0728
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the progressive reader for libpng 1.2.x before 1.2.4, and 1.0.x before 1.0.14, allows attackers to cause a denial of service (crash) via a PNG data stream that has more IDAT data than indicated by the IHDR chunk.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0728

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2002-1363
CVE STATUS: Patched
CVE SUMMARY: Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1363

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2004-0421
CVE STATUS: Patched
CVE SUMMARY: The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0421

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2004-0597
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0597

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2004-0598
CVE STATUS: Patched
CVE SUMMARY: The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0598

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2004-0599
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0599

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2006-0481
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the alpha strip capability in libpng 1.2.7 allows context-dependent attackers to cause a denial of service (crash) when the png_do_strip_filler function is used to strip alpha channels out of the image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0481

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2006-3334
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to "chunk error processing," possibly involving the "chunk_name".
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3334

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2006-5793
CVE STATUS: Patched
CVE SUMMARY: The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5793

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2006-7244
CVE STATUS: Patched
CVE SUMMARY: Memory leak in pngwutil.c in libpng 1.2.13beta1, and other versions before 1.2.15beta3, allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7244

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-2445
CVE STATUS: Patched
CVE SUMMARY: The png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and 1.2.x before 1.2.17 allows remote attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2445

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-5266
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image that prevents a name field from being NULL terminated.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5266

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-5267
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image, due to an incorrect fix for CVE-2007-5266.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5267

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-5268
CVE STATUS: Patched
CVE SUMMARY: pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical instead of bitwise operations and (2) incorrect comparisons, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5268

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2007-5269
CVE STATUS: Patched
CVE SUMMARY: Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5269

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2008-1382
CVE STATUS: Patched
CVE SUMMARY: libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1382

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2008-3964
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3964

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2008-5907
CVE STATUS: Patched
CVE SUMMARY: The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer.  NOTE: some sources incorrectly report this as a double free vulnerability.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5907

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2008-6218
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the png_handle_tEXt function in pngrutil.c in libpng before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file.
CVSS v2 BASE SCORE: 7.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6218

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2009-0040
CVE STATUS: Patched
CVE SUMMARY: The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0040

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2009-2042
CVE STATUS: Patched
CVE SUMMARY: libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2042

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2009-5063
CVE STATUS: Patched
CVE SUMMARY: Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length.  NOTE: this is due to an incomplete fix for CVE-2006-7244.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5063

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2010-0205
CVE STATUS: Patched
CVE SUMMARY: The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0205

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2010-1205
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1205

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2010-2249
CVE STATUS: Patched
CVE SUMMARY: Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2249

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-0408
CVE STATUS: Patched
CVE SUMMARY: pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0408

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-2501
CVE STATUS: Patched
CVE SUMMARY: The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data.  NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2501

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-2690
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2690

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-2691
CVE STATUS: Patched
CVE SUMMARY: The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2691

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-2692
CVE STATUS: Patched
CVE SUMMARY: The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2692

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-3045
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3045

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-3048
CVE STATUS: Patched
CVE SUMMARY: The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3048

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-3328
CVE STATUS: Patched
CVE SUMMARY: The png_handle_cHRM function in pngrutil.c in libpng 1.5.4, when color-correction support is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a malformed PNG image containing a cHRM chunk associated with a certain zero value.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3328

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2011-3464
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the png_formatted_warning function in pngerror.c in libpng 1.5.4 through 1.5.7 might allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors, which trigger a stack-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3464

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2012-3425
CVE STATUS: Patched
CVE SUMMARY: The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3425

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2013-6954
CVE STATUS: Patched
CVE SUMMARY: The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6954

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2013-7353
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7353

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2013-7354
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7354

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2014-0333
CVE STATUS: Patched
CVE SUMMARY: The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0333

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2014-9495
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9495

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-0973
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0973

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-7981
CVE STATUS: Patched
CVE SUMMARY: The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7981

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-8126
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8126

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-8472
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8472

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2015-8540
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8540

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2016-10087
CVE STATUS: Patched
CVE SUMMARY: The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10087

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2016-3751
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23265085.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3751

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2017-12652
CVE STATUS: Patched
CVE SUMMARY: libpng before 1.6.32 does not properly check the length of chunks against the user limit.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12652

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2018-13785
CVE STATUS: Patched
CVE SUMMARY: In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13785

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2018-14048
CVE STATUS: Patched
CVE SUMMARY: An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14048

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2018-14550
CVE STATUS: Patched
CVE SUMMARY: An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14550

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2019-6129
CVE STATUS: Patched
CVE SUMMARY: png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6129

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2019-7317
CVE STATUS: Patched
CVE SUMMARY: png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7317

LAYER: meta
PACKAGE NAME: libpng-native
PACKAGE VERSION: 1.6.42
CVE: CVE-2021-4214
CVE STATUS: Patched
CVE SUMMARY: A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4214

LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.6
CVE: CVE-2014-9087
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9087

LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.6
CVE: CVE-2016-4353
CVE STATUS: Patched
CVE SUMMARY: ber-decoder.c in Libksba before 1.3.3 does not properly handle decoder stack overflows, which allows remote attackers to cause a denial of service (abort) via crafted BER data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4353

LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.6
CVE: CVE-2016-4354
CVE STATUS: Patched
CVE SUMMARY: ber-decoder.c in Libksba before 1.3.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4354

LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.6
CVE: CVE-2016-4355
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in ber-decoder.c in Libksba before 1.3.3 allow remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4355

LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.6
CVE: CVE-2016-4356
CVE STATUS: Patched
CVE SUMMARY: The append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.3 allows remote attackers to cause a denial of service (out-of-bounds read) by clearing the high bit of the byte after invalid utf-8 encoded data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4356

LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.6
CVE: CVE-2016-4574
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read) via invalid utf-8 encoded data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-4356.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4574

LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.6
CVE: CVE-2016-4579
CVE STATUS: Patched
CVE SUMMARY: Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via unspecified vectors, related to the "returned length of the object from _ksba_ber_parse_tl."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4579

LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.6
CVE: CVE-2022-3515
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3515

LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.6
CVE: CVE-2022-47629
CVE STATUS: Patched
CVE SUMMARY: Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47629

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2006-5397
CVE STATUS: Patched
CVE SUMMARY: The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5397

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2007-1667
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1667

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2013-1981
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XQueryFont, (2) _XF86BigfontQueryFont, (3) XListFontsWithInfo, (4) XGetMotionEvents, (5) XListHosts, (6) XGetModifierMapping, (7) XGetPointerMapping, (8) XGetKeyboardMapping, (9) XGetWindowProperty, (10) XGetImage, (11) LoadColornameDB, (12) XrmGetFileDatabase, (13) _XimParseStringFile, or (14) TransFileName functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1981

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2013-1997
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XAllocColorCells, (2) _XkbReadGetDeviceInfoReply, (3) _XkbReadGeomShapes, (4) _XkbReadGetGeometryReply, (5) _XkbReadKeySyms, (6) _XkbReadKeyActions, (7) _XkbReadKeyBehaviors, (8) _XkbReadModifierMap, (9) _XkbReadExplicitComponents, (10) _XkbReadVirtualModMap, (11) _XkbReadGetNamesReply, (12) _XkbReadGetMapReply, (13) _XimXGetReadData, (14) XListFonts, (15) XListExtensions, and (16) XGetFontPath functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1997

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2013-2004
CVE STATUS: Patched
CVE SUMMARY: The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2004

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2013-7439
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in the (1) MakeBigReq and (2) SetReqLen macros in include/X11/Xlibint.h in X11R6.x and libX11 before 1.6.0 allow remote attackers to have unspecified impact via a crafted request, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7439

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2016-7942
CVE STATUS: Patched
CVE SUMMARY: The XGetImage function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving image type and geometry, which triggers out-of-bounds read operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7942

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2016-7943
CVE STATUS: Patched
CVE SUMMARY: The XListFonts function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving length fields, which trigger out-of-bounds write operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7943

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2018-14598
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14598

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2018-14599
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14599

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2018-14600
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14600

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2020-14344
CVE STATUS: Patched
CVE SUMMARY: An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14344

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2020-14363
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14363

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2021-31535
CVE STATUS: Patched
CVE SUMMARY: LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31535

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2023-3138
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3138

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2023-43785
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43785

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2023-43786
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43786

LAYER: meta
PACKAGE NAME: libx11-native
PACKAGE VERSION: 1_1.8.9
CVE: CVE-2023-43787
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43787

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2006-0747
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0747

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2006-1861
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c.  NOTE: item 4 was originally identified by CVE-2006-2493.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1861

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2006-2661
CVE STATUS: Patched
CVE SUMMARY: ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2661

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2006-3467
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3467

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2007-2754
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2754

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2007-3506
CVE STATUS: Patched
CVE SUMMARY: The ft_bitmap_assure_buffer function in src/base/ftbimap.c in FreeType 2.3.3 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors involving bitmap fonts, related to a "memory buffer overwrite bug."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3506

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2008-1806
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1806

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2008-1807
CVE STATUS: Patched
CVE SUMMARY: FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1807

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2008-1808
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1808

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2009-0946
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0946

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2497
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2497

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2498
CVE STATUS: Patched
CVE SUMMARY: The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2498

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2499
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2499

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2500
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2500

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2519
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2519

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2520
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2520

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2527
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2527

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2541
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2541

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2805
CVE STATUS: Patched
CVE SUMMARY: The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2805

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2806
CVE STATUS: Patched
CVE SUMMARY: Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2806

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2807
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2807

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-2808
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2808

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3053
CVE STATUS: Patched
CVE SUMMARY: bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3053

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3054
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3054

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3311
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3311

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3814
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3814

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2010-3855
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3855

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2011-0226
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0226

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2011-2895
CVE STATUS: Patched
CVE SUMMARY: The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2895

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1126
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1126

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1127
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1127

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1128
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1128

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1129
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted SFNT string in a Type 42 font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1129

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1130
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1130

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1131
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1131

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1132
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1132

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1133
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1133

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1134
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1134

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1135
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1135

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1136
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1136

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1137
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1137

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1138
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1138

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1139
CVE STATUS: Patched
CVE SUMMARY: Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1139

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1140
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1140

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1141
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1141

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1142
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1142

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1143
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1143

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-1144
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1144

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-5668
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an "allocation error" in the bdf_free_font function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5668

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-5669
CVE STATUS: Patched
CVE SUMMARY: The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5669

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2012-5670
CVE STATUS: Patched
CVE SUMMARY: The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5670

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-2240
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2240

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-2241
CVE STATUS: Patched
CVE SUMMARY: The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2241

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9656
CVE STATUS: Patched
CVE SUMMARY: The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9656

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9657
CVE STATUS: Patched
CVE SUMMARY: The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9657

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9658
CVE STATUS: Patched
CVE SUMMARY: The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9658

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9659
CVE STATUS: Patched
CVE SUMMARY: cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9659

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9660
CVE STATUS: Patched
CVE SUMMARY: The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9660

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9661
CVE STATUS: Patched
CVE SUMMARY: type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9661

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9662
CVE STATUS: Patched
CVE SUMMARY: cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9662

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9663
CVE STATUS: Patched
CVE SUMMARY: The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9663

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9664
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9664

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9665
CVE STATUS: Patched
CVE SUMMARY: The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9665

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9666
CVE STATUS: Patched
CVE SUMMARY: The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9666

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9667
CVE STATUS: Patched
CVE SUMMARY: sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9667

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9668
CVE STATUS: Patched
CVE SUMMARY: The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9668

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9669
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9669

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9670
CVE STATUS: Patched
CVE SUMMARY: Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9670

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9671
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9671

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9672
CVE STATUS: Patched
CVE SUMMARY: Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9672

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9673
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9673

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9674
CVE STATUS: Patched
CVE SUMMARY: The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9674

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9675
CVE STATUS: Patched
CVE SUMMARY: bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9675

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9745
CVE STATUS: Patched
CVE SUMMARY: The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a "broken number-with-base" in a Postscript stream, as demonstrated by 8#garbage.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9745

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9746
CVE STATUS: Patched
CVE SUMMARY: The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9746

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2014-9747
CVE STATUS: Patched
CVE SUMMARY: The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9747

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2015-9290
CVE STATUS: Patched
CVE SUMMARY: In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9290

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2015-9381
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9381

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2015-9382
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9382

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2015-9383
CVE STATUS: Patched
CVE SUMMARY: FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9383

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2016-10244
CVE STATUS: Patched
CVE SUMMARY: The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10244

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2016-10328
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10328

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-7857
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7857

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-7858
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7858

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-7864
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7864

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-8105
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8105

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2017-8287
CVE STATUS: Patched
CVE SUMMARY: FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8287

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2018-6942
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6942

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2020-15999
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15999

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2022-27404
CVE STATUS: Patched
CVE SUMMARY: FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27404

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2022-27405
CVE STATUS: Patched
CVE SUMMARY: FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27405

LAYER: meta
PACKAGE NAME: freetype-native
PACKAGE VERSION: 2.13.2
CVE: CVE-2022-27406
CVE STATUS: Patched
CVE SUMMARY: FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27406

LAYER: meta
PACKAGE NAME: libxfixes-native
PACKAGE VERSION: 1_6.0.1
CVE: CVE-2013-1983
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in X.org libXfixes 5.0 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XFixesGetCursorImage function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1983

LAYER: meta
PACKAGE NAME: libxfixes-native
PACKAGE VERSION: 1_6.0.1
CVE: CVE-2016-7944
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7944

LAYER: meta
PACKAGE NAME: fribidi-native
PACKAGE VERSION: 1.0.14
CVE: CVE-2010-3444
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the log2vis_utf8 function in pyfribidi.c in GNU FriBidi 0.19.1, 0.19.2, and possibly other versions, as used in PyFriBidi 0.10.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Arabic UTF-8 string that causes original 2-byte UTF-8 sequences to be transformed into 3-byte sequences.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3444

LAYER: meta
PACKAGE NAME: fribidi-native
PACKAGE VERSION: 1.0.14
CVE: CVE-2019-18397
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in HexChat.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18397

LAYER: meta
PACKAGE NAME: fribidi-native
PACKAGE VERSION: 1.0.14
CVE: CVE-2022-25308
CVE STATUS: Patched
CVE SUMMARY: A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25308

LAYER: meta
PACKAGE NAME: fribidi-native
PACKAGE VERSION: 1.0.14
CVE: CVE-2022-25309
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25309

LAYER: meta
PACKAGE NAME: fribidi-native
PACKAGE VERSION: 1.0.14
CVE: CVE-2022-25310
CVE STATUS: Patched
CVE SUMMARY: A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25310

LAYER: meta
PACKAGE NAME: cargo-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2022-36113
CVE STATUS: Patched
CVE SUMMARY: Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain.
Mitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36113

LAYER: meta
PACKAGE NAME: cargo-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2022-36114
CVE STATUS: Patched
CVE SUMMARY: Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36114

LAYER: meta
PACKAGE NAME: cargo-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2022-46176
CVE STATUS: Patched
CVE SUMMARY: Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible. 
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-46176

LAYER: meta
PACKAGE NAME: cargo-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2023-38497
CVE STATUS: Patched
CVE SUMMARY: Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.9
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38497

LAYER: meta
PACKAGE NAME: cargo-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2024-47846
CVE STATUS: Patched
CVE SUMMARY: Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47846

LAYER: meta
PACKAGE NAME: cargo-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2024-47847
CVE STATUS: Patched
CVE SUMMARY: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47847

LAYER: meta
PACKAGE NAME: cargo-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2024-47849
CVE STATUS: Patched
CVE SUMMARY: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47849

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2015-20001
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory safety violation.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-20001

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2017-20004
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.19.0, there is a synchronization problem in the MutexGuard object. MutexGuards can be used across threads with any types, allowing for memory safety issues through race conditions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-20004

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2018-1000622
CVE STATUS: Patched
CVE SUMMARY: The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appear to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000622

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2018-1000657
CVE STATUS: Patched
CVE SUMMARY: Rust Programming Language Rust standard library version Commit bfa0e1f58acf1c28d500c34ed258f09ae021893e and later; stable release 1.3.0 and later contains a Buffer Overflow vulnerability in std::collections::vec_deque::VecDeque::reserve() function that can result in Arbitrary code execution, but no proof-of-concept exploit is currently published.. This vulnerability appears to have been fixed in after commit fdfafb510b1a38f727e920dccbeeb638d39a8e60; stable release 1.22.0 and later.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000657

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2018-1000810
CVE STATUS: Patched
CVE SUMMARY: The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contains a CWE-680: Integer Overflow to Buffer Overflow vulnerability in standard library that can result in buffer overflow. This attack appear to be exploitable via str::repeat, passed a large number, can overflow an internal buffer. This vulnerability appears to have been fixed in 1.29.1.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000810

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2018-25008
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.29.0, there is weak synchronization in the Arc::get_mut method. This synchronization issue can be lead to memory safety issues through race conditions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25008

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2019-1010299
CVE STATUS: Patched
CVE SUMMARY: The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010299

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2019-12083
CVE STATUS: Patched
CVE SUMMARY: The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. If the `Error::type_id` method is overridden then any type can be safely cast to any other type, causing memory safety vulnerabilities in safe code (e.g., out-of-bounds write or read). Code that does not manually implement Error::type_id is unaffected.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12083

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2019-16760
CVE STATUS: Patched
CVE SUMMARY: Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are not affected because Cargo understands the `package` key. Users of the affected versions are strongly encouraged to update their compiler to the latest available one. Preventing this issue from happening requires updating your compiler to be either Rust 1.26.0 or newer. There will be no point release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate the issue.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 4.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16760

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2020-36317
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the same string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36317

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2020-36318
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36318

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2020-36323
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36323

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28875
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28875

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28876
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28876

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28877
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28877

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28878
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28878

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-28879
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28879

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-29922
CVE STATUS: Patched
CVE SUMMARY: library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29922

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2021-31162
CVE STATUS: Patched
CVE SUMMARY: In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31162

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2022-21658
CVE STATUS: Patched
CVE SUMMARY: Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-21658

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2023-40030
CVE STATUS: Patched
CVE SUMMARY: Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to cross-site scripting if the report is subsequently uploaded somewhere. The vulnerability affects users relying on dependencies from git, local paths, or alternative registries. Users who solely depend on crates.io are unaffected.

Rust 1.60.0 introduced `cargo build --timings`, which produces a report of how long the different steps of the build process took. It includes lists of Cargo features for each crate. Prior to Rust 1.72, Cargo feature names were allowed to contain almost any characters (with some exceptions as used by the feature syntax), but it would produce a future incompatibility warning about them since Rust 1.49. crates.io is far more stringent about what it considers a valid feature name and has not allowed such feature names. As the feature names were included unescaped in the timings report, they could be used to inject Javascript into the page, for example with a feature name like `features = ["<img src='' onerror=alert(0)"]`. If this report were subsequently uploaded to a domain that uses credentials, the injected Javascript could access resources from the website visitor.

This issue was fixed in Rust 1.72 by turning the future incompatibility warning into an error. Users should still exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io has server-side checks preventing this attack, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40030

LAYER: meta
PACKAGE NAME: rust-native
PACKAGE VERSION: 1.75.0
CVE: CVE-2024-43402
CVE STATUS: Unpatched
CVE SUMMARY: Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the `cmd.exe` escaping rules, the original fix for the vulnerability checked whether the command name ended with `.bat` or `.cmd`. At the time that seemed enough, as we refuse to invoke batch scripts with no file extension. Windows removes trailing whitespace and periods when parsing file paths. For example, `.bat. .` is interpreted by Windows as `.bat`, but the original fix didn't check for that. Affected users who are using Rust 1.77.2 or greater can remove the trailing whitespace (ASCII 0x20) and trailing periods (ASCII 0x2E) from the batch file name to bypass the incomplete fix and enable the mitigations. Users are affected if their code or one of their dependencies invoke a batch script on Windows with trailing whitespace or trailing periods in the name, and pass untrusted arguments to it. Rust 1.81.0 will update the standard library to apply the CVE-2024-24576 mitigations to all batch files invocations, regardless of the trailing chars in the file name.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-43402

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtwayland-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2006-2288
CVE STATUS: Patched
CVE SUMMARY: Avahi before 0.6.10 allows local users to cause a denial of service (mDNS/DNS-SD service disconnect) via unspecified mDNS name conflicts.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2288

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2006-2289
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in avahi-core in Avahi before 0.6.10 allows local users to execute arbitrary code via unknown vectors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2289

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2006-5461
CVE STATUS: Patched
CVE SUMMARY: Avahi before 0.6.15 does not verify the sender identity of netlink messages to ensure that they come from the kernel instead of another process, which allows local users to spoof network changes to Avahi.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5461

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2006-6870
CVE STATUS: Patched
CVE SUMMARY: The consume_labels function in avahi-core/dns.c in Avahi before 0.6.16 allows remote attackers to cause a denial of service (infinite loop) via a crafted compressed DNS response with a label that points to itself.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6870

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2007-3372
CVE STATUS: Patched
CVE SUMMARY: The Avahi daemon in Avahi before 0.6.20 allows attackers to cause a denial of service (exit) via empty TXT data over D-Bus, which triggers an assert error.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3372

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2008-5081
CVE STATUS: Patched
CVE SUMMARY: The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5081

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2010-2244
CVE STATUS: Patched
CVE SUMMARY: The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNS packet with an invalid checksum followed by a DNS packet with a valid checksum, a different vulnerability than CVE-2008-5081.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2244

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2011-1002
CVE STATUS: Patched
CVE SUMMARY: avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty mDNS (1) IPv4 or (2) IPv6 UDP packet to port 5353.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-2244.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1002

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2017-6519
CVE STATUS: Patched
CVE SUMMARY: avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive  information from the responding device via port-5353 UDP packets.  NOTE: this may overlap CVE-2015-2809.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6519

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2021-26720
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: Issue only affects Debian/SUSE
CVE SUMMARY: avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26720

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2021-3468
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3468

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2021-3502
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3502

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2023-1981
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1981

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2023-38469
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38469

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2023-38470
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38470

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2023-38471
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38471

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2023-38472
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38472

LAYER: meta
PACKAGE NAME: avahi
PACKAGE VERSION: 0.8
CVE: CVE-2023-38473
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38473

LAYER: meta-oe
PACKAGE NAME: yajl
PACKAGE VERSION: 2.1.0
CVE: CVE-2017-16516
CVE STATUS: Patched
CVE SUMMARY: In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16516

LAYER: meta-oe
PACKAGE NAME: yajl
PACKAGE VERSION: 2.1.0
CVE: CVE-2022-24795
CVE STATUS: Patched
CVE SUMMARY: yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24795

LAYER: meta-oe
PACKAGE NAME: yajl
PACKAGE VERSION: 2.1.0
CVE: CVE-2023-33460
CVE STATUS: Patched
CVE SUMMARY: There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33460

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2016-10169
CVE STATUS: Patched
CVE SUMMARY: The read_code function in read_words.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10169

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2016-10170
CVE STATUS: Patched
CVE SUMMARY: The WriteCaffHeader function in cli/caff.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10170

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2016-10171
CVE STATUS: Patched
CVE SUMMARY: The unreorder_channels function in cli/wvunpack.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10171

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2016-10172
CVE STATUS: Patched
CVE SUMMARY: The read_new_config_info function in open_utils.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10172

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-10536
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser component contains a vulnerability that allows writing to memory because ParseRiffHeaderConfig in riff.c does not reject multiple format chunks.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10536

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-10537
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser component contains a vulnerability that allows writing to memory because ParseWave64HeaderConfig in wave64.c does not reject multiple format chunks.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10537

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-10538
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in WavPack 5.1.0 and earlier for WAV input. Out-of-bounds writes can occur because ParseRiffHeaderConfig in riff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10538

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-10539
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input. Out-of-bounds writes can occur because ParseDsdiffHeaderConfig in dsdiff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10539

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-10540
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in WavPack 5.1.0 and earlier for W64 input. Out-of-bounds writes can occur because ParseWave64HeaderConfig in wave64.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10540

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-19840
CVE STATUS: Patched
CVE SUMMARY: The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19840

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-19841
CVE STATUS: Patched
CVE SUMMARY: The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (out-of-bounds read and application crash) via a crafted WavPack Lossless Audio file, as demonstrated by wvunpack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19841

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-6767
CVE STATUS: Patched
CVE SUMMARY: A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via a maliciously crafted RF64 file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6767

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-7253
CVE STATUS: Patched
CVE SUMMARY: The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously crafted DSDIFF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7253

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2018-7254
CVE STATUS: Patched
CVE SUMMARY: The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global buffer over-read), or possibly trigger a buffer overflow or incorrect memory allocation, via a maliciously crafted CAF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7254

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2019-1010315
CVE STATUS: Patched
CVE SUMMARY: WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010315

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2019-1010317
CVE STATUS: Patched
CVE SUMMARY: WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010317

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2019-1010319
CVE STATUS: Patched
CVE SUMMARY: WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseWave64HeaderConfig (wave64.c:211). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010319

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2019-11498
CVE STATUS: Patched
CVE SUMMARY: WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditional jump or move depends on uninitialised value" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11498

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2020-35738
CVE STATUS: Patched
CVE SUMMARY: WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument. NOTE: some third-parties claim that there are later "unofficial" releases through 5.3.2, which are also affected.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35738

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2021-44269
CVE STATUS: Patched
CVE SUMMARY: An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44269

LAYER: meta-oe
PACKAGE NAME: wavpack
PACKAGE VERSION: 5.6.0
CVE: CVE-2022-2476
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2476

LAYER: meta
PACKAGE NAME: speex
PACKAGE VERSION: 1.2.1
CVE: CVE-2008-1686
CVE STATUS: Patched
CVE SUMMARY: Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1686

LAYER: meta
PACKAGE NAME: speex
PACKAGE VERSION: 1.2.1
CVE: CVE-2020-23903
CVE STATUS: Patched
CVE SUMMARY: A Divide by Zero vulnerability in the function static int read_samples of Speex v1.2 allows attackers to cause a denial of service (DoS) via a crafted WAV file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-23903

LAYER: meta
PACKAGE NAME: speex
PACKAGE VERSION: 1.2.1
CVE: CVE-2020-23904
CVE STATUS: Patched
CVE SUMMARY: A stack buffer overflow in speexenc.c of Speex v1.2 allows attackers to cause a denial of service (DoS) via a crafted WAV file. NOTE: the vendor states "I cannot reproduce it" and it "is a demo program.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-23904

LAYER: meta-oe
PACKAGE NAME: libid3tag
PACKAGE VERSION: 0.15.1b
CVE: CVE-2004-2779
CVE STATUS: Patched
CVE SUMMARY: id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service (DoS).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2779

LAYER: meta-oe
PACKAGE NAME: libid3tag
PACKAGE VERSION: 0.15.1b
CVE: CVE-2008-2109
CVE STATUS: Patched
CVE SUMMARY: field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2109

LAYER: meta-oe
PACKAGE NAME: libid3tag
PACKAGE VERSION: 0.15.1b
CVE: CVE-2017-11550
CVE STATUS: Patched
CVE SUMMARY: The id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b allows remote attackers to cause a denial of service (NULL Pointer Dereference and application crash) via a crafted mp3 file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11550

LAYER: meta-oe
PACKAGE NAME: libid3tag
PACKAGE VERSION: 0.15.1b
CVE: CVE-2017-11551
CVE STATUS: Patched
CVE SUMMARY: The id3_field_parse function in field.c in libid3tag 0.15.1b allows remote attackers to cause a denial of service (OOM) via a crafted MP3 file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11551

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2007-4770
CVE STATUS: Patched
CVE SUMMARY: libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4770

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2007-4771
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4771

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2011-4599
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the _canonicalize function in common/uloc.c in International Components for Unicode (ICU) before 49.1 allows remote attackers to execute arbitrary code via a crafted locale ID that is not properly handled during variant canonicalization.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4599

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2014-7923
CVE STATUS: Patched
CVE SUMMARY: The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7923

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2014-7926
CVE STATUS: Patched
CVE SUMMARY: The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7926

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2014-7940
CVE STATUS: Patched
CVE SUMMARY: The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7940

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2014-8146
CVE STATUS: Patched
CVE SUMMARY: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8146

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2014-8147
CVE STATUS: Patched
CVE SUMMARY: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8147

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2014-9654
CVE STATUS: Patched
CVE SUMMARY: The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9654

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2014-9911
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9911

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2015-5922
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in International Components for Unicode (ICU) before 53.1.0, as used in Apple OS X before 10.11 and watchOS before 2, has unknown impact and attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5922

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2016-6293
CVE STATUS: Patched
CVE SUMMARY: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6293

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2016-7415
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7415

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2017-14952
CVE STATUS: Patched
CVE SUMMARY: Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14952

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2017-15396
CVE STATUS: Patched
CVE SUMMARY: A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15396

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2017-15422
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15422

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2017-17484
CVE STATUS: Patched
CVE SUMMARY: The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17484

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2017-7867
CVE STATUS: Patched
CVE SUMMARY: International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7867

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2017-7868
CVE STATUS: Patched
CVE SUMMARY: International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7868

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2018-18928
CVE STATUS: Patched
CVE SUMMARY: International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18928

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2020-10531
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10531

LAYER: meta
PACKAGE NAME: icu
PACKAGE VERSION: 74-2
CVE: CVE-2020-21913
CVE STATUS: Patched
CVE SUMMARY: International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21913

LAYER: meta
PACKAGE NAME: libsamplerate0
PACKAGE VERSION: 0.2.2
CVE: CVE-2017-7697
CVE STATUS: Patched
CVE SUMMARY: In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_output_single function in src_sinc.c via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7697

LAYER: meta
PACKAGE NAME: boost
PACKAGE VERSION: 1.84.0
CVE: CVE-2008-0171
CVE STATUS: Patched
CVE SUMMARY: regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (failed assertion and crash) via an invalid regular expression.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0171

LAYER: meta
PACKAGE NAME: boost
PACKAGE VERSION: 1.84.0
CVE: CVE-2008-0172
CVE STATUS: Patched
CVE SUMMARY: The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0172

LAYER: meta
PACKAGE NAME: boost
PACKAGE VERSION: 1.84.0
CVE: CVE-2013-0252
CVE STATUS: Patched
CVE SUMMARY: boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1.48 through 1.52 does not properly detect certain invalid UTF-8 sequences, which might allow remote attackers to bypass input validation protection mechanisms via crafted trailing bytes.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0252

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2003-0577
CVE STATUS: Patched
CVE SUMMARY: mpg123 0.59r allows remote attackers to cause a denial of service and possibly execute arbitrary code via an MP3 file with a zero bitrate, which creates a negative frame size.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0577

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2003-0865
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in readstring of httpget.c for mpg123 0.59r and 0.59s allows remote attackers to execute arbitrary code via a long request.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0865

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2004-0805
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0805

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2004-0982
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the getauthfromURL function in httpget.c in mpg123 pre0.59s and mpg123 0.59r could allow remote attackers or local users to execute arbitrary code via an mp3 file that contains a long string before the @ (at sign) in a URL.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0982

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2004-0991
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in mpg123 before 0.59s-r9 allows remote attackers to execute arbitrary code via frame headers in MP2 or MP3 files.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0991

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2004-1284
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the find_next_file function in playlist.c for mpg123 0.59r allows remote attackers to execute arbitrary code via a crafted MP3 playlist.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1284

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2006-1655
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in mpg123 0.59r allow user-assisted attackers to trigger a segmentation fault and possibly have other impacts via a certain MP3 file, as demonstrated by mpg1DoS3.  NOTE: this issue might be related to CVE-2004-0991, but it is not clear.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1655

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2006-3355
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in httpdget.c in mpg123 before 0.59s-rll allows remote attackers to execute arbitrary code via a long URL, which is not properly terminated before being used with the strncpy function.  NOTE: This appears to be the result of an incomplete patch for CVE-2004-0982.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3355

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2007-0578
CVE STATUS: Patched
CVE SUMMARY: The http_open function in httpget.c in mpg123 before 0.64 allows remote attackers to cause a denial of service (infinite loop) by closing the HTTP connection early.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0578

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2007-4397
CVE STATUS: Patched
CVE SUMMARY: Multiple CRLF injection vulnerabilities in (1) xmms-thing 1.0, (2) XMMS Remote Control Script 1.07, (3) Disrok 1.0, (4) a2x 0.0.1, (5) Another xmms-info script 1.0, (6) XChat-XMMS 0.8.1, and other unspecified scripts for XChat allow user-assisted remote attackers to execute arbitrary IRC commands via CRLF sequences in the name of the song in a .mp3 file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4397

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2009-1301
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via an ID3 tag with a negative encoding value.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1301

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2014-9497
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in mpg123 before 1.18.0.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9497

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2017-10683
CVE STATUS: Patched
CVE SUMMARY: In mpg123 1.25.0, there is a heap-based buffer over-read in the convert_latin1 function in libmpg123/id3.c. A crafted input will lead to a remote denial of service attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10683

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2017-11126
CVE STATUS: Patched
CVE SUMMARY: The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file that is mishandled in the code for the "block_type != 2" case, a similar issue to CVE-2017-9870.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11126

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2017-12797
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the INT123_parse_new_id3 function in the ID3 parser in mpg123 before 1.25.5 on 32-bit platforms allows remote attackers to cause a denial of service via a crafted file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12797

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2017-12839
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer over-read in the getbits function in src/libmpg123/getbits.h in mpg123 through 1.25.5 allows remote attackers to cause a possible denial-of-service (out-of-bounds read) or possibly have unspecified other impact via a crafted mp3 file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12839

LAYER: meta
PACKAGE NAME: mpg123
PACKAGE VERSION: 1.32.6
CVE: CVE-2017-9545
CVE STATUS: Patched
CVE SUMMARY: The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows remote attackers to cause a denial of service (buffer over-read) via a crafted mp3 file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9545

LAYER: meta
PACKAGE NAME: taglib
PACKAGE VERSION: 2.0.1
CVE: CVE-2012-1107
CVE STATUS: Patched
CVE SUMMARY: The analyzeCurrent function in ape/apeproperties.cpp in TagLib 1.7 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted sampleRate in an ape file, which triggers a divide-by-zero error.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1107

LAYER: meta
PACKAGE NAME: taglib
PACKAGE VERSION: 2.0.1
CVE: CVE-2012-1108
CVE STATUS: Patched
CVE SUMMARY: The parse function in ogg/xiphcomment.cpp in TagLib 1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted vendorLength field in an ogg file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1108

LAYER: meta
PACKAGE NAME: taglib
PACKAGE VERSION: 2.0.1
CVE: CVE-2012-1584
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the mid function in toolkit/tbytevector.cpp in TagLib 1.7 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted file header field in a media file, which triggers a large memory allocation.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1584

LAYER: meta
PACKAGE NAME: taglib
PACKAGE VERSION: 2.0.1
CVE: CVE-2017-12678
CVE STATUS: Patched
CVE SUMMARY: In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12678

LAYER: meta
PACKAGE NAME: taglib
PACKAGE VERSION: 2.0.1
CVE: CVE-2018-11439
CVE STATUS: Patched
CVE SUMMARY: The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11439

LAYER: meta-oe
PACKAGE NAME: fmt
PACKAGE VERSION: 10.2.1
CVE: CVE-2018-1000052
CVE STATUS: Patched
CVE SUMMARY: fmtlib version prior to version 4.1.0 (before commit 0555cea5fc0bf890afe0071a558e44625a34ba85) contains a Memory corruption (SIGSEGV), CWE-134 vulnerability in fmt::print() library function that can result in Denial of Service. This attack appear to be exploitable via Specifying an invalid format specifier in the fmt::print() function results in a SIGSEGV (memory corruption, invalid write). This vulnerability appears to have been fixed in after commit 8cf30aa2be256eba07bb1cefb998c52326e846e7.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000052

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2018-20532
CVE STATUS: Patched
CVE SUMMARY: There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20532

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2018-20533
CVE STATUS: Patched
CVE SUMMARY: There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20533

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2018-20534
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. It cannot be exploited in any real-world application
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20534

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2019-20387
CVE STATUS: Patched
CVE SUMMARY: repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20387

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-3200
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3200

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-33928
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33928

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-33929
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33929

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-33930
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33930

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-33938
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17 allows attackers to cause a Denial of Service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33938

LAYER: meta
PACKAGE NAME: libsolv
PACKAGE VERSION: 0.7.28
CVE: CVE-2021-44568
CVE STATUS: Patched
CVE SUMMARY: Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44568

LAYER: meta
PACKAGE NAME: libical
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5823
CVE STATUS: Patched
CVE SUMMARY: The icalproperty_new_clone function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5823

LAYER: meta
PACKAGE NAME: libical
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5824
CVE STATUS: Patched
CVE SUMMARY: libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5824

LAYER: meta
PACKAGE NAME: libical
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5825
CVE STATUS: Patched
CVE SUMMARY: The icalparser_parse_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted ics file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5825

LAYER: meta
PACKAGE NAME: libical
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5826
CVE STATUS: Patched
CVE SUMMARY: The parser_get_next_char function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) by crafting a string to the icalparser_parse_string function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5826

LAYER: meta
PACKAGE NAME: libical
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-5827
CVE STATUS: Patched
CVE SUMMARY: The icaltime_from_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted string to the icalparser_parse_string function.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5827

LAYER: meta
PACKAGE NAME: libical
PACKAGE VERSION: 3.0.17
CVE: CVE-2016-9584
CVE STATUS: Patched
CVE SUMMARY: libical allows remote attackers to cause a denial of service (use-after-free) and possibly read heap memory via a crafted ics file.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9584

LAYER: meta
PACKAGE NAME: vala-native
PACKAGE VERSION: 0.56.15
CVE: CVE-2014-8154
CVE STATUS: Patched
CVE SUMMARY: The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8154

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2015-9099
CVE STATUS: Patched
CVE SUMMARY: The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file with a negative sample rate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9099

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2015-9100
CVE STATUS: Patched
CVE SUMMARY: The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9100

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2015-9101
CVE STATUS: Patched
CVE SUMMARY: The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.98.4, 3.98.2, 3.98, 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4 and 3.99.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9101

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-11720
CVE STATUS: Patched
CVE SUMMARY: There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11720

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-13712
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in the id3v2AddAudioDuration function in libmp3lame/id3tag.c in LAME 3.99.5 allows attackers to perform Denial of Service by triggering a NULL first argument.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13712

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-15018
CVE STATUS: Patched
CVE SUMMARY: LAME 3.99.5, 3.99.4, 3.99.3, 3.99.2, 3.99.1, 3.99, 3.98.4, 3.98.2 and 3.98 have a heap-based buffer over-read when handling a malformed file in k_34_4 in vbrquantize.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15018

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-15019
CVE STATUS: Patched
CVE SUMMARY: LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init function within libmp3lame/mpglib_interface.c via a malformed mpg file, because of an incorrect calloc call.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15019

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-15045
CVE STATUS: Patched
CVE SUMMARY: LAME 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4, 3.99.5, 3.98.4, 3.98.2 and 3.98 has a heap-based buffer over-read in fill_buffer in libmp3lame/util.c, related to lame_encode_buffer_sample_t in libmp3lame/lame.c, a different vulnerability than CVE-2017-9410.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15045

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-15046
CVE STATUS: Patched
CVE SUMMARY: LAME 3.99.5, 3.99.4, 3.98.4, 3.98.2, 3.98 and 3.97 have a stack-based buffer overflow in unpack_read_samples in frontend/get_audio.c, a different vulnerability than CVE-2017-9412.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15046

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-8419
CVE STATUS: Patched
CVE SUMMARY: LAME through 3.99.5 relies on the signed integer data type for values in a WAV or AIFF header, which allows remote attackers to cause a denial of service (stack-based buffer overflow or heap-based buffer overflow) or possibly have unspecified other impact via a crafted file, as demonstrated by mishandling of num_channels.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8419

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-9412
CVE STATUS: Patched
CVE SUMMARY: The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9412

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-9869
CVE STATUS: Patched
CVE SUMMARY: The II_step_one function in layer2.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9869

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-9870
CVE STATUS: Patched
CVE SUMMARY: The III_i_stereo function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file that is mishandled in the code for the "block_type == 2" case, a similar issue to CVE-2017-11126.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9870

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-9871
CVE STATUS: Patched
CVE SUMMARY: The III_i_stereo function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9871

LAYER: meta
PACKAGE NAME: lame
PACKAGE VERSION: 3.100
CVE: CVE-2017-9872
CVE STATUS: Patched
CVE SUMMARY: The III_dequantize_sample function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9872

LAYER: meta
PACKAGE NAME: gpgme
PACKAGE VERSION: 1.23.2
CVE: CVE-2007-1263
CVE STATUS: Patched
CVE SUMMARY: GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1263

LAYER: meta
PACKAGE NAME: gpgme
PACKAGE VERSION: 1.23.2
CVE: CVE-2014-3564
CVE STATUS: Patched
CVE SUMMARY: Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line lengths in a specific order."
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3564

LAYER: meta
PACKAGE NAME: gpgme
PACKAGE VERSION: 1.23.2
CVE: CVE-2020-8945
CVE STATUS: Patched
CVE SUMMARY: The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8945

LAYER: meta
PACKAGE NAME: json-c
PACKAGE VERSION: 0.17
CVE: CVE-2013-6370
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6370

LAYER: meta
PACKAGE NAME: json-c
PACKAGE VERSION: 0.17
CVE: CVE-2013-6371
CVE STATUS: Patched
CVE SUMMARY: The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6371

LAYER: meta
PACKAGE NAME: json-c
PACKAGE VERSION: 0.17
CVE: CVE-2020-12762
CVE STATUS: Patched
CVE SUMMARY: json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12762

LAYER: meta
PACKAGE NAME: json-c
PACKAGE VERSION: 0.17
CVE: CVE-2021-32292
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32292

LAYER: meta-oe
PACKAGE NAME: libopus
PACKAGE VERSION: 1.5.2
CVE: CVE-2013-0899
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the padding implementation in the opus_packet_parse_impl function in src/opus_decoder.c in Opus before 1.0.2, as used in Google Chrome before 25.0.1364.97 on Windows and Linux and before 25.0.1364.99 on Mac OS X and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a long packet.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0899

LAYER: meta
PACKAGE NAME: vala
PACKAGE VERSION: 0.56.15
CVE: CVE-2014-8154
CVE STATUS: Patched
CVE SUMMARY: The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8154

LAYER: meta
PACKAGE NAME: libsoup
PACKAGE VERSION: 3.4.4
CVE: CVE-2006-5876
CVE STATUS: Patched
CVE SUMMARY: The soup_headers_parse function in soup-headers.c for libsoup HTTP library before 2.2.99 allows remote attackers to cause a denial of service (crash) via malformed HTTP headers, probably involving missing fields or values.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5876

LAYER: meta
PACKAGE NAME: libsoup
PACKAGE VERSION: 3.4.4
CVE: CVE-2009-0585
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the soup_base64_encode function in soup-misc.c in libsoup 2.x.x before 2.2.x, and 2.x before 2.24, allows context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0585

LAYER: meta
PACKAGE NAME: libsoup
PACKAGE VERSION: 3.4.4
CVE: CVE-2011-2524
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in a URI.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2524

LAYER: meta
PACKAGE NAME: libsoup
PACKAGE VERSION: 3.4.4
CVE: CVE-2012-2132
CVE STATUS: Patched
CVE SUMMARY: libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2132

LAYER: meta
PACKAGE NAME: libsoup
PACKAGE VERSION: 3.4.4
CVE: CVE-2017-2885
CVE STATUS: Patched
CVE SUMMARY: An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2885

LAYER: meta
PACKAGE NAME: libsoup
PACKAGE VERSION: 3.4.4
CVE: CVE-2018-11713
CVE STATUS: Patched
CVE SUMMARY: WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ prior to version 2.20.0 or without libsoup 2.62.0, unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11713

LAYER: meta
PACKAGE NAME: libsoup
PACKAGE VERSION: 3.4.4
CVE: CVE-2018-12910
CVE STATUS: Patched
CVE SUMMARY: The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12910

LAYER: meta
PACKAGE NAME: libsoup
PACKAGE VERSION: 3.4.4
CVE: CVE-2019-17266
CVE STATUS: Patched
CVE SUMMARY: libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer over-read because soup_ntlm_parse_challenge() in soup-auth-ntlm.c does not properly check an NTLM message's length before proceeding with a memcpy.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17266

LAYER: meta
PACKAGE NAME: flac
PACKAGE VERSION: 1.4.3
CVE: CVE-2007-4619
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1, as used in Winamp before 5.5 and other products, allow user-assisted remote attackers to execute arbitrary code via a malformed FLAC file that triggers improper memory allocation, resulting in a heap-based buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4619

LAYER: meta
PACKAGE NAME: flac
PACKAGE VERSION: 1.4.3
CVE: CVE-2007-6277
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via large (1) Metadata Block Size, (2) VORBIS Comment String Size, (3) Picture Metadata MIME-TYPE Size, (4) Picture Description Size, (5) Picture Data Length, (6) Padding Length, and (7) PICTURE Metadata width and height values in a .FLAC file, which result in a heap-based overflow; and large (8) VORBIS Comment String Size Length, (9) Picture MIME-Type, (10) Picture MIME-Type URL, and (11) Picture Description Length values in a .FLAC file, which result in a stack-based overflow.  NOTE: some of these issues may overlap CVE-2007-4619.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6277

LAYER: meta
PACKAGE NAME: flac
PACKAGE VERSION: 1.4.3
CVE: CVE-2007-6278
CVE STATUS: Patched
CVE SUMMARY: Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allows user-assisted remote attackers to force a client to download arbitrary files via the MIME-Type URL flag (-->) for the FLAC image file in a crafted .FLAC file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6278

LAYER: meta
PACKAGE NAME: flac
PACKAGE VERSION: 1.4.3
CVE: CVE-2007-6279
CVE STATUS: Patched
CVE SUMMARY: Multiple double free vulnerabilities in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via malformed (1) Seektable values or (2) Seektable Data Offsets in a .FLAC file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6279

LAYER: meta
PACKAGE NAME: flac
PACKAGE VERSION: 1.4.3
CVE: CVE-2014-8962
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8962

LAYER: meta
PACKAGE NAME: flac
PACKAGE VERSION: 1.4.3
CVE: CVE-2014-9028
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9028

LAYER: meta
PACKAGE NAME: flac
PACKAGE VERSION: 1.4.3
CVE: CVE-2017-6888
CVE STATUS: Patched
CVE SUMMARY: An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6888

LAYER: meta
PACKAGE NAME: flac
PACKAGE VERSION: 1.4.3
CVE: CVE-2020-22219
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22219

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2004-0826
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0826

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2006-4340
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339.  NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4340

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2006-5462
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for unpatched product versions that were originally intended to be addressed by CVE-2006-4340.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5462

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2007-0008
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0008

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2007-0009
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0009

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2009-2404
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2404

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2009-2408
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2408

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2011-5094
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473.  NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5094

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2012-0441
CVE STATUS: Patched
CVE SUMMARY: The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0441

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2013-0791
CVE STATUS: Patched
CVE SUMMARY: The CERT_DecodeCertPackage function in Mozilla Network Security Services (NSS), as used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0791

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2013-1620
CVE STATUS: Patched
CVE SUMMARY: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1620

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2013-1739
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1739

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2013-1740
CVE STATUS: Patched
CVE SUMMARY: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1740

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2013-1741
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1741

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2013-5605
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5605

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2013-5606
CVE STATUS: Patched
CVE SUMMARY: The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5606

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2014-1490
CVE STATUS: Patched
CVE SUMMARY: Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1490

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2014-1491
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1491

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2014-1492
CVE STATUS: Patched
CVE SUMMARY: The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1492

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2014-1544
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1544

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2014-1568
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1568

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2014-1569
CVE STATUS: Patched
CVE SUMMARY: The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1569

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2015-2721
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2721

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2015-2730
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and other products, does not properly perform Elliptical Curve Cryptography (ECC) multiplications, which makes it easier for remote attackers to spoof ECDSA signatures via unspecified vectors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2730

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2015-4000
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4000

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2015-7181
CVE STATUS: Patched
CVE SUMMARY: The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7181

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2015-7182
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7182

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2015-7183
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7183

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2015-7575
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7575

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2016-1950
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1950

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2016-1978
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1978

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2016-1979
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1979

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2016-2834
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2834

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2016-8635
CVE STATUS: Patched
CVE SUMMARY: It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8635

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2016-9574
CVE STATUS: Patched
CVE SUMMARY: nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9574

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2017-11695
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db
CVE SUMMARY: Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11695

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2017-11696
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db
CVE SUMMARY: Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11696

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2017-11697
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db
CVE SUMMARY: The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11697

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2017-11698
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db
CVE SUMMARY: Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11698

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2017-5461
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5461

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2017-5462
CVE STATUS: Patched
CVE SUMMARY: A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5462

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2017-7502
CVE STATUS: Patched
CVE SUMMARY: Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7502

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2018-12384
CVE STATUS: Patched
CVE SUMMARY: When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12384

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2018-12404
CVE STATUS: Patched
CVE SUMMARY: A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12404

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2018-18508
CVE STATUS: Patched
CVE SUMMARY: In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18508

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2019-17006
CVE STATUS: Patched
CVE SUMMARY: In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17006

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2019-17007
CVE STATUS: Patched
CVE SUMMARY: In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17007

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2020-25648
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25648

LAYER: meta-oe
PACKAGE NAME: nss-native
PACKAGE VERSION: 3.98
CVE: CVE-2022-3479
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: vulnerability was introduced in 3.77 and fixed in 3.87
CVE SUMMARY: A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3479

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtxmlpatterns
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2007-3152
CVE STATUS: Patched
CVE SUMMARY: c-ares before 1.4.0 uses a predictable seed for the random number generator for the DNS Transaction ID field, which might allow remote attackers to spoof DNS responses by guessing the field value.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3152

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2007-3153
CVE STATUS: Patched
CVE SUMMARY: The ares_init:randomize_key function in c-ares, on platforms other than Windows, uses a weak facility for producing a random number sequence (Unix rand), which makes it easier for remote attackers to spoof DNS responses by guessing certain values.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3153

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2016-5180
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5180

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2017-1000381
CVE STATUS: Patched
CVE SUMMARY: The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000381

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2020-14354
CVE STATUS: Patched
CVE SUMMARY: A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14354

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2020-22217
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22217

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2020-8277
CVE STATUS: Patched
CVE SUMMARY: A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8277

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2021-3672
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3672

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2022-4904
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4904

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2023-31124
CVE STATUS: Patched
CVE SUMMARY: c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.  This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31124

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2023-31130
CVE STATUS: Patched
CVE SUMMARY: c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31130

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2023-31147
CVE STATUS: Patched
CVE SUMMARY: c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31147

LAYER: meta-oe
PACKAGE NAME: c-ares
PACKAGE VERSION: 1.27.0
CVE: CVE-2023-32067
CVE STATUS: Patched
CVE SUMMARY: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32067

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtdeclarative-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtwebsockets
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2000-0803
CVE STATUS: Patched
CVE SUMMARY: GNU Groff uses the current working directory to find a device description file, which allows a local user to gain additional privileges by including a malicious postpro directive in the description file, which is executed when another user runs groff.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0803

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2001-1022
CVE STATUS: Patched
CVE SUMMARY: Format string vulnerability in pic utility in groff 1.16.1 and other versions, and jgroff before 1.15, allows remote attackers to bypass the -S option and execute arbitrary commands via format string specifiers in the plot command.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1022

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2002-0003
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the preprocessor in groff 1.16 and earlier allows remote attackers to gain privileges via lpd in the LPRng printing system.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0003

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2004-0969
CVE STATUS: Patched
CVE SUMMARY: The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0969

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2009-5044
CVE STATUS: Patched
CVE SUMMARY: contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5044

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2009-5078
CVE STATUS: Patched
CVE SUMMARY: contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 launches the Ghostscript program without the -dSAFER option, which allows remote attackers to create, overwrite, rename, or delete arbitrary files via a crafted document.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5078

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2009-5079
CVE STATUS: Patched
CVE SUMMARY: The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/runtests.in scripts in GNU troff (aka groff) 1.21 and earlier allow local users to overwrite arbitrary files via a symlink attack on a gro#####.tmp or /tmp/##### temporary file.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5079

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2009-5080
CVE STATUS: Patched
CVE SUMMARY: The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2graph.sh, and (3) contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21 and earlier do not properly handle certain failed attempts to create temporary directories, which might allow local users to overwrite arbitrary files via a symlink attack on a file in a temporary directory, a different vulnerability than CVE-2004-1296.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5080

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2009-5081
CVE STATUS: Patched
CVE SUMMARY: The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the template argument to the tempfile function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2004-0969.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5081

LAYER: meta
PACKAGE NAME: groff-native
PACKAGE VERSION: 1.23.0
CVE: CVE-2009-5082
CVE STATUS: Patched
CVE SUMMARY: The (1) configure and (2) config.guess scripts in GNU troff (aka groff) 1.20.1 on Openwall GNU/*/Linux (aka Owl) improperly create temporary files upon a failure of the mktemp function, which makes it easier for local users to overwrite arbitrary files via a symlink attack on a temporary file.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5082

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2007-4974
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the flac_buffer_copy function in libsndfile 1.0.17 and earlier might allow remote attackers to execute arbitrary code via a FLAC file with crafted PCM data containing a block with a size that exceeds the previous block size.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4974

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2009-0186
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in libsndfile 1.0.18, as used in Winamp and other products, allows context-dependent attackers to execute arbitrary code via crafted description chunks in a CAF audio file, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0186

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2009-1788
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1788

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2009-1791
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an AIFF file with an invalid header value.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1791

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2009-4835
CVE STATUS: Patched
CVE SUMMARY: The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, (5) float32_init, and (6) sds_read_header functions in libsndfile 1.0.20 allow context-dependent attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4835

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2011-2696
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2696

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2014-9496
CVE STATUS: Patched
CVE SUMMARY: The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9496

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2014-9756
CVE STATUS: Patched
CVE SUMMARY: The psf_fwrite function in file_io.c in libsndfile allows attackers to cause a denial of service (divide-by-zero error and application crash) via unspecified vectors related to the headindex variable.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9756

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2015-7805
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7805

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-12562
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12562

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-14245
CVE STATUS: Patched
CVE SUMMARY: An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14245

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-14246
CVE STATUS: Patched
CVE SUMMARY: An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14246

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-14634
CVE STATUS: Patched
CVE SUMMARY: In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14634

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-16942
CVE STATUS: Patched
CVE SUMMARY: In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists in the function wav_w64_read_fmt_chunk() in wav_w64.c, which may lead to DoS when playing a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16942

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-6892
CVE STATUS: Patched
CVE SUMMARY: In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" function (aiff.c) can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6892

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-7585
CVE STATUS: Patched
CVE SUMMARY: In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7585

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-7586
CVE STATUS: Patched
CVE SUMMARY: In libsndfile before 1.0.28, an error in the "header_read()" function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7586

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-7741
CVE STATUS: Patched
CVE SUMMARY: In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7741

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-7742
CVE STATUS: Patched
CVE SUMMARY: In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7742

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-8361
CVE STATUS: Patched
CVE SUMMARY: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8361

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-8362
CVE STATUS: Patched
CVE SUMMARY: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8362

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-8363
CVE STATUS: Patched
CVE SUMMARY: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8363

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2017-8365
CVE STATUS: Patched
CVE SUMMARY: The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8365

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2018-13139
CVE STATUS: Patched
CVE SUMMARY: A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. The vulnerability can be triggered by the executable sndfile-deinterleave.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13139

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2018-13419
CVE STATUS: Patched
CVE SUMMARY: An issue has been found in libsndfile 1.0.28. There is a memory leak in psf_allocate in common.c, as demonstrated by sndfile-convert. NOTE: The maintainer and third parties were unable to reproduce and closed the issue
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13419

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2018-19432
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19432

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2018-19661
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19661

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2018-19662
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2alaw_array in alaw.c that will lead to a denial of service.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19662

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2018-19758
CVE STATUS: Patched
CVE SUMMARY: There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19758

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2019-3832
CVE STATUS: Patched
CVE SUMMARY: It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3832

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2021-3246
CVE STATUS: Patched
CVE SUMMARY: A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3246

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2021-4156
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4156

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2022-33064
CVE STATUS: Patched
CVE SUMMARY: An off-by-one error in function wav_read_header in src/wav.c in Libsndfile 1.1.0, results in a write out of bound, which allows an attacker to execute arbitrary code, Denial of Service or other unspecified impacts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33064

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2022-33065
CVE STATUS: Patched
CVE SUMMARY: Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33065

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2024-50612
CVE STATUS: Unpatched
CVE SUMMARY: libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50612

LAYER: meta
PACKAGE NAME: libsndfile1
PACKAGE VERSION: 1.2.2
CVE: CVE-2024-50613
CVE STATUS: Unpatched
CVE SUMMARY: libsndfile through 1.2.2 has a reachable assertion, that may lead to application exit, in mpeg_l3_encode.c mpeg_l3_encoder_close.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50613

LAYER: meta
PACKAGE NAME: fontconfig-native
PACKAGE VERSION: 2.15.0
CVE: CVE-2016-5384
CVE STATUS: Patched
CVE SUMMARY: fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5384

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2001-0084
CVE STATUS: Patched
CVE SUMMARY: GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0084

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2004-0753
CVE STATUS: Patched
CVE SUMMARY: The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0753

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2004-0782
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow.  NOTE: this identifier is ONLY for gtk+.  It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0782

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2004-0783
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string.  NOTE: this identifier is ONLY for gtk+.  It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0783

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2004-0788
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0788

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2005-0372
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0372

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2005-0891
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0891

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2005-2975
CVE STATUS: Patched
CVE SUMMARY: io-xpm.c in the gdk-pixbuf XPM image rendering library in GTK+ before 2.8.7 allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2975

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2005-2976
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in io-xpm.c in gdk-pixbuf 0.22.0 in GTK+ before 2.8.7 allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2976

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2007-0010
CVE STATUS: Patched
CVE SUMMARY: The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0010

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2010-0732
CVE STATUS: Patched
CVE SUMMARY: gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver before 2.28.1, performs implicit paints on windows of type GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances and consequently allows physically proximate attackers to bypass screen locking and access an unattended workstation by pressing the Enter key many times.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0732

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2010-4831
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in gdk/win32/gdkinput-win32.c in GTK+ before 2.21.8 allows local users to gain privileges via a Trojan horse Wintab32.dll file in the current working directory.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4831

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2010-4833
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in modules/engines/ms-windows/xp_theme.c in GTK+ before 2.24.0 allows local users to gain privileges via a Trojan horse uxtheme.dll file in the current working directory, a different vulnerability than CVE-2010-4831.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4833

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2012-0828
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BMP).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0828

LAYER: meta
PACKAGE NAME: gtk+3
PACKAGE VERSION: 3.24.41
CVE: CVE-2014-1949
CVE STATUS: Patched
CVE SUMMARY: GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1949

LAYER: meta-oe
PACKAGE NAME: protobuf
PACKAGE VERSION: 4.25.3
CVE: CVE-2015-5237
CVE STATUS: Patched
CVE SUMMARY: protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5237

LAYER: meta-oe
PACKAGE NAME: protobuf
PACKAGE VERSION: 4.25.3
CVE: CVE-2021-22570
CVE STATUS: Patched
CVE SUMMARY: Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22570

LAYER: meta-oe
PACKAGE NAME: protobuf
PACKAGE VERSION: 4.25.3
CVE: CVE-2021-3121
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3121

LAYER: meta-oe
PACKAGE NAME: protobuf
PACKAGE VERSION: 4.25.3
CVE: CVE-2023-24535
CVE STATUS: Patched
CVE SUMMARY: Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24535

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2011-2485
CVE STATUS: Patched
CVE SUMMARY: The gdk_pixbuf__gif_image_load function in gdk-pixbuf/io-gif.c in gdk-pixbuf before 2.23.5 does not properly handle certain return values, which allows remote attackers to cause a denial of service (memory consumption) via a crafted GIF image file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2485

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2011-2897
CVE STATUS: Patched
CVE SUMMARY: gdk-pixbuf through 2.31.1 has GIF loader buffer overflow when initializing decompression tables due to an input validation flaw
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2897

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2012-2370
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the read_bitmap_file_data function in io-xbm.c in gdk-pixbuf before 2.26.1 allow remote attackers to cause a denial of service (application crash) via a negative (1) height or (2) width in an XBM file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2370

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2015-4491
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4491

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2015-7673
CVE STATUS: Patched
CVE SUMMARY: io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its allocation failed, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7673

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2015-7674
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the pixops_scale_nearest function in pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted GIF image file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7674

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2015-8875
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) pixops_composite_nearest, (2) pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8875

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2016-6352
CVE STATUS: Patched
CVE SUMMARY: The OneLine32 function in io-ico.c in gdk-pixbuf before 2.35.3 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via crafted dimensions in an ICO file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6352

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-1000422
CVE STATUS: Patched
CVE SUMMARY: Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflow in the gif_get_lzw function resulting in memory corruption and potential code execution
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000422

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-12447
CVE STATUS: Patched
CVE SUMMARY: GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12447

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-2862
CVE STATUS: Patched
CVE SUMMARY: An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2862

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-2870
CVE STATUS: Patched
CVE SUMMARY: An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2870

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-6311
CVE STATUS: Patched
CVE SUMMARY: gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to printing an error message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6311

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-6312
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6312

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-6313
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the load_resources function in io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6313

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-6314
CVE STATUS: Patched
CVE SUMMARY: The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6314

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2020-29385
CVE STATUS: Patched
CVE SUMMARY: GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29385

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2021-20240
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20240

LAYER: meta
PACKAGE NAME: gdk-pixbuf-native
PACKAGE VERSION: 2.42.12
CVE: CVE-2021-46829
CVE STATUS: Patched
CVE SUMMARY: GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46829

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2016-9085
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in libwebp allows attackers to have unspecified impact via unknown vectors.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9085

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2016-9969
CVE STATUS: Patched
CVE SUMMARY: In libwebp 0.5.1, there is a double free bug in libwebpmux.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9969

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2018-25009
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE16().
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25009

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2018-25010
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter().
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25010

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2018-25011
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16().
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25011

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2018-25012
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24().
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25012

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2018-25013
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes().
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25013

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2018-25014
CVE STATUS: Patched
CVE SUMMARY: A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol().
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25014

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2020-36328
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36328

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2020-36329
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36329

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2020-36330
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36330

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2020-36331
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36331

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2020-36332
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36332

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2023-1999
CVE STATUS: Patched
CVE SUMMARY: There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. 

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1999

LAYER: meta
PACKAGE NAME: libwebp
PACKAGE VERSION: 1.3.2
CVE: CVE-2023-4863
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4863

LAYER: meta
PACKAGE NAME: orc-native
PACKAGE VERSION: 0.4.39
CVE: CVE-2018-8015
CVE STATUS: Patched
CVE SUMMARY: In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8015

LAYER: meta
PACKAGE NAME: orc-native
PACKAGE VERSION: 0.4.39
CVE: CVE-2024-40897
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40897

LAYER: meta
PACKAGE NAME: harfbuzz
PACKAGE VERSION: 8.3.0
CVE: CVE-2015-8947
CVE STATUS: Patched
CVE SUMMARY: hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8947

LAYER: meta
PACKAGE NAME: harfbuzz
PACKAGE VERSION: 8.3.0
CVE: CVE-2015-9274
CVE STATUS: Patched
CVE SUMMARY: HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh, hb-ot-layout-gsub-table.hh, and hb-ot-layout-gsubgpos-private.hh.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9274

LAYER: meta
PACKAGE NAME: harfbuzz
PACKAGE VERSION: 8.3.0
CVE: CVE-2016-2052
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2052

LAYER: meta
PACKAGE NAME: harfbuzz
PACKAGE VERSION: 8.3.0
CVE: CVE-2021-45931
CVE STATUS: Patched
CVE SUMMARY: HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45931

LAYER: meta
PACKAGE NAME: harfbuzz
PACKAGE VERSION: 8.3.0
CVE: CVE-2022-33068
CVE STATUS: Patched
CVE SUMMARY: An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33068

LAYER: meta
PACKAGE NAME: harfbuzz
PACKAGE VERSION: 8.3.0
CVE: CVE-2023-25193
CVE STATUS: Patched
CVE SUMMARY: hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25193

LAYER: meta
PACKAGE NAME: zip-native
PACKAGE VERSION: 3.0
CVE: CVE-2004-1010
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1010

LAYER: meta
PACKAGE NAME: zip-native
PACKAGE VERSION: 3.0
CVE: CVE-2018-13410
CVE STATUS: Ignored
CVE DETAIL: disputed
CVE DESCRIPTION: Disputed and also Debian doesn't consider a vulnerability
CVE SUMMARY: Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13410

LAYER: meta
PACKAGE NAME: zip-native
PACKAGE VERSION: 3.0
CVE: CVE-2018-13684
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: Not for zip but for smart contract implementation for it
CVE SUMMARY: The mintToken function of a smart contract implementation for ZIP, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13684

LAYER: meta
PACKAGE NAME: zip-native
PACKAGE VERSION: 3.0
CVE: CVE-2023-39135
CVE STATUS: Patched
CVE SUMMARY: An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39135

LAYER: meta
PACKAGE NAME: alsa-lib
PACKAGE VERSION: 1.2.11
CVE: CVE-2005-0087
CVE STATUS: Patched
CVE SUMMARY: The alsa-lib package in Red Hat Linux 4 disables stack protection for the libasound.so library, which makes it easier for attackers to execute arbitrary code if there are other vulnerabilities in the library.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0087

LAYER: meta-oe
PACKAGE NAME: protobuf-native
PACKAGE VERSION: 4.25.3
CVE: CVE-2015-5237
CVE STATUS: Patched
CVE SUMMARY: protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5237

LAYER: meta-oe
PACKAGE NAME: protobuf-native
PACKAGE VERSION: 4.25.3
CVE: CVE-2021-22570
CVE STATUS: Patched
CVE SUMMARY: Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22570

LAYER: meta-oe
PACKAGE NAME: protobuf-native
PACKAGE VERSION: 4.25.3
CVE: CVE-2021-3121
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3121

LAYER: meta-oe
PACKAGE NAME: protobuf-native
PACKAGE VERSION: 4.25.3
CVE: CVE-2023-24535
CVE STATUS: Patched
CVE SUMMARY: Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24535

LAYER: meta
PACKAGE NAME: orc
PACKAGE VERSION: 0.4.39
CVE: CVE-2018-8015
CVE STATUS: Patched
CVE SUMMARY: In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8015

LAYER: meta
PACKAGE NAME: orc
PACKAGE VERSION: 0.4.39
CVE: CVE-2024-40897
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40897

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2007-3152
CVE STATUS: Patched
CVE SUMMARY: c-ares before 1.4.0 uses a predictable seed for the random number generator for the DNS Transaction ID field, which might allow remote attackers to spoof DNS responses by guessing the field value.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3152

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2007-3153
CVE STATUS: Patched
CVE SUMMARY: The ares_init:randomize_key function in c-ares, on platforms other than Windows, uses a weak facility for producing a random number sequence (Unix rand), which makes it easier for remote attackers to spoof DNS responses by guessing certain values.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3153

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2016-5180
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5180

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2017-1000381
CVE STATUS: Patched
CVE SUMMARY: The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000381

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2020-14354
CVE STATUS: Patched
CVE SUMMARY: A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14354

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2020-22217
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22217

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2020-8277
CVE STATUS: Patched
CVE SUMMARY: A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8277

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2021-3672
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3672

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2022-4904
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4904

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2023-31124
CVE STATUS: Patched
CVE SUMMARY: c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.  This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31124

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2023-31130
CVE STATUS: Patched
CVE SUMMARY: c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31130

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2023-31147
CVE STATUS: Patched
CVE SUMMARY: c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31147

LAYER: meta-oe
PACKAGE NAME: c-ares-native
PACKAGE VERSION: 1.27.0
CVE: CVE-2023-32067
CVE STATUS: Patched
CVE SUMMARY: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32067

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2007-3106
CVE STATUS: Patched
CVE SUMMARY: lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via invalid (1) blocksize_0 and (2) blocksize_1 values, which trigger a "heap overwrite" in the _01inverse function in res0.c.  NOTE: this issue has been RECAST so that CVE-2007-4029 handles additional vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3106

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2007-4029
CVE STATUS: Patched
CVE SUMMARY: libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service via (1) an invalid mapping type, which triggers an out-of-bounds read in the vorbis_info_clear function in info.c, and (2) invalid blocksize values that trigger a segmentation fault in the read function in block.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4029

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2007-4065
CVE STATUS: Patched
CVE SUMMARY: lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted OGG file, aka trac Changeset 13217.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4065

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2007-4066
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow context-dependent attackers to cause a denial of service or have other unspecified impact via a crafted OGG file, aka trac Changesets 13162, 13168, 13169, 13170, 13172, 13211, and 13215, as demonstrated by an overflow in oggenc.exe related to the _psy_noiseguards_8 array.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4066

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2008-1419
CVE STATUS: Patched
CVE SUMMARY: Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1419

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2008-1420
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1420

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2008-1423
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1423

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2008-2009
CVE STATUS: Patched
CVE SUMMARY: Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2009

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2017-11333
CVE STATUS: Patched
CVE SUMMARY: The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (OOM) via a crafted wav file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11333

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2017-14160
CVE STATUS: Patched
CVE SUMMARY: The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14160

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2017-14632
CVE STATUS: Patched
CVE SUMMARY: Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14632

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2017-14633
CVE STATUS: Patched
CVE SUMMARY: In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis().
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14633

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2018-10392
CVE STATUS: Patched
CVE SUMMARY: mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not validate the number of channels, which allows remote attackers to cause a denial of service (heap-based buffer overflow or over-read) or possibly have unspecified other impact via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10392

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2018-10393
CVE STATUS: Patched
CVE SUMMARY: bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10393

LAYER: meta
PACKAGE NAME: libvorbis
PACKAGE VERSION: 1.3.7
CVE: CVE-2020-20412
CVE STATUS: Patched
CVE SUMMARY: lib/codebook.c in libvorbis before 1.3.6, as used in StepMania 5.0.12 and other products, has insufficient array bounds checking via a crafted OGG file. NOTE: this may overlap CVE-2018-5146.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20412

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2011-3146
CVE STATUS: Patched
CVE SUMMARY: librsvg before 2.34.1 uses the node name to identify the type of node, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference) and possibly execute arbitrary code via a SVG file with a node with the element name starting with "fe," which is misidentified as a RsvgFilterPrimitive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3146

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2013-1881
CVE STATUS: Patched
CVE SUMMARY: GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1881

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2015-7557
CVE STATUS: Patched
CVE SUMMARY: The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg before 2.40.7 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via an odd number of elements in a coordinate pair in an SVG document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7557

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2015-7558
CVE STATUS: Patched
CVE SUMMARY: librsvg before 2.40.12 allows context-dependent attackers to cause a denial of service (infinite loop, stack consumption, and application crash) via cyclic references in an SVG document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7558

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2016-4348
CVE STATUS: Patched
CVE SUMMARY: The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via circular definitions in an SVG document.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4348

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2016-6163
CVE STATUS: Patched
CVE SUMMARY: The rsvg_pattern_fix_fallback function in rsvg-paint_server.c in librsvg2 2.40.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted svg file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6163

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2017-11464
CVE STATUS: Patched
CVE SUMMARY: A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in GNOME librsvg 2.40.17 during an attempted parse of a crafted SVG file, because of incorrect protection against division by zero.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11464

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2018-1000041
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: Issue only applies on Windows
CVE SUMMARY: GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appear to be exploitable via The victim must process a specially crafted SVG file containing an UNC path on Windows.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000041

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2019-20446
CVE STATUS: Patched
CVE SUMMARY: In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20446

LAYER: meta
PACKAGE NAME: librsvg
PACKAGE VERSION: 2.57.1
CVE: CVE-2023-38633
CVE STATUS: Patched
CVE SUMMARY: A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38633

LAYER: meta-selinux
PACKAGE NAME: checkpolicy
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2012-2320
CVE STATUS: Patched
CVE SUMMARY: ConnMan before 0.85 does not ensure that netlink messages originate from the kernel, which allows remote attackers to bypass intended access restrictions and cause a denial of service via a crafted netlink message.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2320

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2012-2321
CVE STATUS: Patched
CVE SUMMARY: The loopback plug-in in ConnMan before 0.85 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) host name or (2) domain name in a DHCP reply.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2321

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2012-2322
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the dhcpv6_get_option function in gdhcp/client.c in ConnMan before 0.85 allows remote attackers to cause a denial of service (infinite loop and crash) via an invalid length value in a DHCP packet.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2322

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2012-6459
CVE STATUS: Patched
CVE SUMMARY: ConnMan 1.3 on Tizen continues to list the bluetooth service after offline mode has been enabled, which might allow remote attackers to obtain sensitive information via Bluetooth packets.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6459

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2017-12865
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in "dnsproxy.c" in connman 1.34 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted response query string passed to the "name" variable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12865

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2021-26675
CVE STATUS: Patched
CVE SUMMARY: A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26675

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2021-26676
CVE STATUS: Patched
CVE SUMMARY: gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26676

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2021-33833
CVE STATUS: Patched
CVE SUMMARY: ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based buffer overflow in uncompress in dnsproxy.c via NAME, RDATA, or RDLENGTH (for A or AAAA).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33833

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2022-23096
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23096

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2022-23097
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen call, leading to an out-of-bounds read.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23097

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2022-23098
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23098

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2022-32292
CVE STATUS: Patched
CVE SUMMARY: In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to exploit a heap-based buffer overflow in received_data to execute code.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32292

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2022-32293
CVE STATUS: Patched
CVE SUMMARY: In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32293

LAYER: meta
PACKAGE NAME: connman
PACKAGE VERSION: 1.42
CVE: CVE-2023-28488
CVE STATUS: Patched
CVE SUMMARY: client.c in gdhcp in ConnMan through 1.41 could be used by network-adjacent attackers (operating a crafted DHCP server) to cause a stack-based buffer overflow and denial of service, terminating the connman process.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28488

LAYER: meta
PACKAGE NAME: fribidi
PACKAGE VERSION: 1.0.14
CVE: CVE-2010-3444
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the log2vis_utf8 function in pyfribidi.c in GNU FriBidi 0.19.1, 0.19.2, and possibly other versions, as used in PyFriBidi 0.10.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Arabic UTF-8 string that causes original 2-byte UTF-8 sequences to be transformed into 3-byte sequences.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3444

LAYER: meta
PACKAGE NAME: fribidi
PACKAGE VERSION: 1.0.14
CVE: CVE-2019-18397
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in HexChat.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18397

LAYER: meta
PACKAGE NAME: fribidi
PACKAGE VERSION: 1.0.14
CVE: CVE-2022-25308
CVE STATUS: Patched
CVE SUMMARY: A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25308

LAYER: meta
PACKAGE NAME: fribidi
PACKAGE VERSION: 1.0.14
CVE: CVE-2022-25309
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25309

LAYER: meta
PACKAGE NAME: fribidi
PACKAGE VERSION: 1.0.14
CVE: CVE-2022-25310
CVE STATUS: Patched
CVE SUMMARY: A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25310

LAYER: meta
PACKAGE NAME: pango-native
PACKAGE VERSION: 1.52.1
CVE: CVE-2009-1194
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1194

LAYER: meta
PACKAGE NAME: pango-native
PACKAGE VERSION: 1.52.1
CVE: CVE-2010-0421
CVE STATUS: Patched
CVE SUMMARY: Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0421

LAYER: meta
PACKAGE NAME: pango-native
PACKAGE VERSION: 1.52.1
CVE: CVE-2011-0020
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0020

LAYER: meta
PACKAGE NAME: pango-native
PACKAGE VERSION: 1.52.1
CVE: CVE-2011-0064
CVE STATUS: Patched
CVE SUMMARY: The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0064

LAYER: meta
PACKAGE NAME: pango-native
PACKAGE VERSION: 1.52.1
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta
PACKAGE NAME: pango-native
PACKAGE VERSION: 1.52.1
CVE: CVE-2018-15120
CVE STATUS: Patched
CVE SUMMARY: libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15120

LAYER: meta
PACKAGE NAME: pango-native
PACKAGE VERSION: 1.52.1
CVE: CVE-2019-1010238
CVE STATUS: Patched
CVE SUMMARY: Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010238

LAYER: meta-selinux
PACKAGE NAME: semodule-utils
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2001-0084
CVE STATUS: Patched
CVE SUMMARY: GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0084

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2004-0753
CVE STATUS: Patched
CVE SUMMARY: The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0753

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2004-0782
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow.  NOTE: this identifier is ONLY for gtk+.  It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0782

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2004-0783
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string.  NOTE: this identifier is ONLY for gtk+.  It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0783

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2004-0788
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0788

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2005-0372
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0372

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2005-0891
CVE STATUS: Patched
CVE SUMMARY: Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0891

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2005-2975
CVE STATUS: Patched
CVE SUMMARY: io-xpm.c in the gdk-pixbuf XPM image rendering library in GTK+ before 2.8.7 allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2975

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2005-2976
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in io-xpm.c in gdk-pixbuf 0.22.0 in GTK+ before 2.8.7 allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2976

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2007-0010
CVE STATUS: Patched
CVE SUMMARY: The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0010

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2010-0732
CVE STATUS: Patched
CVE SUMMARY: gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver before 2.28.1, performs implicit paints on windows of type GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances and consequently allows physically proximate attackers to bypass screen locking and access an unattended workstation by pressing the Enter key many times.
CVSS v2 BASE SCORE: 6.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0732

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2010-4831
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in gdk/win32/gdkinput-win32.c in GTK+ before 2.21.8 allows local users to gain privileges via a Trojan horse Wintab32.dll file in the current working directory.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4831

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2010-4833
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in modules/engines/ms-windows/xp_theme.c in GTK+ before 2.24.0 allows local users to gain privileges via a Trojan horse uxtheme.dll file in the current working directory, a different vulnerability than CVE-2010-4831.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4833

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2012-0828
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BMP).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0828

LAYER: meta
PACKAGE NAME: gtk+3-native
PACKAGE VERSION: 3.24.41
CVE: CVE-2014-1949
CVE STATUS: Patched
CVE SUMMARY: GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1949

LAYER: meta
PACKAGE NAME: strace
PACKAGE VERSION: 6.7
CVE: CVE-2000-0006
CVE STATUS: Unpatched
CVE SUMMARY: strace allows local users to read arbitrary files via memory mapped file names.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0006

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2008-0595
CVE STATUS: Patched
CVE SUMMARY: dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0595

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2008-3834
CVE STATUS: Patched
CVE SUMMARY: The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3834

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2008-4311
CVE STATUS: Patched
CVE SUMMARY: The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4311

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2009-1189
CVE STATUS: Patched
CVE SUMMARY: The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key.  NOTE: this is due to an incorrect fix for CVE-2008-3834.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1189

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2010-4352
CVE STATUS: Patched
CVE SUMMARY: Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allows local users to cause a denial of service (daemon crash) via a message containing many nested variants.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4352

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2011-2200
CVE STATUS: Patched
CVE SUMMARY: The _dbus_header_byteswap function in dbus-marshal-header.c in D-Bus (aka DBus) 1.2.x before 1.2.28, 1.4.x before 1.4.12, and 1.5.x before 1.5.4 does not properly handle a non-native byte order, which allows local users to cause a denial of service (connection loss), obtain potentially sensitive information, or conduct unspecified state-modification attacks via crafted messages.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2200

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2011-2533
CVE STATUS: Patched
CVE SUMMARY: The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows local users to overwrite arbitrary files via a symlink attack on an unspecified file in /tmp/.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2533

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2012-3524
CVE STATUS: Patched
CVE SUMMARY: libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable.  NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3524

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2013-2168
CVE STATUS: Patched
CVE SUMMARY: The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2168

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3477
CVE STATUS: Patched
CVE SUMMARY: The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3477

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3532
CVE STATUS: Patched
CVE SUMMARY: dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3532

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3533
CVE STATUS: Patched
CVE SUMMARY: dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3533

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3635
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3635

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3636
CVE STATUS: Patched
CVE SUMMARY: D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3636

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3637
CVE STATUS: Patched
CVE SUMMARY: D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3637

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3638
CVE STATUS: Patched
CVE SUMMARY: The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3638

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-3639
CVE STATUS: Patched
CVE SUMMARY: The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3639

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2014-7824
CVE STATUS: Patched
CVE SUMMARY: D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7824

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2015-0245
CVE STATUS: Patched
CVE SUMMARY: D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0245

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2019-12749
CVE STATUS: Patched
CVE SUMMARY: dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12749

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2020-12049
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12049

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2020-35512
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35512

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2022-42010
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42010

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2022-42011
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42011

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2022-42012
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42012

LAYER: meta
PACKAGE NAME: dbus-native
PACKAGE VERSION: 1.14.10
CVE: CVE-2023-34969
CVE STATUS: Patched
CVE SUMMARY: D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34969

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-1999-0473
CVE STATUS: Patched
CVE SUMMARY: The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0473

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2002-0048
CVE STATUS: Patched
CVE SUMMARY: Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0048

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2002-0080
CVE STATUS: Patched
CVE SUMMARY: rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0080

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2003-0962
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0962

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2004-0426
CVE STATUS: Patched
CVE SUMMARY: rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0426

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2004-0792
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0792

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2006-2083
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the receive_xattr function in the extended attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers to execute arbitrary code via crafted extended attributes that trigger a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2083

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2007-4091
CVE STATUS: Patched
CVE SUMMARY: Multiple off-by-one errors in the sender.c in rsync 2.6.9 might allow remote attackers to execute arbitrary code via directory names that are not properly handled when calling the f_name function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4091

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2007-6199
CVE STATUS: Patched
CVE SUMMARY: rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6199

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2007-6200
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in rsync before 3.0.0pre6, when running a writable rsync daemon, allows remote attackers to bypass exclude, exclude_from, and filter and read or write hidden files via (1) symlink, (2) partial-dir, (3) backup-dir, and unspecified (4) dest options.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6200

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2008-1720
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary code via unknown vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1720

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2011-1097
CVE STATUS: Patched
CVE SUMMARY: rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1097

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2014-2855
CVE STATUS: Patched
CVE SUMMARY: The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a user name which does not exist in the secrets file.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2855

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2014-9512
CVE STATUS: Patched
CVE SUMMARY: rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9512

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2017-15994
CVE STATUS: Patched
CVE SUMMARY: rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15994

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2017-16548
CVE STATUS: Patched
CVE SUMMARY: The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16548

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2017-17433
CVE STATUS: Patched
CVE SUMMARY: The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17433

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2017-17434
CVE STATUS: Patched
CVE SUMMARY: The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17434

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2018-5764
CVE STATUS: Patched
CVE SUMMARY: The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5764

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2020-14387
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14387

LAYER: meta
PACKAGE NAME: rsync
PACKAGE VERSION: 3.2.7
CVE: CVE-2022-29154
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29154

LAYER: meta-selinux
PACKAGE NAME: selinux-python
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2005-0366
CVE STATUS: Patched
CVE SUMMARY: The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0366

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2006-3082
CVE STATUS: Patched
CVE SUMMARY: parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions, allows remote attackers to cause a denial of service (gpg crash) and possibly overwrite memory via a message packet with a large length (long user ID string), which could lead to an integer overflow, as demonstrated using the --no-armor option.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3082

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2006-3746
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3746

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2006-6169
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6169

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2007-1263
CVE STATUS: Patched
CVE SUMMARY: GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1263

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2008-1530
CVE STATUS: Patched
CVE SUMMARY: GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs."
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1530

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2010-2547
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2547

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2011-2207
CVE STATUS: Patched
CVE SUMMARY: dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2207

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2012-6085
CVE STATUS: Patched
CVE SUMMARY: The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an OpenPGP packet.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6085

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2013-4242
CVE STATUS: Patched
CVE SUMMARY: GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4242

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2013-4351
CVE STATUS: Patched
CVE SUMMARY: GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4351

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2013-4402
CVE STATUS: Patched
CVE SUMMARY: The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4402

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2013-4576
CVE STATUS: Patched
CVE SUMMARY: GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4576

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2014-3591
CVE STATUS: Patched
CVE SUMMARY: Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3591

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2014-4617
CVE STATUS: Patched
CVE SUMMARY: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4617

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2014-9087
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9087

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2015-0837
CVE STATUS: Patched
CVE SUMMARY: The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0837

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2015-1606
CVE STATUS: Patched
CVE SUMMARY: The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1606

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2015-1607
CVE STATUS: Patched
CVE SUMMARY: kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and "memcpy with overlapping ranges."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1607

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2016-6313
CVE STATUS: Patched
CVE SUMMARY: The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6313

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2018-1000858
CVE STATUS: Patched
CVE SUMMARY: GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000858

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2018-12020
CVE STATUS: Patched
CVE SUMMARY: mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12020

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2018-9234
CVE STATUS: Patched
CVE SUMMARY: GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9234

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2019-13050
CVE STATUS: Patched
CVE SUMMARY: Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13050

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2019-14855
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14855

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2020-25125
CVE STATUS: Patched
CVE SUMMARY: GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is unaffected. GnuPG 2.2.23 is a fixed version.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25125

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2022-3219
CVE STATUS: Unpatched
CVE SUMMARY: GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3219

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2022-34903
CVE STATUS: Patched
CVE SUMMARY: GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34903

LAYER: meta
PACKAGE NAME: gnupg
PACKAGE VERSION: 2.4.4
CVE: CVE-2022-3515
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3515

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2001-0408
CVE STATUS: Patched
CVE SUMMARY: vim (aka gvim) processes VIM control codes that are embedded in a file, which could allow attackers to execute arbitrary commands when another user opens a file containing malicious VIM control codes.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0408

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2001-0409
CVE STATUS: Patched
CVE SUMMARY: vim (aka gvim) allows local users to modify files being edited by other users via a symlink attack on the backup and swap files, when the victim is editing the file in a world writable directory.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0409

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2002-1377
CVE STATUS: Patched
CVE SUMMARY: vim 6.0 and 6.1, and possibly other versions, allows attackers to execute arbitrary commands using the libcall feature in modelines, which are not sandboxed but may be executed when vim is used to edit a malicious file, as demonstrated using mutt.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1377

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2004-1138
CVE STATUS: Patched
CVE SUMMARY: VIM before 6.3 and gVim before 6.3 allow local users to execute arbitrary commands via a file containing a crafted modeline that is executed when the file is viewed using options such as (1) termcap, (2) printdevice, (3) titleold, (4) filetype, (5) syntax, (6) backupext, (7) keymap, (8) patchmode, or (9) langmenu.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1138

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2005-0069
CVE STATUS: Patched
CVE SUMMARY: The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow local users to overwrite or create arbitrary files via a symlink attack on temporary files.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0069

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2005-2368
CVE STATUS: Patched
CVE SUMMARY: vim 6.3 before 6.3.082, with modelines enabled, allows external user-assisted attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2368

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2007-2438
CVE STATUS: Patched
CVE SUMMARY: The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2438

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2007-2953
CVE STATUS: Patched
CVE SUMMARY: Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2953

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2008-2712
CVE STATUS: Patched
CVE SUMMARY: Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw.  NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298.  NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2712

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2008-3074
CVE STATUS: Patched
CVE SUMMARY: The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a tar archive and possibly (2) the filename of the first file in a tar archive, which is not properly handled by the VIM TAR plugin (tar.vim) v.10 through v.22, as demonstrated by the shellescape, tarplugin.v2, tarplugin, and tarplugin.updated test cases.  NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3075.  NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3074

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2008-3075
CVE STATUS: Patched
CVE SUMMARY: The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases.  NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.  NOTE: this issue has the same root cause as CVE-2008-3074.  NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3075

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2008-3076
CVE STATUS: Patched
CVE SUMMARY: The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases.  NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3076

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2008-3294
CVE STATUS: Patched
CVE SUMMARY: src/configure.in in Vim 5.0 through 7.1, when used for a build with Python support, does not ensure that the Makefile-conf temporary file has the intended ownership and permissions, which allows local users to execute arbitrary code by modifying this file during a time window, or by creating it ahead of time with permissions that prevent its modification by configure.
CVSS v2 BASE SCORE: 3.7
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3294

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2008-3432
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3432

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2008-4101
CVE STATUS: Patched
CVE SUMMARY: Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4101

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2008-6235
CVE STATUS: Patched
CVE SUMMARY: The Netrw plugin (netrw.vim) in Vim 7.0 and 7.1 allows user-assisted attackers to execute arbitrary commands via shell metacharacters in a filename used by the (1) "D" (delete) command or (2) b:netrw_curdir variable, as demonstrated using the netrw.v4 and netrw.v5 test cases.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6235

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2009-0316
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in src/if_python.c in the Python interface in Vim before 7.2.045 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983), as demonstrated by an erroneous search path for plugin/bike.vim in bicyclerepair.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0316

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2016-1248
CVE STATUS: Patched
CVE SUMMARY: vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1248

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2017-1000382
CVE STATUS: Patched
CVE SUMMARY: VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file ("[ORIGINAL_FILENAME].swp") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000382

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2017-11109
CVE STATUS: Patched
CVE SUMMARY: Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. NOTE: there might be a limited number of scenarios in which this has security relevance.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11109

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2017-17087
CVE STATUS: Patched
CVE SUMMARY: fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17087

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2017-5953
CVE STATUS: Patched
CVE SUMMARY: vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5953

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2017-6349
CVE STATUS: Patched
CVE SUMMARY: An integer overflow at a u_read_undo memory allocation site would occur for vim before patch 8.0.0377, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6349

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2017-6350
CVE STATUS: Patched
CVE SUMMARY: An integer overflow at an unserialize_uep memory allocation site would occur for vim before patch 8.0.0378, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6350

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2019-12735
CVE STATUS: Patched
CVE SUMMARY: getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12735

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2019-14957
CVE STATUS: Patched
CVE SUMMARY: The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14957

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2019-20079
CVE STATUS: Patched
CVE SUMMARY: The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20079

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2019-20807
CVE STATUS: Patched
CVE SUMMARY: In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20807

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2020-20703
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in VIM v.8.1.2135 allows a remote attacker to execute arbitrary code via the operand parameter.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20703

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-28832
CVE STATUS: Patched
CVE SUMMARY: VSCodeVim before 1.19.0 allows attackers to execute arbitrary code via a crafted workspace configuration.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28832

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3236
CVE STATUS: Patched
CVE SUMMARY: vim 8.2.2348 is affected by null pointer dereference, allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3236

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3770
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3770

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3778
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3778

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3796
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Use After Free
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3796

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3872
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3872

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3875
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3875

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3903
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3903

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3927
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3927

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3928
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Use of Uninitialized Variable
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3928

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3968
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 8.5
CVSS v3 BASE SCORE: 8.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3968

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3973
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3973

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3974
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Use After Free
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3974

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-3984
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3984

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-4019
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4019

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-4069
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Use After Free
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4069

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-4136
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4136

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-4166
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Out-of-bounds Read
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4166

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-4173
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Use After Free
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4173

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-4187
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Use After Free
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4187

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-4192
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Use After Free
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4192

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2021-4193
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Out-of-bounds Read
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4193

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0128
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Out-of-bounds Read
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0128

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0156
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Use After Free
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0156

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0158
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0158

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0213
CVE STATUS: Patched
CVE SUMMARY: vim is vulnerable to Heap-based Buffer Overflow
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0213

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0261
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0261

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0318
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 6.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0318

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0319
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0319

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0351
CVE STATUS: Patched
CVE SUMMARY: Access of Memory Location Before Start of Buffer in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0351

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0359
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0359

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0361
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0361

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0368
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0368

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0392
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0392

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0393
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0393

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0407
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0407

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0408
CVE STATUS: Patched
CVE SUMMARY: Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0408

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0413
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0413

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0417
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0417

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0443
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0443

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0554
CVE STATUS: Patched
CVE SUMMARY: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0554

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0572
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0572

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0629
CVE STATUS: Patched
CVE SUMMARY: Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0629

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0685
CVE STATUS: Patched
CVE SUMMARY: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0685

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0696
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4428.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.2
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0696

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0714
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 8.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0714

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0729
CVE STATUS: Patched
CVE SUMMARY: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0729

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-0943
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0943

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1154
CVE STATUS: Patched
CVE SUMMARY: Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1154

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1160
CVE STATUS: Patched
CVE SUMMARY: heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1160

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1381
CVE STATUS: Patched
CVE SUMMARY: global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1381

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1420
CVE STATUS: Patched
CVE SUMMARY: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4774.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1420

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1616
CVE STATUS: Patched
CVE SUMMARY: Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1616

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1619
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1619

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1620
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 6.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1620

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1621
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1621

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1629
CVE STATUS: Patched
CVE SUMMARY: Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1629

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1674
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1674

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1720
CVE STATUS: Patched
CVE SUMMARY: Buffer Over-read in function grab_file_name in GitHub repository vim/vim prior to 8.2.4956. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1720

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1725
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4959.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1725

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1733
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1733

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1735
CVE STATUS: Patched
CVE SUMMARY: Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1735

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1769
CVE STATUS: Patched
CVE SUMMARY: Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1769

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1771
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1771

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1785
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1785

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1796
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 8.2.4979.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 6.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1796

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1851
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1851

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1886
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1886

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1897
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1897

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1898
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1898

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1927
CVE STATUS: Patched
CVE SUMMARY: Buffer Over-read in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1927

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1942
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1942

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-1968
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1968

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2000
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2000

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2042
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2042

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2124
CVE STATUS: Patched
CVE SUMMARY: Buffer Over-read in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2124

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2125
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2125

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2126
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2126

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2129
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2129

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2175
CVE STATUS: Patched
CVE SUMMARY: Buffer Over-read in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2175

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2182
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2182

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2183
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2183

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2206
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2206

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2207
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2207

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2208
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2208

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2210
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2210

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2231
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2231

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2257
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2257

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2264
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2264

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2284
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2284

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2285
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2285

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2286
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2286

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2287
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2287

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2288
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2288

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2289
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2289

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2304
CVE STATUS: Patched
CVE SUMMARY: Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2304

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2343
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2343

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2344
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2344

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2345
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0046.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2345

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2522
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2522

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2571
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2571

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2580
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2580

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2581
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2581

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2598
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Write to API in GitHub repository vim/vim prior to 9.0.0100.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2598

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2816
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2816

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2817
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0213.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2817

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2819
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2819

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2845
CVE STATUS: Patched
CVE SUMMARY: Improper Validation of Specified Quantity in Input in GitHub repository vim/vim prior to 9.0.0218.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2845

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2849
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2849

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2862
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0221.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2862

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2874
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2874

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2889
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0225.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2889

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2923
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2923

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2946
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0246.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2946

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2980
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2980

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-2982
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0260.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2982

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3016
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0286.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3016

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3037
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0322.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3037

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3099
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0360.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3099

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3134
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0389.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3134

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3153
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3153

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3234
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3234

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3235
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0490.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3235

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3256
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0530.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3256

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3278
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3278

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3296
CVE STATUS: Patched
CVE SUMMARY: Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3296

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3297
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0579.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3297

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3324
CVE STATUS: Patched
CVE SUMMARY: Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3324

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3352
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0614.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3352

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3491
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3491

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3520
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3520

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3591
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0789.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3591

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-3705
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3705

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-4141
CVE STATUS: Patched
CVE SUMMARY: Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4141

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-4292
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.0882.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4292

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-4293
CVE STATUS: Patched
CVE SUMMARY: Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4293

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2022-47024
CVE STATUS: Patched
CVE SUMMARY: A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47024

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-0049
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0049

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-0051
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0051

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-0054
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0054

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-0288
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0288

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-0433
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0433

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-0512
CVE STATUS: Patched
CVE SUMMARY: Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0512

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-1127
CVE STATUS: Patched
CVE SUMMARY: Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1127

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-1170
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1170

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-1175
CVE STATUS: Patched
CVE SUMMARY: Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1175

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-1264
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1264

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-1355
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1402.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1355

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-2426
CVE STATUS: Patched
CVE SUMMARY: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2426

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-2609
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2609

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-2610
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2610

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-3896
CVE STATUS: Patched
CVE SUMMARY: Divide By Zero in vim/vim from 9.0.1367-1 to 9.0.1367-3

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3896

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-46246
CVE STATUS: Patched
CVE SUMMARY: Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46246

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-4733
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.1840.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4733

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-4734
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4734

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-4735
CVE STATUS: Patched
CVE SUMMARY: Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4735

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-4736
CVE STATUS: Patched
CVE SUMMARY: Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4736

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-4738
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4738

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-4750
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.1857.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4750

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-4751
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4751

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-4752
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to 9.0.1858.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4752

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-4781
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4781

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-48231
CVE STATUS: Patched
CVE SUMMARY: Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.9
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48231

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-48232
CVE STATUS: Patched
CVE SUMMARY: Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.9
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48232

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-48233
CVE STATUS: Patched
CVE SUMMARY: Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 2.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48233

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-48234
CVE STATUS: Patched
CVE SUMMARY: Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 2.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48234

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-48235
CVE STATUS: Patched
CVE SUMMARY: Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an
overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 2.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48235

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-48236
CVE STATUS: Patched
CVE SUMMARY: Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger
than MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 2.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48236

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-48237
CVE STATUS: Patched
CVE SUMMARY: Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 2.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48237

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-48706
CVE STATUS: Patched
CVE SUMMARY: Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48706

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-5344
CVE STATUS: Patched
CVE SUMMARY: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5344

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-5441
CVE STATUS: Patched
CVE SUMMARY: NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5441

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2023-5535
CVE STATUS: Patched
CVE SUMMARY: Use After Free in GitHub repository vim/vim prior to v9.0.2010.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5535

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2024-22667
CVE STATUS: Patched
CVE SUMMARY: Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22667

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2024-41957
CVE STATUS: Patched
CVE SUMMARY: Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags,
but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41957

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2024-41965
CVE STATUS: Patched
CVE SUMMARY: Vim is an open source command line text editor. double-free in dialog_changed() in Vim < v9.1.0648. When abandoning a buffer, Vim may ask the user what to do with the modified buffer. If the user wants the changed buffer to be saved, Vim may create a new Untitled file, if the buffer did not have a name yet. However, when setting the buffer name to Unnamed, Vim will falsely free a pointer twice, leading to a double-free and possibly later to a heap-use-after-free, which can lead to a crash. The issue has been fixed as of Vim patch v9.1.0648.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41965

LAYER: meta
PACKAGE NAME: vim
PACKAGE VERSION: 9.1.0698
CVE: CVE-2024-45306
CVE STATUS: Unpatched
CVE SUMMARY: Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop, that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of
a line. Back then we assumed this loop is unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer at
the specified cursor position. It's not quite clear yet, what can lead to this situation that the cursor points to an invalid position. That's why patch v9.1.0707 does not include a test case. The only observed impact has been a program crash. This issue has been addressed in with the patch v9.1.0707. All users are advised to upgrade.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45306

LAYER: meta-agl-demo
PACKAGE NAME: flite
PACKAGE VERSION: 1.06
CVE: CVE-2014-0027
CVE STATUS: Patched
CVE SUMMARY: The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows local users to modify arbitrary files via a symlink attack on /tmp/awb.wav.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0027

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-1999-1010
CVE STATUS: Patched
CVE SUMMARY: An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1010

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2000-0143
CVE STATUS: Patched
CVE SUMMARY: The SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0143

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2000-0217
CVE STATUS: Patched
CVE SUMMARY: The default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0217

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2000-0525
CVE STATUS: Patched
CVE SUMMARY: OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0525

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2000-0992
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in scp in sshd 1.2.xx allows a remote malicious scp server to overwrite arbitrary files via a .. (dot dot) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0992

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2000-0999
CVE STATUS: Patched
CVE SUMMARY: Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0999

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2000-1169
CVE STATUS: Patched
CVE SUMMARY: OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1169

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-0144
CVE STATUS: Patched
CVE SUMMARY: CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0144

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-0361
CVE STATUS: Patched
CVE SUMMARY: Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0361

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-0529
CVE STATUS: Patched
CVE SUMMARY: OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a local attacker to delete any file named 'cookies' via a symlink attack.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0529

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-0572
CVE STATUS: Patched
CVE SUMMARY: The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0572

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-0816
CVE STATUS: Patched
CVE SUMMARY: OpenSSH before 2.9.9, when running sftp using sftp-server and using restricted keypairs, allows remote authenticated users to bypass authorized_keys2 command= restrictions using sftp commands.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0816

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-0872
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly cleanse critical environment variables such as LD_PRELOAD, which allows local users to gain root privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0872

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-1029
CVE STATUS: Patched
CVE SUMMARY: libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges before verifying the capabilities for reading the copyright and welcome files, which allows local users to bypass the capabilities checks and read arbitrary files by specifying alternate copyright or welcome files.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1029

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-1380
CVE STATUS: Patched
CVE SUMMARY: OpenSSH before 2.9.9, while using keypairs and multiple keys of different types in the ~/.ssh/authorized_keys2 file, may not properly handle the "from" option associated with a key, which could allow remote attackers to login from unauthorized IP addresses.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1380

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-1382
CVE STATUS: Patched
CVE SUMMARY: The "echo simulation" traffic analysis countermeasure in OpenSSH before 2.9.9p2 sends an additional echo packet after the password and carriage return is entered, which could allow remote attackers to determine that the countermeasure is being used.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1382

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-1459
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 2.9 and earlier does not initiate a Pluggable Authentication Module (PAM) session if commands are executed with no pty, which allows local users to bypass resource limits (rlimits) set in pam.d.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1459

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-1507
CVE STATUS: Patched
CVE SUMMARY: OpenSSH before 3.0.1 with Kerberos V enabled does not properly authenticate users, which could allow remote attackers to login unchallenged.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1507

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2001-1585
CVE STATUS: Patched
CVE SUMMARY: SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user's authorized_keys file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1585

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2002-0083
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0083

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2002-0575
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in OpenSSH before 2.9.9, and 3.x before 3.2.1, with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing enabled, allows remote and local authenticated users to gain privileges.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0575

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2002-0639
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0639

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2002-0640
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0640

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2002-0765
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH 3.2.2, when using YP with netgroups and under certain conditions, may allow users to successfully authenticate and log in with another user's password.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0765

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2003-0190
CVE STATUS: Patched
CVE SUMMARY: OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0190

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2003-0386
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0386

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2003-0682
CVE STATUS: Patched
CVE SUMMARY: "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0682

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2003-0693
CVE STATUS: Patched
CVE SUMMARY: A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0693

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2003-0695
CVE STATUS: Patched
CVE SUMMARY: Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0695

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2003-0786
CVE STATUS: Patched
CVE SUMMARY: The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3.7.1p1, when Privilege Separation is disabled, does not check the result of the authentication attempt, which can allow remote attackers to gain privileges.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0786

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2003-0787
CVE STATUS: Patched
CVE SUMMARY: The PAM conversation function in OpenSSH 3.7.1 and 3.7.1p1 interprets an array of structures as an array of pointers, which allows attackers to modify the stack and possibly gain privileges.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0787

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2003-1562
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1562

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2004-0175
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files.  NOTE: this may be a rediscovery of CVE-2000-0992.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0175

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2004-1653
CVE STATUS: Patched
CVE SUMMARY: The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1653

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2004-2069
CVE STATUS: Patched
CVE SUMMARY: sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2069

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2004-2760
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190.  NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2760

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2005-2666
CVE STATUS: Patched
CVE SUMMARY: SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2666

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2005-2797
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 4.0, and other versions before 4.2, does not properly handle dynamic port forwarding ("-D" option) when a listen address is not provided, which may cause OpenSSH to enable the GatewayPorts functionality.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2797

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2005-2798
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2798

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2006-0225
CVE STATUS: Patched
CVE SUMMARY: scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0225

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2006-0883
CVE STATUS: Patched
CVE SUMMARY: OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly handle when a forked child process terminates during PAM authentication, which allows remote attackers to cause a denial of service (client connection refusal) by connecting multiple times to the SSH server, waiting for the password prompt, then disconnecting.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0883

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2006-4924
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4924

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2006-4925
CVE STATUS: Patched
CVE SUMMARY: packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4925

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2006-5051
CVE STATUS: Patched
CVE SUMMARY: Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5051

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2006-5052
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5052

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2006-5229
CVE STATUS: Patched
CVE SUMMARY: OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime.  NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5229

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2006-5794
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5794

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2007-2243
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2243

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2007-2768
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This CVE is specific to OpenSSH with the pam opie which we don't build/use here.
CVE SUMMARY: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2768

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2007-3102
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username.  NOTE: some of these details are obtained from third party information.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3102

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2007-4654
CVE STATUS: Patched
CVE SUMMARY: Unspecified vulnerability in SSHield 1.6.1 with OpenSSH 3.0.2p1 on Cisco WebNS 8.20.0.1 on Cisco Content Services Switch (CSS) series 11000 devices allows remote attackers to cause a denial of service (connection slot exhaustion and device crash) via a series of large packets designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144), possibly a related issue to CVE-2002-1024.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4654

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2007-4752
CVE STATUS: Patched
CVE SUMMARY: ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4752

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2008-1483
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1483

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2008-1657
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1657

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2008-3234
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3234

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2008-3259
CVE STATUS: Patched
CVE SUMMARY: OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform.
CVSS v2 BASE SCORE: 1.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3259

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2008-3844
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: Only applies to some distributed RHEL binaries.
CVE SUMMARY: Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact.  NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points.  As of 20080827, no unofficial distributions of this software are known.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3844

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2008-4109
CVE STATUS: Patched
CVE SUMMARY: A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4109

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2008-5161
CVE STATUS: Patched
CVE SUMMARY: Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5161

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2009-2904
CVE STATUS: Patched
CVE SUMMARY: A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2904

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2010-4478
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4478

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2010-4755
CVE STATUS: Patched
CVE SUMMARY: The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4755

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2010-5107
CVE STATUS: Patched
CVE SUMMARY: The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5107

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2011-0539
CVE STATUS: Patched
CVE SUMMARY: The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0539

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2011-4327
CVE STATUS: Patched
CVE SUMMARY: ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4327

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2011-5000
CVE STATUS: Patched
CVE SUMMARY: The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field.  NOTE: there may be limited scenarios in which this issue is relevant.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5000

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2012-0814
CVE STATUS: Patched
CVE SUMMARY: The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite.  NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.
CVSS v2 BASE SCORE: 3.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0814

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2013-4548
CVE STATUS: Patched
CVE SUMMARY: The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address.
CVSS v2 BASE SCORE: 6.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4548

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2014-1692
CVE STATUS: Patched
CVE SUMMARY: The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1692

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2014-2532
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 4.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2532

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2014-2653
CVE STATUS: Patched
CVE SUMMARY: The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2653

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2014-9278
CVE STATUS: Ignored
CVE DETAIL: not-applicable-platform
CVE DESCRIPTION: This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment
CVE SUMMARY: The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9278

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2015-5352
CVE STATUS: Patched
CVE SUMMARY: The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time window.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5352

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2015-5600
CVE STATUS: Patched
CVE SUMMARY: The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.
CVSS v2 BASE SCORE: 8.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5600

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2015-6563
CVE STATUS: Patched
CVE SUMMARY: The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6563

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2015-6564
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6564

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2015-6565
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY devices, which allows local users to cause a denial of service (terminal disruption) or possibly have unspecified other impact by writing to a device, as demonstrated by writing an escape sequence.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6565

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2015-8325
CVE STATUS: Patched
CVE SUMMARY: The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8325

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-0777
CVE STATUS: Patched
CVE SUMMARY: The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0777

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-0778
CVE STATUS: Patched
CVE SUMMARY: The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0778

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-10009
CVE STATUS: Patched
CVE SUMMARY: Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10009

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-10010
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10010

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-10011
CVE STATUS: Patched
CVE SUMMARY: authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10011

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-10012
CVE STATUS: Patched
CVE SUMMARY: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10012

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-10708
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10708

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-1907
CVE STATUS: Patched
CVE SUMMARY: The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1907

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-1908
CVE STATUS: Patched
CVE SUMMARY: The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1908

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-20012
CVE STATUS: Patched
CVE SUMMARY: OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-20012

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-3115
CVE STATUS: Patched
CVE SUMMARY: Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
CVSS v2 BASE SCORE: 5.5
CVSS v3 BASE SCORE: 6.4
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3115

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-6210
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6210

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-6515
CVE STATUS: Patched
CVE SUMMARY: The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6515

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2016-8858
CVE STATUS: Patched
CVE SUMMARY: The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests.  NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."
CVSS v2 BASE SCORE: 7.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8858

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2017-15906
CVE STATUS: Patched
CVE SUMMARY: The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15906

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2018-15473
CVE STATUS: Patched
CVE SUMMARY: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15473

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2018-15919
CVE STATUS: Patched
CVE SUMMARY: Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15919

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2018-20685
CVE STATUS: Patched
CVE SUMMARY: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20685

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2019-16905
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16905

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2019-6109
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6109

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2019-6110
CVE STATUS: Patched
CVE SUMMARY: In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 6.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6110

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2019-6111
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6111

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2020-12062
CVE STATUS: Patched
CVE SUMMARY: The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12062

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2020-14145
CVE STATUS: Patched
CVE SUMMARY: The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14145

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2020-15778
CVE STATUS: Patched
CVE SUMMARY: scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15778

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2021-28041
CVE STATUS: Patched
CVE SUMMARY: ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28041

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2021-36368
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-36368

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2021-41617
CVE STATUS: Patched
CVE SUMMARY: sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41617

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2023-25136
CVE STATUS: Patched
CVE SUMMARY: OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25136

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2023-28531
CVE STATUS: Patched
CVE SUMMARY: ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28531

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2023-38408
CVE STATUS: Patched
CVE SUMMARY: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38408

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2023-48795
CVE STATUS: Patched
CVE SUMMARY: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48795

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2023-51384
CVE STATUS: Patched
CVE SUMMARY: In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51384

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2023-51385
CVE STATUS: Patched
CVE SUMMARY: In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51385

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2023-51767
CVE STATUS: Unpatched
CVE SUMMARY: OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51767

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2024-39894
CVE STATUS: Patched
CVE SUMMARY: OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39894

LAYER: meta
PACKAGE NAME: openssh
PACKAGE VERSION: 9.6p1
CVE: CVE-2024-6387
CVE STATUS: Patched
CVE SUMMARY: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6387

LAYER: meta
PACKAGE NAME: gdb
PACKAGE VERSION: 14.2
CVE: CVE-2005-1704
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the Binary File Descriptor (BFD) library for gdb before 6.3, binutils, elfutils, and possibly other packages, allows user-assisted attackers to execute arbitrary code via a crafted object file that specifies a large number of section headers, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1704

LAYER: meta
PACKAGE NAME: gdb
PACKAGE VERSION: 14.2
CVE: CVE-2005-1705
CVE STATUS: Patched
CVE SUMMARY: gdb before 6.3 searches the current working directory to load the .gdbinit configuration file, which allows local users to execute arbitrary commands as the user running gdb.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1705

LAYER: meta
PACKAGE NAME: gdb
PACKAGE VERSION: 14.2
CVE: CVE-2006-4146
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the (1) DWARF (dwarfread.c) and (2) DWARF2 (dwarf2read.c) debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4146

LAYER: meta
PACKAGE NAME: gdb
PACKAGE VERSION: 14.2
CVE: CVE-2011-4355
CVE STATUS: Patched
CVE SUMMARY: GNU Project Debugger (GDB) before 7.5, when .debug_gdb_scripts is defined, automatically loads certain files from the current working directory, which allows local users to gain privileges via crafted files such as Python scripts.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4355

LAYER: meta
PACKAGE NAME: gdb
PACKAGE VERSION: 14.2
CVE: CVE-2017-9778
CVE STATUS: Patched
CVE SUMMARY: GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length field in a DWARF section. A malformed section in an ELF binary or a core file can cause GDB to repeatedly allocate memory until a process limit is reached. This can, for example, impede efforts to analyze malware with GDB.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9778

LAYER: meta
PACKAGE NAME: gdb
PACKAGE VERSION: 14.2
CVE: CVE-2019-1010180
CVE STATUS: Patched
CVE SUMMARY: GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010180

LAYER: meta
PACKAGE NAME: gdb
PACKAGE VERSION: 14.2
CVE: CVE-2023-39128
CVE STATUS: Patched
CVE SUMMARY: GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack overflow via the function ada_decode at /gdb/ada-lang.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39128

LAYER: meta
PACKAGE NAME: gdb
PACKAGE VERSION: 14.2
CVE: CVE-2023-39129
CVE STATUS: Patched
CVE SUMMARY: GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39129

LAYER: meta
PACKAGE NAME: gdb
PACKAGE VERSION: 14.2
CVE: CVE-2023-39130
CVE STATUS: Patched
CVE SUMMARY: GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39130

LAYER: meta
PACKAGE NAME: less
PACKAGE VERSION: 643
CVE: CVE-2004-2264
CVE STATUS: Patched
CVE SUMMARY: Format string bug in the open_altfile function in filename.c for GNU less 382, 381, and 358 might allow local users to cause a denial of service or possibly execute arbitrary code via format strings in the LESSOPEN environment variable. NOTE: since less is not setuid or setgid, then this is not a vulnerability unless there are plausible scenarios under which privilege boundaries could be crossed
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2264

LAYER: meta
PACKAGE NAME: less
PACKAGE VERSION: 643
CVE: CVE-2014-9488
CVE STATUS: Patched
CVE SUMMARY: The is_utf8_well_formed function in GNU less before 475 allows remote attackers to have unspecified impact via malformed UTF-8 characters, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9488

LAYER: meta
PACKAGE NAME: less
PACKAGE VERSION: 643
CVE: CVE-2022-46663
CVE STATUS: Patched
CVE SUMMARY: In GNU Less before 609, crafted data can result in "less -R" not filtering ANSI escape sequences sent to the terminal.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-46663

LAYER: meta
PACKAGE NAME: less
PACKAGE VERSION: 643
CVE: CVE-2024-32487
CVE STATUS: Patched
CVE SUMMARY: less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32487

LAYER: meta-multimedia
PACKAGE NAME: mpd
PACKAGE VERSION: 0.23.14
CVE: CVE-2020-7465
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: The recipe used in the meta-openembedded is a different mpd package compared to the one which has the CVE issue.
CVE SUMMARY: The L2TP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted L2TP control packet with AVP Q.931 Cause Code to execute arbitrary code or cause a denial of service (memory corruption).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7465

LAYER: meta-multimedia
PACKAGE NAME: mpd
PACKAGE VERSION: 0.23.14
CVE: CVE-2020-7466
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: The recipe used in the meta-openembedded is a different mpd package compared to the one which has the CVE issue.
CVE SUMMARY: The PPP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted PPP authentication message to cause the daemon to read beyond allocated memory buffer, which would result in a denial of service condition.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7466

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2023-2794
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver().
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2794

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7537
CVE STATUS: Patched
CVE SUMMARY: oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of SMS message lists. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23157.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7537

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7538
CVE STATUS: Patched
CVE SUMMARY: oFono CUSD AT Command Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of responses from AT Commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23190.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7538

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7539
CVE STATUS: Patched
CVE SUMMARY: oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of responses from AT+CUSD commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23195.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7539

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7540
CVE STATUS: Patched
CVE SUMMARY: oFono AT CMGL Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of responses from AT+CMGL commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23307.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7540

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7541
CVE STATUS: Patched
CVE SUMMARY: oFono AT CMT Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of responses from AT+CMT commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23308.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7541

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7542
CVE STATUS: Patched
CVE SUMMARY: oFono AT CMGR Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of responses from AT+CMGR commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23309.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7542

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7543
CVE STATUS: Patched
CVE SUMMARY: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23456.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7543

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7544
CVE STATUS: Patched
CVE SUMMARY: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23457.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7544

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7545
CVE STATUS: Patched
CVE SUMMARY: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23458.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7545

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7546
CVE STATUS: Patched
CVE SUMMARY: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23459.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7546

LAYER: meta
PACKAGE NAME: ofono
PACKAGE VERSION: 2.4
CVE: CVE-2024-7547
CVE STATUS: Patched
CVE SUMMARY: oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of SMS PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23460.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7547

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2019-18281
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory access in the generateDirectionalRuns() function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a denial of service by crashing an application via a text file containing many directional characters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18281

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Patched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-25580
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.2
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25580

LAYER: meta-qt5
PACKAGE NAME: qtbase
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtwayland
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2005-2547
CVE STATUS: Patched
CVE SUMMARY: security.c in hcid for BlueZ 2.16, 2.17, and 2.18 allows remote attackers to execute arbitrary commands via shell metacharacters in the Bluetooth device name when invoking the PIN helper.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2547

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2006-6899
CVE STATUS: Patched
CVE SUMMARY: hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the (1) Mouse and (2) Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack.
CVSS v2 BASE SCORE: 5.4
CVSS v3 BASE SCORE: 0.0
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6899

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-7837
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line function used in some userland utilities.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7837

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9797
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, a buffer over-read was observed in "l2cap_dump" function in "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9797

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9798
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, a use-after-free was identified in "conf_opt" function in "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9798

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9799
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "pklg_read_hci" function in "btsnoop.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9799

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9800
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump" function in "tools/parser/hci.c" source file. The issue exists because "pin" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame "pin_code_reply_cp *cp" parameter.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9800

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9801
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "set_ext_ctrl" function in "tools/parser/l2cap.c" source file when processing corrupted dump file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9801

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9802
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, a buffer over-read was identified in "l2cap_packet" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9802

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9803
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, an out-of-bounds read was observed in "le_meta_ev_dump" function in "tools/parser/hci.c" source file. This issue exists because 'subevent' (which is used to read correct element from 'ev_le_meta_str' array) is overflowed.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9803

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9804
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "commands_dump" function in "tools/parser/csr.c" source file. The issue exists because "commands" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame "frm->ptr" parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9804

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9917
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "read_n" function in "tools/hcidump.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9917

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2016-9918
CVE STATUS: Patched
CVE SUMMARY: In BlueZ 5.42, an out-of-bounds read was identified in "packet_hexdump" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9918

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2017-1000250
CVE STATUS: Patched
CVE SUMMARY: All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000250

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2018-10910
CVE STATUS: Patched
CVE SUMMARY: A bug in Bluez may allow for the Bluetooth Discoverable state being set to on when no Bluetooth agent is registered with the system. This situation could lead to the unauthorized pairing of certain Bluetooth devices without any form of authentication. Versions before bluez 5.51 are vulnerable.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 4.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10910

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2019-8921
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the same.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8921

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2019-8922
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by process_request (in sdpd-request.c), which also allocates the response buffer.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8922

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2020-0556
CVE STATUS: Patched
CVE SUMMARY: Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0556

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2020-24490
CVE STATUS: Ignored
CVE DETAIL: cpe-incorrect
CVE DESCRIPTION: This issue has kernel fixes rather than bluez fixes
CVE SUMMARY: Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24490

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2020-27153
CVE STATUS: Patched
CVE SUMMARY: In BlueZ before 5.55, a double free was found in the gatttool disconnect_cb() routine from shared/att.c. A remote attacker could potentially cause a denial of service or code execution, during service discovery, due to a redundant disconnect MGMT event.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27153

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2021-0129
CVE STATUS: Patched
CVE SUMMARY: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-0129

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2021-3588
CVE STATUS: Patched
CVE SUMMARY: The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3588

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2021-3658
CVE STATUS: Patched
CVE SUMMARY: bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 6.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3658

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2021-41229
CVE STATUS: Patched
CVE SUMMARY: BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.
CVSS v2 BASE SCORE: 3.3
CVSS v3 BASE SCORE: 4.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41229

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2021-43400
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43400

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2022-0204
CVE STATUS: Patched
CVE SUMMARY: A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0204

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2022-3563
CVE STATUS: Patched
CVE SUMMARY: A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function read_50_controller_cap_complete of the file tools/mgmt-tester.c of the component BlueZ. The manipulation of the argument cap_len leads to null pointer dereference. It is recommended to apply a patch to fix this issue. VDB-211086 is the identifier assigned to this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 3.5
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3563

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2022-3637
CVE STATUS: Patched
CVE SUMMARY: A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function jlink_init of the file monitor/jlink.c of the component BlueZ. The manipulation leads to denial of service. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211936.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 2.6
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3637

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2022-39176
CVE STATUS: Patched
CVE SUMMARY: BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39176

LAYER: meta
PACKAGE NAME: bluez5
PACKAGE VERSION: 5.72
CVE: CVE-2022-39177
CVE STATUS: Patched
CVE SUMMARY: BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39177

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtgraphicaleffects
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta-oe
PACKAGE NAME: gpsd
PACKAGE VERSION: 3.24
CVE: CVE-2013-2038
CVE STATUS: Patched
CVE SUMMARY: The NMEA0183 driver in gpsd before 3.9 allows remote attackers to cause a denial of service (daemon termination) and possibly execute arbitrary code via a GPS packet with a malformed $GPGGA interpreted sentence that lacks certain fields and a terminator.  NOTE: a separate issue in the AIS driver was also reported, but it might not be a vulnerability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2038

LAYER: meta-oe
PACKAGE NAME: gpsd
PACKAGE VERSION: 3.24
CVE: CVE-2018-17937
CVE STATUS: Patched
CVE SUMMARY: gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.8
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17937

LAYER: meta-oe
PACKAGE NAME: gpsd
PACKAGE VERSION: 3.24
CVE: CVE-2023-43628
CVE STATUS: Patched
CVE SUMMARY: An integer underflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43628

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta
PACKAGE NAME: xkeyboard-config
PACKAGE VERSION: 2.41
CVE: CVE-2012-0064
CVE STATUS: Patched
CVE SUMMARY: xkeyboard-config before 2.5 in X.Org before 7.6 enables certain XKB debugging functions by default, which allows physically proximate attackers to bypass an X screen lock via keyboard combinations that break the input grab.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0064

LAYER: meta
PACKAGE NAME: libdnf
PACKAGE VERSION: 0.73.2
CVE: CVE-2021-3445
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3445

LAYER: meta
PACKAGE NAME: libcomps
PACKAGE VERSION: 0.1.20
CVE: CVE-2019-3817
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3817

LAYER: meta-oe
PACKAGE NAME: nspr
PACKAGE VERSION: 4.35
CVE: CVE-2013-5607
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5607

LAYER: meta-oe
PACKAGE NAME: nspr
PACKAGE VERSION: 4.35
CVE: CVE-2014-1545
CVE STATUS: Patched
CVE SUMMARY: Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1545

LAYER: meta-oe
PACKAGE NAME: nspr
PACKAGE VERSION: 4.35
CVE: CVE-2016-1951
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long string to a PR_*printf function.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1951

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2008-2935
CVE STATUS: Patched
CVE SUMMARY: Multiple heap-based buffer overflows in the rc4 (1) encryption (aka exsltCryptoRc4EncryptFunction) and (2) decryption (aka exsltCryptoRc4DecryptFunction) functions in crypto.c in libexslt in libxslt 1.1.8 through 1.1.24 allow context-dependent attackers to execute arbitrary code via an XML file containing a long string as "an argument in the XSL input."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2935

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2011-1202
CVE STATUS: Patched
CVE SUMMARY: The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1202

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2011-3970
CVE STATUS: Patched
CVE SUMMARY: libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3970

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2012-2870
CVE STATUS: Patched
CVE SUMMARY: libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service (application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2870

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2012-6139
CVE STATUS: Patched
CVE SUMMARY: libxslt before 1.1.28 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an (1) empty match attribute in a XSL key to the xsltAddKey function in keys.c or (2) uninitialized variable to the xsltDocumentFunction function in functions.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6139

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2013-4520
CVE STATUS: Patched
CVE SUMMARY: xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type.  NOTE: this issue is due to an incomplete fix for CVE-2012-2825.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4520

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2015-7995
CVE STATUS: Patched
CVE SUMMARY: The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a "type confusion" issue.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7995

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2015-9019
CVE STATUS: Patched
CVE SUMMARY: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9019

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-1683
CVE STATUS: Patched
CVE SUMMARY: numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1683

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-1684
CVE STATUS: Patched
CVE SUMMARY: numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1684

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-4607
CVE STATUS: Patched
CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4607

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-4608
CVE STATUS: Patched
CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4608

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-4609
CVE STATUS: Patched
CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, and CVE-2016-4612.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4609

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2016-4610
CVE STATUS: Patched
CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, and CVE-2016-4612.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4610

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2017-5029
CVE STATUS: Patched
CVE SUMMARY: The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5029

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-11068
CVE STATUS: Patched
CVE SUMMARY: libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11068

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-13117
CVE STATUS: Patched
CVE SUMMARY: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13117

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-13118
CVE STATUS: Patched
CVE SUMMARY: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13118

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-18197
CVE STATUS: Patched
CVE SUMMARY: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18197

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2019-5815
CVE STATUS: Patched
CVE SUMMARY: Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5815

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2021-30560
CVE STATUS: Patched
CVE SUMMARY: Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-30560

LAYER: meta
PACKAGE NAME: libxslt
PACKAGE VERSION: 1.1.39
CVE: CVE-2022-29824
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: Static linking to libxml2 is not enabled.
CVE SUMMARY: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29824

LAYER: meta
PACKAGE NAME: libtool
PACKAGE VERSION: 2.4.7
CVE: CVE-2004-0256
CVE STATUS: Patched
CVE SUMMARY: GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0256

LAYER: meta
PACKAGE NAME: libtool
PACKAGE VERSION: 2.4.7
CVE: CVE-2009-3736
CVE STATUS: Patched
CVE SUMMARY: ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.
CVSS v2 BASE SCORE: 6.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3736

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2004-0826
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0826

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2006-4340
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339.  NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4340

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2006-5462
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for unpatched product versions that were originally intended to be addressed by CVE-2006-4340.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5462

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2007-0008
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0008

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2007-0009
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0009

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2009-2404
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2404

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2009-2408
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2408

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2011-5094
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473.  NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5094

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2012-0441
CVE STATUS: Patched
CVE SUMMARY: The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0441

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2013-0791
CVE STATUS: Patched
CVE SUMMARY: The CERT_DecodeCertPackage function in Mozilla Network Security Services (NSS), as used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted certificate.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0791

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2013-1620
CVE STATUS: Patched
CVE SUMMARY: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1620

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2013-1739
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1739

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2013-1740
CVE STATUS: Patched
CVE SUMMARY: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1740

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2013-1741
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1741

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2013-5605
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5605

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2013-5606
CVE STATUS: Patched
CVE SUMMARY: The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5606

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2014-1490
CVE STATUS: Patched
CVE SUMMARY: Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1490

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2014-1491
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1491

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2014-1492
CVE STATUS: Patched
CVE SUMMARY: The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1492

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2014-1544
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1544

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2014-1568
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1568

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2014-1569
CVE STATUS: Patched
CVE SUMMARY: The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1569

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2015-2721
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2721

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2015-2730
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and other products, does not properly perform Elliptical Curve Cryptography (ECC) multiplications, which makes it easier for remote attackers to spoof ECDSA signatures via unspecified vectors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2730

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2015-4000
CVE STATUS: Patched
CVE SUMMARY: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4000

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2015-7181
CVE STATUS: Patched
CVE SUMMARY: The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7181

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2015-7182
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7182

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2015-7183
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7183

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2015-7575
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7575

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2016-1950
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1950

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2016-1978
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1978

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2016-1979
CVE STATUS: Patched
CVE SUMMARY: Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1979

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2016-2834
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2834

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2016-8635
CVE STATUS: Patched
CVE SUMMARY: It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8635

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2016-9574
CVE STATUS: Patched
CVE SUMMARY: nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9574

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2017-11695
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db
CVE SUMMARY: Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11695

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2017-11696
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db
CVE SUMMARY: Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11696

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2017-11697
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db
CVE SUMMARY: The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11697

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2017-11698
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db
CVE SUMMARY: Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11698

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2017-5461
CVE STATUS: Patched
CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5461

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2017-5462
CVE STATUS: Patched
CVE SUMMARY: A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5462

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2017-7502
CVE STATUS: Patched
CVE SUMMARY: Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7502

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2018-12384
CVE STATUS: Patched
CVE SUMMARY: When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12384

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2018-12404
CVE STATUS: Patched
CVE SUMMARY: A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12404

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2018-18508
CVE STATUS: Patched
CVE SUMMARY: In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18508

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2019-17006
CVE STATUS: Patched
CVE SUMMARY: In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17006

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2019-17007
CVE STATUS: Patched
CVE SUMMARY: In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17007

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2020-25648
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25648

LAYER: meta-oe
PACKAGE NAME: nss
PACKAGE VERSION: 3.98
CVE: CVE-2022-3479
CVE STATUS: Ignored
CVE DETAIL: not-applicable-config
CVE DESCRIPTION: vulnerability was introduced in 3.77 and fixed in 3.87
CVE SUMMARY: A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3479

LAYER: meta
PACKAGE NAME: librepo
PACKAGE VERSION: 1.17.0
CVE: CVE-2020-14352
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.
CVSS v2 BASE SCORE: 8.5
CVSS v3 BASE SCORE: 8.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14352

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtquickcontrols2
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2019-18281
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory access in the generateDirectionalRuns() function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a denial of service by crashing an application via a text file containing many directional characters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18281

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtbase-native
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta
PACKAGE NAME: wayland-native
PACKAGE VERSION: 1.22.0
CVE: CVE-2021-3782
CVE STATUS: Patched
CVE SUMMARY: An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3782

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2012-2806
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the get_sos function in jdmarker.c in libjpeg-turbo 1.2.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large component count in the header of a JPEG image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2806

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2013-6629
CVE STATUS: Patched
CVE SUMMARY: The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6629

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2014-9092
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9092

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2016-3616
CVE STATUS: Patched
CVE SUMMARY: The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3616

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2017-15232
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15232

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2017-9614
CVE STATUS: Patched
CVE SUMMARY: The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted jpg file. NOTE: Maintainer asserts the issue is due to a bug in downstream code caused by misuse of the libjpeg API
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9614

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2018-1152
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1152

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2018-14498
CVE STATUS: Patched
CVE SUMMARY: get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14498

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2018-19664
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19664

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2018-20330
CVE STATUS: Patched
CVE SUMMARY: The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20330

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2019-13960
CVE STATUS: Patched
CVE SUMMARY: In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13960

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2020-13790
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13790

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2020-17541
CVE STATUS: Patched
CVE SUMMARY: Libjpeg-turbo all version have a stack-based buffer overflow in the "transform" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17541

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2020-35538
CVE STATUS: Patched
CVE SUMMARY: A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35538

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2021-20205
CVE STATUS: Patched
CVE SUMMARY: Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20205

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2021-29390
CVE STATUS: Patched
CVE SUMMARY: libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29390

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2021-46822
CVE STATUS: Patched
CVE SUMMARY: The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46822

LAYER: meta
PACKAGE NAME: libjpeg-turbo
PACKAGE VERSION: 1_3.0.1
CVE: CVE-2023-2804
CVE STATUS: Patched
CVE SUMMARY: A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2804

LAYER: meta
PACKAGE NAME: libxkbcommon
PACKAGE VERSION: 1.6.0
CVE: CVE-2018-15853
CVE STATUS: Patched
CVE SUMMARY: Endless recursion exists in xkbcomp/expr.c in xkbcommon and libxkbcommon before 0.8.1, which could be used by local attackers to crash xkbcommon users by supplying a crafted keymap file that triggers boolean negation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15853

LAYER: meta
PACKAGE NAME: libxkbcommon
PACKAGE VERSION: 1.6.0
CVE: CVE-2018-15857
CVE STATUS: Patched
CVE SUMMARY: An invalid free in ExprAppendMultiKeysymList in xkbcomp/ast-build.c in xkbcommon before 0.8.1 could be used by local attackers to crash xkbcommon keymap parsers or possibly have unspecified other impact by supplying a crafted keymap file.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15857

LAYER: meta
PACKAGE NAME: libxkbcommon
PACKAGE VERSION: 1.6.0
CVE: CVE-2018-15858
CVE STATUS: Patched
CVE SUMMARY: Unchecked NULL pointer usage when handling invalid aliases in CopyKeyAliasesToKeymap in xkbcomp/keycodes.c in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15858

LAYER: meta
PACKAGE NAME: libxkbcommon
PACKAGE VERSION: 1.6.0
CVE: CVE-2018-15859
CVE STATUS: Patched
CVE SUMMARY: Unchecked NULL pointer usage when parsing invalid atoms in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because lookup failures are mishandled.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15859

LAYER: meta
PACKAGE NAME: libxkbcommon
PACKAGE VERSION: 1.6.0
CVE: CVE-2018-15861
CVE STATUS: Patched
CVE SUMMARY: Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15861

LAYER: meta
PACKAGE NAME: libxkbcommon
PACKAGE VERSION: 1.6.0
CVE: CVE-2018-15862
CVE STATUS: Patched
CVE SUMMARY: Unchecked NULL pointer usage in LookupModMask in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with invalid virtual modifiers.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15862

LAYER: meta
PACKAGE NAME: libxkbcommon
PACKAGE VERSION: 1.6.0
CVE: CVE-2018-15863
CVE STATUS: Patched
CVE SUMMARY: Unchecked NULL pointer usage in ResolveStateAndPredicate in xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15863

LAYER: meta
PACKAGE NAME: libxkbcommon
PACKAGE VERSION: 1.6.0
CVE: CVE-2018-15864
CVE STATUS: Patched
CVE SUMMARY: Unchecked NULL pointer usage in resolve_keysym in xkbcomp/parser.y in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because a map access attempt can occur for a map that was never created.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15864

LAYER: meta
PACKAGE NAME: wayland
PACKAGE VERSION: 1.22.0
CVE: CVE-2021-3782
CVE STATUS: Patched
CVE SUMMARY: An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.6
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3782

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2017-7860
CVE STATUS: Patched
CVE SUMMARY: Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7860

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2017-7861
CVE STATUS: Patched
CVE SUMMARY: Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7861

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2017-8359
CVE STATUS: Patched
CVE SUMMARY: Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8359

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2017-9431
CVE STATUS: Patched
CVE SUMMARY: Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9431

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2020-7768
CVE STATUS: Patched
CVE SUMMARY: The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7768

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-1428
CVE STATUS: Patched
CVE SUMMARY: There exists an vulnerability causing an abort() to be called in gRPC. 
The following headers cause gRPC's C++ implementation to abort() when called via http2:

te: x (x != trailers)

:scheme: x (x != http, https)

grpclb_client_stats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1428

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-32731
CVE STATUS: Patched
CVE SUMMARY: When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32731

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-32732
CVE STATUS: Patched
CVE SUMMARY: gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in  https://github.com/grpc/grpc/pull/32309 https://www.google.com/url 

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32732

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-33953
CVE STATUS: Patched
CVE SUMMARY: gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks:

- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33953

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-44487
CVE STATUS: Patched
CVE SUMMARY: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

LAYER: meta-oe
PACKAGE NAME: grpc-native
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-4785
CVE STATUS: Patched
CVE SUMMARY: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. 
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4785

LAYER: meta
PACKAGE NAME: mesa
PACKAGE VERSION: 2_24.0.7
CVE: CVE-2001-0474
CVE STATUS: Patched
CVE SUMMARY: Utah-glx in Mesa before 3.3-14 on Mandrake Linux 7.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/glxmemory file.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0474

LAYER: meta
PACKAGE NAME: mesa
PACKAGE VERSION: 2_24.0.7
CVE: CVE-2013-1872
CVE STATUS: Patched
CVE SUMMARY: The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers to cause a denial of service (reachable assertion and crash) and possibly execute arbitrary code via vectors involving 3d graphics that trigger an out-of-bounds array access, related to the fs_visitor::remove_dead_constants function.  NOTE: this issue might be related to CVE-2013-0796.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1872

LAYER: meta
PACKAGE NAME: mesa
PACKAGE VERSION: 2_24.0.7
CVE: CVE-2013-1993
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XF86DRIOpenConnection and (2) XF86DRIGetClientDriverName functions.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1993

LAYER: meta
PACKAGE NAME: mesa
PACKAGE VERSION: 2_24.0.7
CVE: CVE-2019-5068
CVE STATUS: Patched
CVE SUMMARY: An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. An attacker can access the shared memory without any specific permissions to trigger this vulnerability.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 5.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5068

LAYER: meta
PACKAGE NAME: seatd
PACKAGE VERSION: 0.8.0
CVE: CVE-2021-41387
CVE STATUS: Patched
CVE SUMMARY: seatd-launch in seatd 0.6.x before 0.6.2 allows privilege escalation because it uses execlp and may be installed setuid root.
CVSS v2 BASE SCORE: 8.5
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41387

LAYER: meta
PACKAGE NAME: seatd
PACKAGE VERSION: 0.8.0
CVE: CVE-2022-25643
CVE STATUS: Patched
CVE SUMMARY: seatd-launch in seatd 0.6.x before 0.6.4 allows removing files with escalated privileges when installed setuid root. The attack vector is a user-supplied socket pathname.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25643

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2017-7860
CVE STATUS: Patched
CVE SUMMARY: Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7860

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2017-7861
CVE STATUS: Patched
CVE SUMMARY: Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7861

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2017-8359
CVE STATUS: Patched
CVE SUMMARY: Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8359

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2017-9431
CVE STATUS: Patched
CVE SUMMARY: Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9431

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2020-7768
CVE STATUS: Patched
CVE SUMMARY: The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7768

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-1428
CVE STATUS: Patched
CVE SUMMARY: There exists an vulnerability causing an abort() to be called in gRPC. 
The following headers cause gRPC's C++ implementation to abort() when called via http2:

te: x (x != trailers)

:scheme: x (x != http, https)

grpclb_client_stats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.


CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1428

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-32731
CVE STATUS: Patched
CVE SUMMARY: When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.4
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32731

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-32732
CVE STATUS: Patched
CVE SUMMARY: gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in  https://github.com/grpc/grpc/pull/32309 https://www.google.com/url 

CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32732

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-33953
CVE STATUS: Patched
CVE SUMMARY: gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks:

- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33953

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-44487
CVE STATUS: Patched
CVE SUMMARY: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

LAYER: meta-oe
PACKAGE NAME: grpc
PACKAGE VERSION: 1.60.1
CVE: CVE-2023-4785
CVE STATUS: Patched
CVE SUMMARY: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. 
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4785

LAYER: meta
PACKAGE NAME: pango
PACKAGE VERSION: 1.52.1
CVE: CVE-2009-1194
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1194

LAYER: meta
PACKAGE NAME: pango
PACKAGE VERSION: 1.52.1
CVE: CVE-2010-0421
CVE STATUS: Patched
CVE SUMMARY: Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0421

LAYER: meta
PACKAGE NAME: pango
PACKAGE VERSION: 1.52.1
CVE: CVE-2011-0020
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0020

LAYER: meta
PACKAGE NAME: pango
PACKAGE VERSION: 1.52.1
CVE: CVE-2011-0064
CVE STATUS: Patched
CVE SUMMARY: The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0064

LAYER: meta
PACKAGE NAME: pango
PACKAGE VERSION: 1.52.1
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta
PACKAGE NAME: pango
PACKAGE VERSION: 1.52.1
CVE: CVE-2018-15120
CVE STATUS: Patched
CVE SUMMARY: libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15120

LAYER: meta
PACKAGE NAME: pango
PACKAGE VERSION: 1.52.1
CVE: CVE-2019-1010238
CVE STATUS: Patched
CVE SUMMARY: Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010238

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2004-1287
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the error function in preproc.c for NASM 0.98.38 1.2 allows attackers to execute arbitrary code via a crafted asm file, a different vulnerability than CVE-2005-1194.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1287

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2008-2719
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the ppscan function (preproc.c) in Netwide Assembler (NASM) 2.02 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted file that triggers a stack-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2719

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2008-7177
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the listing module in Netwide Assembler (NASM) before 2.03.01 has unknown impact and attack vectors, a different vulnerability than CVE-2008-2719.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-7177

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-10686
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that could cause multiple damages. For example, it causes a corrupted double-linked list in detoken(), a double free or corruption in delete_Token(), and an out-of-bounds write in detoken(). It has a high possibility to lead to a remote code execution attack.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10686

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-11111
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11111

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-14228
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will lead to remote denial of service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14228

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17810
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is a "SEGV on unknown address" that will cause a remote denial of service attack, because asm/preproc.c mishandles macro calls that have the wrong number of arguments.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17810

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17811
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer overflow that will cause a remote denial of service attack, related to a strcpy in paste_tokens in asm/preproc.c, a similar issue to CVE-2017-11111.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17811

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17812
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over-read in the function detoken() in asm/preproc.c that will cause a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17812

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17813
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in the pp_list_one_macro function in asm/preproc.c that will cause a remote denial of service attack, related to mishandling of line-syntax errors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17813

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17814
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in do_directive in asm/preproc.c that will cause a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17814

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17815
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in is_mmacro() in asm/preproc.c that will cause a remote denial of service attack, because of a missing check for the relationship between minimum and maximum parameter counts.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17815

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17816
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_getline in asm/preproc.c that will cause a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17816

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17817
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_verror in asm/preproc.c that will cause a remote denial of service attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17817

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17818
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over-read that will cause a remote denial of service attack, related to a while loop in paste_tokens in asm/preproc.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17818

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17819
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function find_cc() in asm/preproc.c that will cause a remote denial of service attack, because pointers associated with skip_white_ calls are not validated.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17819

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2017-17820
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_list_one_macro in asm/preproc.c that will lead to a remote denial of service attack, related to mishandling of operand-type errors.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17820

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-1000667
CVE STATUS: Patched
CVE SUMMARY: NASM nasm-2.13.03 nasm- 2.14rc15 version 2.14rc15 and earlier contains a memory corruption (crashed) of nasm when handling a crafted file due to function assemble_file(inname, depend_ptr) at asm/nasm.c:482. vulnerability in function assemble_file(inname, depend_ptr) at asm/nasm.c:482. that can result in aborting/crash nasm program. This attack appear to be exploitable via a specially crafted asm file..
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000667

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-1000886
CVE STATUS: Patched
CVE SUMMARY: nasm version 2.14.01rc5, 2.15 contains a Buffer Overflow vulnerability in asm/stdscan.c:130 that can result in Stack-overflow caused by triggering endless macro generation, crash the program. This attack appear to be exploitable via a crafted nasm input file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000886

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-10016
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.14rc0 has a division-by-zero vulnerability in the expr5 function in asm/eval.c via a malformed input file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10016

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-10254
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.13 has a stack-based buffer over-read in the disasm function of the disasm/disasm.c file. Remote attackers could leverage this vulnerability to cause a denial of service or possibly have unspecified other impact via a crafted ELF file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10254

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-10316
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.14rc0 has an endless while loop in the assemble_file function of asm/nasm.c because of a globallineno integer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10316

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-16382
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.14rc15 has a buffer over-read in x86/regflags.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16382

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-16517
CVE STATUS: Patched
CVE SUMMARY: asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16517

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-16999
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.14rc15 has an invalid memory write (segmentation fault) in expand_smacro in preproc.c, which allows attackers to cause a denial of service via a crafted input file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16999

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-19209
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.14rc15 has a NULL pointer dereference in the function find_label in asm/labels.c that will lead to a DoS attack.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19209

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-19213
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) through 2.14rc16 has memory leaks that may lead to DoS, related to nasm_malloc in nasmlib/malloc.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19213

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-19214
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.14rc15 has a heap-based buffer over-read in expand_mmac_params in asm/preproc.c for insufficient input.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19214

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-19215
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.14rc16 has a heap-based buffer over-read in expand_mmac_params in asm/preproc.c for the special cases of the % and $ and ! characters.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19215

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-19216
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) before 2.13.02 has a use-after-free in detoken at asm/preproc.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19216

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-19755
CVE STATUS: Patched
CVE SUMMARY: There is an illegal address access at asm/preproc.c (function: is_mmacro) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service (out-of-bounds array access) because a certain conversion can result in a negative integer.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19755

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-20535
CVE STATUS: Patched
CVE SUMMARY: There is a use-after-free at asm/preproc.c (function pp_getline) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service during a line-number increment attempt.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20535

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-20538
CVE STATUS: Patched
CVE SUMMARY: There is a use-after-free at asm/preproc.c (function pp_getline) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service during certain finishes tests.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20538

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-8881
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.13.02rc2 has a heap-based buffer over-read in the function tokenize in asm/preproc.c, related to an unterminated string.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8881

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-8882
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.13.02rc2 has a stack-based buffer under-read in the function ieee_shr in asm/float.c via a large shift value.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8882

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2018-8883
CVE STATUS: Patched
CVE SUMMARY: Netwide Assembler (NASM) 2.13.02rc2 has a buffer over-read in the parse_line function in asm/parser.c via uncontrolled access to nasm_reg_flags.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8883

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2019-14248
CVE STATUS: Patched
CVE SUMMARY: In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14248

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2019-20334
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14.02, stack consumption occurs in expr# functions in asm/eval.c. This potentially affects the relationships among expr0, expr1, expr2, expr3, expr4, expr5, and expr6 (and stdscan in asm/stdscan.c). This is similar to CVE-2019-6290 and CVE-2019-6291.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20334

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2019-20352
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.15rc0, a heap-based buffer over-read occurs (via a crafted .asm file) in set_text_free when called from expand_one_smacro in asm/preproc.c.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20352

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2019-6290
CVE STATUS: Patched
CVE SUMMARY: An infinite recursion issue was discovered in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem resulting from infinite recursion in the functions expr, rexp, bexpr and cexpr in certain scenarios involving lots of '{' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted asm file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6290

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2019-6291
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in the function expr6 in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem caused by the expr6 function making recursive calls to itself in certain scenarios involving lots of '!' or '+' or '-' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted asm file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6291

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2019-7147
CVE STATUS: Patched
CVE SUMMARY: A buffer over-read exists in the function crc64ib in crc64.c in nasmlib in Netwide Assembler (NASM) 2.14rc16. A crafted asm input can cause segmentation faults, leading to denial-of-service.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7147

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2019-8343
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8343

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2020-18780
CVE STATUS: Patched
CVE SUMMARY: A Use After Free vulnerability in function new_Token in asm/preproc.c in nasm 2.14.02 allows attackers to cause a denial of service via crafted nasm command.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-18780

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2020-18974
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow in Netwide Assembler (NASM) v2.15.xx allows attackers to cause a denial of service via 'crc64i' in the component 'nasmlib/crc64'. This issue is different than CVE-2019-7147.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-18974

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2020-21528
CVE STATUS: Patched
CVE SUMMARY: A Segmentation Fault issue discovered in in ieee_segment function in outieee.c in nasm 2.14.03 and 2.15 allows remote attackers to cause a denial of service via crafted assembly file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21528

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2020-21685
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in hash_findi function in hashtbl.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21685

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2020-21686
CVE STATUS: Patched
CVE SUMMARY: A stack-use-after-scope issue discovered in expand_mmac_params function in preproc.c in nasm before 2.15.04 allows remote attackers to cause a denial of service via crafted asm file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21686

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2020-21687
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow vulnerability in scan function in stdscan.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21687

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2020-24241
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24241

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2020-24242
CVE STATUS: Patched
CVE SUMMARY: In Netwide Assembler (NASM) 2.15rc10, SEGV can be triggered in tok_text in asm/preproc.c by accessing READ memory.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24242

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2020-24978
CVE STATUS: Patched
CVE SUMMARY: In NASM 2.15.04rc3, there is a double-free vulnerability in pp_tokline asm/preproc.c. This is fixed in commit 8806c3ca007b84accac21dd88b900fb03614ceb7.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24978

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2021-33450
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in NASM version 2.16rc0. There are memory leaks in nasm_calloc() in nasmlib/alloc.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33450

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2021-33452
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in NASM version 2.16rc0. There are memory leaks in nasm_malloc() in nasmlib/alloc.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33452

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2021-45256
CVE STATUS: Patched
CVE SUMMARY: A Null Pointer Dereference vulnerability existfs in nasm 2.16rc0 via asm/preproc.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45256

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2021-45257
CVE STATUS: Patched
CVE SUMMARY: An infinite loop vulnerability exists in nasm 2.16rc0 via the gpaste_tokens function.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45257

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2022-29654
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow vulnerability in quote_for_pmake in asm/nasm.c in nasm before 2.15.05 allows attackers to cause a denial of service via crafted file.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29654

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2022-41420
CVE STATUS: Patched
CVE SUMMARY: nasm v2.16 was discovered to contain a stack overflow in the Ndisasm component
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41420

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2022-44368
CVE STATUS: Patched
CVE SUMMARY: NASM v2.16 was discovered to contain a null pointer deference in the NASM component
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44368

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2022-44369
CVE STATUS: Patched
CVE SUMMARY: NASM 2.16 (development) is vulnerable to 476: Null Pointer Dereference via output/outaout.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44369

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2022-44370
CVE STATUS: Patched
CVE SUMMARY: NASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() asm/nasm.c:856
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44370

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2022-46456
CVE STATUS: Patched
CVE SUMMARY: NASM v2.16 was discovered to contain a global buffer overflow in the component dbgdbg_typevalue at /output/outdbg.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-46456

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2022-46457
CVE STATUS: Patched
CVE SUMMARY: NASM v2.16 was discovered to contain a segmentation violation in the component ieee_write_file at /output/outieee.c.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-46457

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2023-31722
CVE STATUS: Patched
CVE SUMMARY: There exists a heap buffer overflow in nasm 2.16.02rc1 (GitHub commit: b952891).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31722

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2023-38665
CVE STATUS: Patched
CVE SUMMARY: Null pointer dereference in ieee_write_file in nasm 2.16rc0 allows attackers to cause a denial of service (crash).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38665

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2023-38667
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer over-read in function disasm in nasm 2.16 allows attackers to cause a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38667

LAYER: meta
PACKAGE NAME: nasm-native
PACKAGE VERSION: 2.16.03
CVE: CVE-2023-38668
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer over-read in disasm in nasm 2.16 allows attackers to cause a denial of service (crash).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38668

LAYER: meta
PACKAGE NAME: libinput
PACKAGE VERSION: 1.25.0
CVE: CVE-2022-1215
CVE STATUS: Patched
CVE SUMMARY: A format string vulnerability was found in libinput
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1215

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2011-2485
CVE STATUS: Patched
CVE SUMMARY: The gdk_pixbuf__gif_image_load function in gdk-pixbuf/io-gif.c in gdk-pixbuf before 2.23.5 does not properly handle certain return values, which allows remote attackers to cause a denial of service (memory consumption) via a crafted GIF image file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2485

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2011-2897
CVE STATUS: Patched
CVE SUMMARY: gdk-pixbuf through 2.31.1 has GIF loader buffer overflow when initializing decompression tables due to an input validation flaw
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2897

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2012-2370
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the read_bitmap_file_data function in io-xbm.c in gdk-pixbuf before 2.26.1 allow remote attackers to cause a denial of service (application crash) via a negative (1) height or (2) width in an XBM file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2370

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2015-4491
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4491

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2015-7673
CVE STATUS: Patched
CVE SUMMARY: io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its allocation failed, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7673

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2015-7674
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the pixops_scale_nearest function in pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted GIF image file, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7674

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2015-8875
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in the (1) pixops_composite_nearest, (2) pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8875

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2016-6352
CVE STATUS: Patched
CVE SUMMARY: The OneLine32 function in io-ico.c in gdk-pixbuf before 2.35.3 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via crafted dimensions in an ICO file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6352

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-1000422
CVE STATUS: Patched
CVE SUMMARY: Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflow in the gif_get_lzw function resulting in memory corruption and potential code execution
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000422

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-12447
CVE STATUS: Patched
CVE SUMMARY: GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12447

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-2862
CVE STATUS: Patched
CVE SUMMARY: An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2862

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-2870
CVE STATUS: Patched
CVE SUMMARY: An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2870

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-6311
CVE STATUS: Patched
CVE SUMMARY: gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to printing an error message.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6311

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-6312
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6312

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-6313
CVE STATUS: Patched
CVE SUMMARY: Integer underflow in the load_resources function in io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 7.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6313

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2017-6314
CVE STATUS: Patched
CVE SUMMARY: The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6314

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2020-29385
CVE STATUS: Patched
CVE SUMMARY: GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29385

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2021-20240
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 8.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20240

LAYER: meta
PACKAGE NAME: gdk-pixbuf
PACKAGE VERSION: 2.42.12
CVE: CVE-2021-46829
CVE STATUS: Patched
CVE SUMMARY: GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46829

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2001-1267
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users to overwrite arbitrary files during archive extraction via a tar file whose filenames contain a .. (dot dot).
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1267

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2002-0399
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in GNU tar 1.13.19 through 1.13.25, and possibly later versions, allows attackers to overwrite arbitrary files during archive extraction via a (1) "/.." or (2) "./.." string, which removes the leading slash but leaves the "..", a variant of CVE-2001-1267.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0399

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2002-1216
CVE STATUS: Patched
CVE SUMMARY: GNU tar 1.13.19 and other versions before 1.13.25 allows remote attackers to overwrite arbitrary files via a symlink attack, as the result of a modification that effectively disabled the security check.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1216

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2005-1918
CVE STATUS: Patched
CVE SUMMARY: The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/".
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1918

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2005-2541
CVE STATUS: Patched
CVE SUMMARY: Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2541

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2006-0300
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0300

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2006-6097
CVE STATUS: Patched
CVE SUMMARY: GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6097

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2007-4131
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4131

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2007-4476
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4476

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2010-0624
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0624

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2016-6321
CVE STATUS: Patched
CVE SUMMARY: Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6321

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2018-20482
CVE STATUS: Patched
CVE SUMMARY: GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20482

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2019-9923
CVE STATUS: Patched
CVE SUMMARY: pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9923

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2021-20193
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20193

LAYER: meta
PACKAGE NAME: tar-native
PACKAGE VERSION: 1.35
CVE: CVE-2022-48303
CVE STATUS: Patched
CVE SUMMARY: GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48303

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2009-0586
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0586

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2015-0797
CVE STATUS: Patched
CVE SUMMARY: GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0797

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-10198
CVE STATUS: Patched
CVE SUMMARY: The gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted audio file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10198

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-10199
CVE STATUS: Patched
CVE SUMMARY: The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted tag value.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10199

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9445
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the vmnc decoder in the gstreamer allows remote attackers to cause a denial of service (crash) via large width and height values, which triggers a buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9445

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9446
CVE STATUS: Patched
CVE SUMMARY: The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9446

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9447
CVE STATUS: Patched
CVE SUMMARY: The ROM mappings in the NSF decoder in gstreamer 0.10.x allow remote attackers to cause a denial of service (out-of-bounds read or write) and possibly execute arbitrary code via a crafted NSF music file.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9447

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9634
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via the start_line parameter.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9634

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9635
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a 'skip count' that goes beyond initialized buffer.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9635

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9636
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a 'write count' that goes beyond the initialized buffer.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9636

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9807
CVE STATUS: Patched
CVE SUMMARY: The flx_decode_chunks function in gst/flx/gstflxdec.c in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted FLIC file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9807

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9808
CVE STATUS: Patched
CVE SUMMARY: The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted series of skip and count pairs.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9808

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9809
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the gst_h264_parse_set_caps function in GStreamer before 1.10.2 allows remote attackers to have unspecified impact via a crafted file, which triggers an out-of-bounds read.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9809

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9810
CVE STATUS: Patched
CVE SUMMARY: The gst_decode_chain_free_internal function in the flxdex decoder in gst-plugins-good in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via an invalid file, which triggers an incorrect unref call.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9810

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9811
CVE STATUS: Patched
CVE SUMMARY: The windows_icon_typefind function in gst-plugins-base in GStreamer before 1.10.2, when G_SLICE is set to always-malloc, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ico file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 4.7
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9811

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9812
CVE STATUS: Patched
CVE SUMMARY: The gst_mpegts_section_new function in the mpegts decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a too small section.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9812

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2016-9813
CVE STATUS: Patched
CVE SUMMARY: The _parse_pat function in the mpegts parser in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9813

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5837
CVE STATUS: Patched
CVE SUMMARY: The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted video file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5837

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5838
CVE STATUS: Patched
CVE SUMMARY: The gst_date_time_new_from_iso8601_string function in gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a malformed datetime string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5838

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5839
CVE STATUS: Patched
CVE SUMMARY: The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 does not properly limit recursion, which allows remote attackers to cause a denial of service (stack overflow and crash) via vectors involving nested WAVEFORMATEX.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5839

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5840
CVE STATUS: Patched
CVE SUMMARY: The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving the current stts index.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5840

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5841
CVE STATUS: Patched
CVE SUMMARY: The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving ncdt tags.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5841

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5842
CVE STATUS: Patched
CVE SUMMARY: The html_context_handle_element function in gst/subparse/samiparse.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted SMI file, as demonstrated by OneNote_Manager.smi.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5842

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5843
CVE STATUS: Patched
CVE SUMMARY: Multiple use-after-free vulnerabilities in the (1) gst_mini_object_unref, (2) gst_tag_list_unref, and (3) gst_mxf_demux_update_essence_tracks functions in GStreamer before 1.10.3 allow remote attackers to cause a denial of service (crash) via vectors involving stream tags, as demonstrated by 02785736.mxf.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5843

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5844
CVE STATUS: Patched
CVE SUMMARY: The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted ASF file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5844

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5845
CVE STATUS: Patched
CVE SUMMARY: The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a ncdt sub-tag that "goes behind" the surrounding tag.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5845

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5846
CVE STATUS: Patched
CVE SUMMARY: The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors related to the number of languages in a video file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5846

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5847
CVE STATUS: Patched
CVE SUMMARY: The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5847

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2017-5848
CVE STATUS: Patched
CVE SUMMARY: The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5848

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2019-9928
CVE STATUS: Patched
CVE SUMMARY: GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9928

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2021-3497
CVE STATUS: Patched
CVE SUMMARY: GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3497

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2021-3498
CVE STATUS: Patched
CVE SUMMARY: GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3498

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2021-3522
CVE STATUS: Patched
CVE SUMMARY: GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3522

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2022-1920
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1920

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2022-1921
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1921

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2022-1922
CVE STATUS: Patched
CVE SUMMARY: DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1922

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2022-1923
CVE STATUS: Patched
CVE SUMMARY: DOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in matroskademux element in bzip decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1923

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2022-1924
CVE STATUS: Patched
CVE SUMMARY: DOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in matroskademux element in lzo decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1924

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2022-1925
CVE STATUS: Patched
CVE SUMMARY: DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however the matroskaparse element has no size checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1925

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2022-2122
CVE STATUS: Patched
CVE SUMMARY: DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2122

LAYER: meta
PACKAGE NAME: gstreamer1.0
PACKAGE VERSION: 1.22.12
CVE: CVE-2024-0444
CVE STATUS: Unpatched
CVE SUMMARY: GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the parsing of tile list data within AV1-encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22873.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0444

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0691
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0692
CVE STATUS: Patched
CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2004-0693
CVE STATUS: Patched
CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2005-0627
CVE STATUS: Patched
CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2006-4811
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-0242
CVE STATUS: Patched
CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-3388
CVE STATUS: Patched
CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2007-4137
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow.  NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2009-2700
CVE STATUS: Patched
CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-1766
CVE STATUS: Patched
CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-2621
CVE STATUS: Patched
CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2010-5076
CVE STATUS: Patched
CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3193
CVE STATUS: Patched
CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2011-3194
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-5624
CVE STATUS: Patched
CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2012-6093
CVE STATUS: Patched
CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-0254
CVE STATUS: Patched
CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2013-4549
CVE STATUS: Patched
CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2014-0190
CVE STATUS: Patched
CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-0295
CVE STATUS: Patched
CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1290
CVE STATUS: Patched
CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1858
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1859
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-1860
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-7298
CVE STATUS: Patched
CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate.  NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2015-9541
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10904
CVE STATUS: Patched
CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-10905
CVE STATUS: Patched
CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2017-15011
CVE STATUS: Patched
CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-15518
CVE STATUS: Patched
CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19865
CVE STATUS: Patched
CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19869
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19870
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19871
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19872
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-19873
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2018-21035
CVE STATUS: Patched
CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0569
CVE STATUS: Patched
CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
CVSS v2 BASE SCORE: 2.7
CVSS v3 BASE SCORE: 5.7
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-0570
CVE STATUS: Patched
CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-12267
CVE STATUS: Patched
CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-13962
CVE STATUS: Patched
CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-17507
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2020-24742
CVE STATUS: Patched
CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-28025
CVE STATUS: Patched
CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-3481
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.1
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2021-38593
CVE STATUS: Patched
CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25255
CVE STATUS: Patched
CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-25634
CVE STATUS: Patched
CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-40983
CVE STATUS: Patched
CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2022-43591
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-24607
CVE STATUS: Patched
CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32573
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32762
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-32763
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-33285
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-34410
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-37369
CVE STATUS: Unpatched
CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-38197
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-43114
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2023-51714
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714

LAYER: meta-qt5
PACKAGE NAME: qtlocation
PACKAGE VERSION: 5.15.13+git
CVE: CVE-2024-39936
CVE STATUS: Unpatched
CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936

LAYER: meta-selinux
PACKAGE NAME: libsepol-native
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta-selinux
PACKAGE NAME: libsemanage-native
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta-selinux
PACKAGE NAME: libselinux-native
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2014-5461
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5461

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2019-6706
CVE STATUS: Patched
CVE SUMMARY: Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6706

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-15888
CVE STATUS: Patched
CVE SUMMARY: Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15888

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-15889
CVE STATUS: Patched
CVE SUMMARY: Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15889

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-15945
CVE STATUS: Patched
CVE SUMMARY: Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15945

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-24342
CVE STATUS: Patched
CVE SUMMARY: Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24342

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-24369
CVE STATUS: Patched
CVE SUMMARY: ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24369

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-24370
CVE STATUS: Patched
CVE SUMMARY: ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24370

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2020-24371
CVE STATUS: Patched
CVE SUMMARY: lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24371

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-43519
CVE STATUS: Patched
CVE SUMMARY: Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43519

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-44647
CVE STATUS: Patched
CVE SUMMARY: Lua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44647

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-44964
CVE STATUS: Patched
CVE SUMMARY: Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44964

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2021-45985
CVE STATUS: Patched
CVE SUMMARY: In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45985

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2022-28805
CVE STATUS: Patched
CVE SUMMARY: singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.
CVSS v2 BASE SCORE: 6.4
CVSS v3 BASE SCORE: 9.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28805

LAYER: meta
PACKAGE NAME: lua
PACKAGE VERSION: 5.4.6
CVE: CVE-2022-33099
CVE STATUS: Patched
CVE SUMMARY: An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33099

LAYER: meta
PACKAGE NAME: lz4-native
PACKAGE VERSION: 1_1.9.4
CVE: CVE-2014-4715
CVE STATUS: Patched
CVE DETAIL: fixed-version
CVE DESCRIPTION: Fixed in r118, which is larger than the current version.
CVE SUMMARY: Yann Collet LZ4 before r119, when used on certain 32-bit platforms that allocate memory beyond 0x80000000, does not properly detect integer overflows, which allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run, a different vulnerability than CVE-2014-4611.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4715

LAYER: meta
PACKAGE NAME: lz4-native
PACKAGE VERSION: 1_1.9.4
CVE: CVE-2019-17543
CVE STATUS: Patched
CVE SUMMARY: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17543

LAYER: meta
PACKAGE NAME: lz4-native
PACKAGE VERSION: 1_1.9.4
CVE: CVE-2021-3520
CVE STATUS: Patched
CVE SUMMARY: There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3520

LAYER: meta-selinux
PACKAGE NAME: policycoreutils
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2005-4889
CVE STATUS: Patched
CVE SUMMARY: lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of an executable file during deletion of the file in an RPM package removal, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file, a related issue to CVE-2010-2059.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4889

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2010-2059
CVE STATUS: Patched
CVE SUMMARY: lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2059

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2010-2197
CVE STATUS: Patched
CVE SUMMARY: rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag.
CVSS v2 BASE SCORE: 5.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2197

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2010-2198
CVE STATUS: Patched
CVE SUMMARY: lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to gain privileges or bypass intended access restrictions by creating a hard link to a vulnerable file that has (1) POSIX file capabilities or (2) SELinux context information, a related issue to CVE-2010-2059.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2198

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2010-2199
CVE STATUS: Patched
CVE SUMMARY: lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2199

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2011-3378
CVE STATUS: Patched
CVE SUMMARY: RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3378

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2012-0060
CVE STATUS: Patched
CVE SUMMARY: RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0060

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2012-0061
CVE STATUS: Patched
CVE SUMMARY: The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not properly validate region tags, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large region size in a package header.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0061

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2012-0815
CVE STATUS: Patched
CVE SUMMARY: The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0815

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2012-6088
CVE STATUS: Patched
CVE SUMMARY: The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does not return an error code in certain situations involving an "unparseable signature," which allows remote attackers to bypass RPM signature checks via a crafted package.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6088

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2013-6435
CVE STATUS: Patched
CVE SUMMARY: Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.
CVSS v2 BASE SCORE: 7.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6435

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2014-8118
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8118

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2017-7500
CVE STATUS: Patched
CVE SUMMARY: It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7500

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2017-7501
CVE STATUS: Patched
CVE SUMMARY: It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7501

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-20266
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20266

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-20271
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
CVSS v2 BASE SCORE: 5.1
CVSS v3 BASE SCORE: 7.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20271

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-3421
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3421

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-3521
CVE STATUS: Patched
CVE SUMMARY: There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3521

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-35937
CVE STATUS: Patched
CVE SUMMARY: A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.4
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35937

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-35938
CVE STATUS: Patched
CVE SUMMARY: A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35938

LAYER: meta
PACKAGE NAME: rpm
PACKAGE VERSION: 1_4.19.1.1
CVE: CVE-2021-35939
CVE STATUS: Patched
CVE SUMMARY: It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35939

LAYER: meta
PACKAGE NAME: lzo-native
PACKAGE VERSION: 2.10
CVE: CVE-2014-4607
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the LZO algorithm variant in Oberhumer liblzo2 and lzo-2 before 2.07 on 32-bit platforms might allow remote attackers to execute arbitrary code via a crafted Literal Run.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4607

LAYER: meta
PACKAGE NAME: syslinux-native
PACKAGE VERSION: 6.04-pre2
CVE: CVE-2003-1422
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in the installer for SYSLINUX 2.01, when running setuid root, allow local users to gain privileges via unknown vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1422

LAYER: meta
PACKAGE NAME: erofs-utils-native
PACKAGE VERSION: 1.7.1
CVE: CVE-2023-33551
CVE STATUS: Patched
CVE SUMMARY: Heap Buffer Overflow in the erofsfsck_dirent_iter function in fsck/main.c in erofs-utils v1.6 allows remote attackers to execute arbitrary code via a crafted erofs filesystem image.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33551

LAYER: meta
PACKAGE NAME: erofs-utils-native
PACKAGE VERSION: 1.7.1
CVE: CVE-2023-33552
CVE STATUS: Patched
CVE SUMMARY: Heap Buffer Overflow in the erofs_read_one_data function at data.c in erofs-utils v1.6 allows remote attackers to execute arbitrary code via a crafted erofs filesystem image.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33552

LAYER: meta
PACKAGE NAME: cdrtools-native
PACKAGE VERSION: 3.01
CVE: CVE-2003-0655
CVE STATUS: Patched
CVE SUMMARY: rscsi in cdrtools 2.01 and earlier allows local users to overwrite arbitrary files and gain root privileges by specifying the target file as a command line argument, which is modified while rscsi is running with privileges.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0655

LAYER: meta
PACKAGE NAME: squashfs-tools-native
PACKAGE VERSION: 4.6.1
CVE: CVE-2012-4024
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the get_component function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted list file (aka a crafted file for the -ef option).  NOTE: probably in most cases, the list file is a trusted file constructed by the program's user; however, there are some realistic situations in which a list file would be obtained from an untrusted remote source.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4024

LAYER: meta
PACKAGE NAME: squashfs-tools-native
PACKAGE VERSION: 4.6.1
CVE: CVE-2012-4025
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the queue_init function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted block_log field in the superblock of a .sqsh file, leading to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4025

LAYER: meta
PACKAGE NAME: squashfs-tools-native
PACKAGE VERSION: 4.6.1
CVE: CVE-2015-4645
CVE STATUS: Patched
CVE SUMMARY: Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4645

LAYER: meta
PACKAGE NAME: squashfs-tools-native
PACKAGE VERSION: 4.6.1
CVE: CVE-2015-4646
CVE STATUS: Patched
CVE SUMMARY: (1) unsquash-1.c, (2) unsquash-2.c, (3) unsquash-3.c, and (4) unsquash-4.c in Squashfs and sasquatch allow remote attackers to cause a denial of service (application crash) via a crafted input.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4646

LAYER: meta
PACKAGE NAME: screen
PACKAGE VERSION: 4.9.1
CVE: CVE-2002-1602
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the Braille module for GNU screen 3.9.11, when HAVE_BRAILLE is defined, allows local users to execute arbitrary code.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1602

LAYER: meta
PACKAGE NAME: screen
PACKAGE VERSION: 4.9.1
CVE: CVE-2003-0972
CVE STATUS: Patched
CVE SUMMARY: Integer signedness error in ansi.c for GNU screen 4.0.1 and earlier, and 3.9.15 and earlier, allows local users to execute arbitrary code via a large number of ";" (semicolon) characters in escape sequences, which leads to a buffer overflow.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0972

LAYER: meta
PACKAGE NAME: screen
PACKAGE VERSION: 4.9.1
CVE: CVE-2006-4573
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in the "utf8 combining characters handling" (utf8_handle_comb function in encoding.c) in screen before 4.0.3 allows user-assisted attackers to cause a denial of service (crash or hang) via certain UTF8 sequences.
CVSS v2 BASE SCORE: 2.6
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4573

LAYER: meta
PACKAGE NAME: screen
PACKAGE VERSION: 4.9.1
CVE: CVE-2007-3048
CVE STATUS: Patched
CVE SUMMARY: GNU screen 4.0.3 allows local users to unlock the screen via a CTRL-C sequence at the password prompt.  NOTE: multiple third parties report inability to reproduce this issue
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3048

LAYER: meta
PACKAGE NAME: screen
PACKAGE VERSION: 4.9.1
CVE: CVE-2009-1214
CVE STATUS: Patched
CVE SUMMARY: GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with world-readable permissions, which might allow local users to obtain sensitive session information.
CVSS v2 BASE SCORE: 4.9
CVSS v3 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1214

LAYER: meta
PACKAGE NAME: screen
PACKAGE VERSION: 4.9.1
CVE: CVE-2017-5618
CVE STATUS: Patched
CVE SUMMARY: GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions.
CVSS v2 BASE SCORE: 7.2
CVSS v3 BASE SCORE: 7.8
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5618

LAYER: meta
PACKAGE NAME: screen
PACKAGE VERSION: 4.9.1
CVE: CVE-2020-9366
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9366

LAYER: meta
PACKAGE NAME: screen
PACKAGE VERSION: 4.9.1
CVE: CVE-2021-26937
CVE STATUS: Patched
CVE SUMMARY: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26937

LAYER: meta
PACKAGE NAME: screen
PACKAGE VERSION: 4.9.1
CVE: CVE-2023-24626
CVE STATUS: Patched
CVE SUMMARY: socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24626

LAYER: meta-selinux
PACKAGE NAME: policycoreutils-native
PACKAGE VERSION: 3.6
CVE: CVE-2020-10751
CVE STATUS: Unpatched
CVE SUMMARY: A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 6.1
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10751