-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5480-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 18, 2023                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380
                 CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269
                 CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3212
                 CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609
                 CVE-2023-3611 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004
                 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194
                 CVE-2023-4273 CVE-2023-20588 CVE-2023-21255 CVE-2023-21400
                 CVE-2023-31084 CVE-2023-34319 CVE-2023-35788 CVE-2023-40283

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2022-4269

    William Zhao discovered that a flaw in the Traffic Control (TC)
    subsystem when using a specific networking configuration
    (redirecting egress packets to ingress using TC action "mirred"),
    may allow a local unprivileged user to cause a denial of service
    (triggering a CPU soft lockup).

CVE-2022-39189

    Jann Horn discovered that TLB flush operations are mishandled in the
    KVM subsystem in certain KVM_VCPU_PREEMPTED situations, which may
    allow an unprivileged guest user to compromise the guest kernel.

CVE-2023-1206

    It was discovered that the networking stack permits attackers to
    force hash collisions in the IPv6 connection lookup table, which may
    result in denial of service (significant increase in the cost of
    lookups, increased CPU utilization).

CVE-2023-1380

    Jisoo Jang reported a heap out-of-bounds read in the brcmfmac Wi-Fi
    driver. On systems using this driver, a local user could exploit
    this to read sensitive information or to cause a denial of service.

CVE-2023-2002

    Ruiahn Li reported an incorrect permissions check in the Bluetooth
    subsystem. A local user could exploit this to reconfigure local
    Bluetooth interfaces, resulting in information leaks, spoofing, or
    denial of service (loss of connection).

CVE-2023-2007

    Lucas Leong and Reno Robert discovered a time-of-check-to-time-of-
    use flaw in the dpt_i2o SCSI controller driver. A local user with
    access to a SCSI device using this driver could exploit this for
    privilege escalation.

    This flaw has been mitigated by removing support for the I2OUSRCMD
    operation.

CVE-2023-2124

    Kyle Zeng, Akshay Ajayan and Fish Wang discovered that missing
    metadata validation may result in denial of service or potential
    privilege escalation if a corrupted XFS disk image is mounted.

CVE-2023-2269

    Zheng Zhang reported that improper handling of locking in the device
    mapper implementation may result in denial of service.

CVE-2023-2898

    It was discovered that missing sanitising in the f2fs file
    system may result in denial of service if a malformed file
    system is accessed.

CVE-2023-3090

    It was discovered that missing initialization in ipvlan networking
    may lead to an out-of-bounds write vulnerability, resulting in
    denial of service or potentially the execution of arbitrary code.

CVE-2023-3111

    The TOTE Robot tool found a flaw in the Btrfs filesystem driver that
    can lead to a use-after-free. It's unclear whether an unprivileged
    user can exploit this.

CVE-2023-3212

    Yang Lan that missing validation in the GFS2 filesystem could result
    in denial of service via a NULL pointer dereference when mounting a
    malformed GFS2 filesystem.

CVE-2023-3268

    It was discovered that an out-of-bounds memory access in relayfs
    could result in denial of service or an information leak.

CVE-2023-3338

    Davide Ornaghi discovered a flaw in the DECnet protocol
    implementation which could lead to a null pointer dereference or
    use-after-free. A local user can exploit this to cause a denial of service
    (crash or memory corruption) and probably for privilege escalation.

    This flaw has been mitigated by removing the DECnet protocol
    implementation.

CVE-2023-3389

    Querijn Voet discovered a use-after-free in the io_uring subsystem,
    which may result in denial of service or privilege escalation.

CVE-2023-3611

    It was discovered that an out-of-bounds write in the traffic control
    subsystem for the Quick Fair Queueing scheduler (QFQ) may result in
    denial of service or privilege escalation.

CVE-2023-3609 / CVE-2023-3776 / CVE-2023-4128

    It was discovered that a use-after-free in the cls_fw, cls_u32,
    cls_route and network classifiers may result in denial of service or
    potential local privilege escalation.

CVE-2023-3863

    It was discovered that a use-after-free in the NFC implementation
    may result in denial of service, an information leak or potential
    local privilege escalation.

CVE-2023-4004

    It was discovered that a use-after-free in Netfilter's
    implementation of PIPAPO (PIle PAcket POlicies) may result in denial
    of service or potential local privilege escalation for a user with
    the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-4132

    A use-after-free in the driver for Siano SMS1xxx based MDTV
    receivers may result in local denial of service.

CVE-2023-4147

    Kevin Rich discovered a use-after-free in Netfilter when adding a
    rule with NFTA_RULE_CHAIN_ID, which may result in local privilege
    escalation for a user with the CAP_NET_ADMIN capability in any user
    or network namespace.

CVE-2023-4194

    A type confusion in the implementation of TUN/TAP network devices
    may allow a local user to bypass network filters.

CVE-2023-4273

    Maxim Suhanov discovered a stack overflow in the exFAT driver, which
    may result in local denial of service via a malformed file system.

CVE-2023-20588

    Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Koepf and
    Oleksii Oleksenko discovered that on some AMD CPUs with the Zen1
    micro architecture an integer division by zero may leave stale
    quotient data from a previous division, resulting in a potential
    leak of sensitive data.

CVE-2023-21255

    A use-after-free was discovered in the in the Android binder driver,
    which may result in local privilege escalation on systems where the
    binder driver is loaded.

CVE-2023-21400

    Ye Zhang and Nicolas Wu discovered a double-free in the io_uring
    subsystem, which may result in denial of service or privilege
    escalation.

CVE-2023-31084

    It was discovered that the DVB Core driver does not properly handle
    locking of certain events, allowing a local user to cause a denial
    of service.

CVE-2023-34319

    Ross Lagerwall discovered a buffer overrun in Xen's netback driver
    which may allow a Xen guest to cause denial of service to the
    virtualisation host my sending malformed packets.

CVE-2023-35788

    Hangyu Hua that an off-by-one in the Flower traffic classifier may
    result in local of service or the execution of privilege escalation.

CVE-2023-40283

    A use-after-free was discovered in Bluetooth L2CAP socket handling.

For the oldstable distribution (bullseye), these problems have been fixed
in version 5.10.191-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTfvC5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QmDBAAnjvIhfwWPmYeanAyC9Hwdx2L9ATqx235c5K4I9xOWCRR+1oiM3WIKDz1
jnFbRnCKEPMUeIMWaSwXj11OvjDIY31nnUqRzf/hoT8PQ6dHi1p/fpmjReLFL9sw
FoYhyabKtkGMBUXF4dCz2Qn62yPGFDgupBMlK1BQ1kJvxZABaKG0PGTqqPX4iOla
DkbNvwq2lLr0K6oYKp8Nu+tQ+1I6U8PI4EvAlYbybvo0WXvbZy9pOmBilJhBqYrC
6Ql1ndovBzDi3H8Qo+C8WJRdFcjP+dBOpW/lu9EcHbNmHG1cWLO8EexqvfoW8GAV
qf0CEtULUwsn6pM5uW+SEgfsiETFPXbzQt+FxH2L2NGLhLmb73dIK074/Ids8lx4
V4tNh+pVTli+sTCB6uGaRQvM4uNTxm5mV9+saacM6vel6KvD/qRreCMCDhvk9CkS
ETg3sJjbw/Hv83RwfqTlXicJh5KpA5JikrztMnHNAQKru93uSH6dOLpOd45/SeA8
KHw604LkeuzAiqFltE76HS1h/jDXO0Mfb0UvIH5N1tmgcr3qaRaFvZQ6sYy8NTHa
6N5pnfKJJXRuYe/aadjlC2xQmUMvU8HD39dqp6Z+XFjjzLmz5NN9rLHZKqaLSx6C
IFId+FMkkKLeQFWylM+mA5WwiUTEx0JvREFPjtOjJ4RDHf3Mmws=
=z/8h
-----END PGP SIGNATURE-----