| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024052237-CVE-2021-47478-c124@gregkh> Date: Wed, 22 May 2024 10:19:38 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2021-47478: isofs: Fix out of bound access for corrupted isofs image Description =========== In the Linux kernel, the following vulnerability has been resolved: isofs: Fix out of bound access for corrupted isofs image When isofs image is suitably corrupted isofs_read_inode() can read data beyond the end of buffer. Sanity-check the directory entry length before using it. The Linux kernel CVE team has assigned CVE-2021-47478 to this issue. Affected and fixed versions =========================== Fixed in 4.4.292 with commit 156ce5bb6cc4 Fixed in 4.9.290 with commit 9ec33a9b8790 Fixed in 4.14.255 with commit afbd40f42522 Fixed in 4.19.217 with commit b0ddff8d68f2 Fixed in 5.4.159 with commit 6e80e9314f8b Fixed in 5.10.79 with commit 86d4aedcbc69 Fixed in 5.14.18 with commit b2fa1f52d22c Fixed in 5.15.2 with commit e7fb722586a2 Fixed in 5.16 with commit e96a1866b405 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2021-47478 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/isofs/inode.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/156ce5bb6cc43a80a743810199defb1dc3f55b7f https://git.kernel.org/stable/c/9ec33a9b8790c212cc926a88c5e2105f97f3f57e https://git.kernel.org/stable/c/afbd40f425227e661d991757e11cc4db024e761f https://git.kernel.org/stable/c/b0ddff8d68f2e43857a84dce54c3deab181c8ae1 https://git.kernel.org/stable/c/6e80e9314f8bb52d9eabe1907698718ff01120f5 https://git.kernel.org/stable/c/86d4aedcbc69c0f84551fb70f953c24e396de2d7 https://git.kernel.org/stable/c/b2fa1f52d22c5455217b294629346ad23a744945 https://git.kernel.org/stable/c/e7fb722586a2936b37bdff096c095c30ca06404d https://git.kernel.org/stable/c/e96a1866b40570b5950cda8602c2819189c62a48
Powered by blists - more mailing lists