| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024102109-CVE-2024-50007-0253@gregkh> Date: Mon, 21 Oct 2024 20:54:11 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-50007: ALSA: asihpi: Fix potential OOB array access Description =========== In the Linux kernel, the following vulnerability has been resolved: ALSA: asihpi: Fix potential OOB array access ASIHPI driver stores some values in the static array upon a response from the driver, and its index depends on the firmware. We shouldn't trust it blindly. This patch adds a sanity check of the array index to fit in the array size. The Linux kernel CVE team has assigned CVE-2024-50007 to this issue. Affected and fixed versions =========================== Fixed in 5.10.227 with commit 219587bca267 Fixed in 5.15.168 with commit 36ee4021bcc3 Fixed in 6.1.113 with commit e658227d9d4f Fixed in 6.6.55 with commit 7a5574099670 Fixed in 6.10.14 with commit ad7248a5e925 Fixed in 6.11.3 with commit 876d04bf5a8a Fixed in 6.12-rc1 with commit 7b986c7430a6 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-50007 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: sound/pci/asihpi/hpimsgx.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/219587bca2678e31700ef09ecec178ba1f735674 https://git.kernel.org/stable/c/36ee4021bcc37b834996e79740d095d6f8dd948f https://git.kernel.org/stable/c/e658227d9d4f4e122d81690fdbc0d438b10288f5 https://git.kernel.org/stable/c/7a55740996701f7b2bc46dc988b60ef2e416a747 https://git.kernel.org/stable/c/ad7248a5e92587b9266c62db8bcc4e58de53e372 https://git.kernel.org/stable/c/876d04bf5a8ac1d6af5afd258cd37ab83ab2cf3d https://git.kernel.org/stable/c/7b986c7430a6bb68d523dac7bfc74cbd5b44ef96
Powered by blists - more mailing lists