| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025011513-CVE-2024-57893-b263@gregkh> Date: Wed, 15 Jan 2025 14:06:16 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-57893: ALSA: seq: oss: Fix races at processing SysEx messages Description =========== In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: oss: Fix races at processing SysEx messages OSS sequencer handles the SysEx messages split in 6 bytes packets, and ALSA sequencer OSS layer tries to combine those. It stores the data in the internal buffer and this access is racy as of now, which may lead to the out-of-bounds access. As a temporary band-aid fix, introduce a mutex for serializing the process of the SysEx message packets. The Linux kernel CVE team has assigned CVE-2024-57893 to this issue. Affected and fixed versions =========================== Fixed in 6.1.124 with commit cff1de87ed14fc0f2332213d2367100e7ad0753a Fixed in 6.6.70 with commit d2392b79d8af3714ea8878b71c66dc49d3110f44 Fixed in 6.12.9 with commit 9d382112b36382aa65aad765f189ebde9926c101 Fixed in 6.13-rc6 with commit 0179488ca992d79908b8e26b9213f1554fc5bacc Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-57893 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: sound/core/seq/oss/seq_oss_synth.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/cff1de87ed14fc0f2332213d2367100e7ad0753a https://git.kernel.org/stable/c/d2392b79d8af3714ea8878b71c66dc49d3110f44 https://git.kernel.org/stable/c/9d382112b36382aa65aad765f189ebde9926c101 https://git.kernel.org/stable/c/0179488ca992d79908b8e26b9213f1554fc5bacc
Powered by blists - more mailing lists