| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061836-CVE-2025-38065-e91a@gregkh> Date: Wed, 18 Jun 2025 11:34:00 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38065: orangefs: Do not truncate file size From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems. The Linux kernel CVE team has assigned CVE-2025-38065 to this issue. Affected and fixed versions =========================== Fixed in 5.4.294 with commit ceaf195ed285b77791e29016ee6344b3ded609b3 Fixed in 5.10.238 with commit 341e3a5984cf5761f3dab16029d7e9fb1641d5ff Fixed in 5.15.185 with commit 5111227d7f1f57f6804666b3abf780a23f44fc1d Fixed in 6.1.141 with commit 15602508ad2f923e228b9521960b4addcd27d9c4 Fixed in 6.6.93 with commit 121f0335d91e46369bf55b5da4167d82b099a166 Fixed in 6.12.31 with commit cd918ec24168fe08c6aafc077dd3b6d88364c5cf Fixed in 6.14.9 with commit 2323b806221e6268a4e17711bc72e2fc87c191a3 Fixed in 6.15 with commit 062e8093592fb866b8e016641a8b27feb6ac509d Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38065 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/orangefs/inode.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/ceaf195ed285b77791e29016ee6344b3ded609b3 https://git.kernel.org/stable/c/341e3a5984cf5761f3dab16029d7e9fb1641d5ff https://git.kernel.org/stable/c/5111227d7f1f57f6804666b3abf780a23f44fc1d https://git.kernel.org/stable/c/15602508ad2f923e228b9521960b4addcd27d9c4 https://git.kernel.org/stable/c/121f0335d91e46369bf55b5da4167d82b099a166 https://git.kernel.org/stable/c/cd918ec24168fe08c6aafc077dd3b6d88364c5cf https://git.kernel.org/stable/c/2323b806221e6268a4e17711bc72e2fc87c191a3 https://git.kernel.org/stable/c/062e8093592fb866b8e016641a8b27feb6ac509d
Powered by blists - more mailing lists