lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <2025072812-CVE-2025-38474-0663@gregkh>
Date: Mon, 28 Jul 2025 13:22:17 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38474: usb: net: sierra: check for no status endpoint

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

usb: net: sierra: check for no status endpoint

The driver checks for having three endpoints and
having bulk in and out endpoints, but not that
the third endpoint is interrupt input.
Rectify the omission.
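As an added illustration, not the driver's code and not the patch in the commits linked below, the following userspace C model shows the shape of the bind-time endpoint validation the description refers to: the original check (three endpoints, a bulk IN and a bulk OUT) beside the corrected one that also requires an interrupt IN endpoint. The descriptor struct, the two check functions and the sample endpoint layouts are constructed for this example; the bit masks follow the USB specification.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model (constructed for this example) of the two USB endpoint
 * descriptor fields the bind-time check inspects. Masks and values follow
 * the USB spec, the same ones the kernel exposes as USB_DIR_IN and
 * USB_ENDPOINT_XFER_*. */
#define EP_DIR_IN        0x80
#define EP_XFERTYPE_MASK 0x03
#define EP_XFER_ISOC     0x01
#define EP_XFER_BULK     0x02
#define EP_XFER_INT      0x03

struct ep_desc {
    uint8_t bEndpointAddress; /* bit 7 set = IN (device to host) */
    uint8_t bmAttributes;     /* low two bits = transfer type */
};

static bool ep_is(const struct ep_desc *e, uint8_t xfer, bool in)
{
    bool is_in = (e->bEndpointAddress & EP_DIR_IN) != 0;
    return (e->bmAttributes & EP_XFERTYPE_MASK) == xfer && is_in == in;
}

/* Count how many descriptors of a given type and direction the interface has. */
static int count_eps(const struct ep_desc *eps, size_t n, uint8_t xfer, bool in)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        if (ep_is(&eps[i], xfer, in))
            c++;
    return c;
}

/* Pre-fix shape of the check: exactly three endpoints, a bulk IN and a
 * bulk OUT. Nothing asks what the third endpoint is. */
int bind_check_original(const struct ep_desc *eps, size_t n)
{
    if (n != 3)
        return -ENODEV;
    if (!count_eps(eps, n, EP_XFER_BULK, true) ||
        !count_eps(eps, n, EP_XFER_BULK, false))
        return -ENODEV;
    return 0;
}

/* Post-fix shape: additionally require the interrupt IN endpoint the driver
 * uses for status, so a device without one is rejected at bind time. */
int bind_check_fixed(const struct ep_desc *eps, size_t n)
{
    int ret = bind_check_original(eps, n);
    if (ret)
        return ret;
    if (!count_eps(eps, n, EP_XFER_INT, true))
        return -ENODEV;
    return 0;
}

/* Constructed sample interface: the layout the driver expects. */
const struct ep_desc good_eps[3] = {
    { 0x81, EP_XFER_BULK }, /* bulk IN  */
    { 0x02, EP_XFER_BULK }, /* bulk OUT */
    { 0x83, EP_XFER_INT  }, /* interrupt IN: the status endpoint */
};

/* Constructed sample: same count and bulk pair, but the third endpoint is
 * isochronous, so there is no status endpoint at all. */
const struct ep_desc no_status_eps[3] = {
    { 0x81, EP_XFER_BULK },
    { 0x02, EP_XFER_BULK },
    { 0x83, EP_XFER_ISOC },
};

int main(void)
{
    printf("good:      original=%d fixed=%d\n",
           bind_check_original(good_eps, 3), bind_check_fixed(good_eps, 3));
    printf("no status: original=%d fixed=%d\n",
           bind_check_original(no_status_eps, 3),
           bind_check_fixed(no_status_eps, 3));
    return 0;
}
```

The second layout is the case the original check lets through: the endpoint count and the bulk pair are both right, so `bind_check_original()` returns 0 while `bind_check_fixed()` returns `-ENODEV`. In the kernel itself this kind of classification is done by helpers such as `usb_find_common_endpoints()`; the fix's effect is that an interface with three endpoints but no interrupt IN one is refused at bind instead of being accepted with no status endpoint.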

The Linux kernel CVE team has assigned CVE-2025-38474 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.1.147 with commit 5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9
	Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.6.100 with commit 5dd6a441748dad2f02e27b256984ca0b2d4546b6
	Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.12.40 with commit 65c666aff44eb7f9079c55331abd9687fb77ba2d
	Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.15.8 with commit bfe8ef373986e8f185d3d6613eb1801a8749837a
	Issue introduced in 2.6.34 with commit eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d and fixed in 6.16 with commit 4c4ca3c46167518f8534ed70f6e3b4bf86c4d158

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38474
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/usb/sierra_net.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9
	https://git.kernel.org/stable/c/5dd6a441748dad2f02e27b256984ca0b2d4546b6
	https://git.kernel.org/stable/c/65c666aff44eb7f9079c55331abd9687fb77ba2d
	https://git.kernel.org/stable/c/bfe8ef373986e8f185d3d6613eb1801a8749837a
	https://git.kernel.org/stable/c/4c4ca3c46167518f8534ed70f6e3b4bf86c4d158
