| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025090457-CVE-2025-38712-6273@gregkh> Date: Thu, 4 Sep 2025 17:33:17 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38712: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() When the volume header contains erroneous values that do not reflect the actual state of the filesystem, hfsplus_fill_super() assumes that the attributes file is not yet created, which later results in hitting BUG_ON() when hfsplus_create_attributes_file() is called. Replace this BUG_ON() with -EIO error with a message to suggest running fsck tool. The Linux kernel CVE team has assigned CVE-2025-38712 to this issue. Affected and fixed versions =========================== Fixed in 5.4.297 with commit bb0eea8e375677f586ad11c12e2525ed3fc698c2 Fixed in 5.10.241 with commit 9046566fa692f88954dac8c510f37ee17a15fdb7 Fixed in 5.15.190 with commit 03cd1db1494cf930e2fa042c9c13e32bffdb4eba Fixed in 6.1.149 with commit dee5c668ad71ddbcb4b48d95e8a4f371314ad41d Fixed in 6.6.103 with commit b3359392b75395a31af739a761f48f4041148226 Fixed in 6.12.43 with commit 1bb8da27ff15e346d4bc9e248e819c9a88ebf9d6 Fixed in 6.15.11 with commit d768e3ed430e89a699bf89d3214dcbbf4648c939 Fixed in 6.16.2 with commit ce5e387f396cbb5c061d9837abcac731e9e06f4d Fixed in 6.17-rc1 with commit c7c6363ca186747ebc2df10c8a1a51e66e0e32d9 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38712 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/hfsplus/xattr.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/bb0eea8e375677f586ad11c12e2525ed3fc698c2 https://git.kernel.org/stable/c/9046566fa692f88954dac8c510f37ee17a15fdb7 https://git.kernel.org/stable/c/03cd1db1494cf930e2fa042c9c13e32bffdb4eba https://git.kernel.org/stable/c/dee5c668ad71ddbcb4b48d95e8a4f371314ad41d https://git.kernel.org/stable/c/b3359392b75395a31af739a761f48f4041148226 https://git.kernel.org/stable/c/1bb8da27ff15e346d4bc9e248e819c9a88ebf9d6 https://git.kernel.org/stable/c/d768e3ed430e89a699bf89d3214dcbbf4648c939 https://git.kernel.org/stable/c/ce5e387f396cbb5c061d9837abcac731e9e06f4d https://git.kernel.org/stable/c/c7c6363ca186747ebc2df10c8a1a51e66e0e32d9
Powered by blists - more mailing lists