| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091553-CVE-2023-53165-a7c4@gregkh> Date: Mon, 15 Sep 2025 16:02:19 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53165: udf: Fix uninitialized array access for some pathnames From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: udf: Fix uninitialized array access for some pathnames For filenames that begin with . and are between 2 and 5 characters long, UDF charset conversion code would read uninitialized memory in the output buffer. The only practical impact is that the name may be prepended a "unification hash" when it is not actually needed but still it is good to fix this. The Linux kernel CVE team has assigned CVE-2023-53165 to this issue. Affected and fixed versions =========================== Fixed in 4.14.324 with commit 008ae78d1e12efa904dc819b1ec83e2bca6b2c56 Fixed in 4.19.293 with commit b37f998d357102e8eb0f8eeb33f03fff22e49cbf Fixed in 5.4.255 with commit 3f1368af47acf4d0b2a5fb0d2c0d6919d2234b6d Fixed in 5.10.192 with commit 4503f6fc95d6dee85fb2c54785848799e192c51c Fixed in 5.15.123 with commit 985f9666698960dfc87a106d6314203fa90fda75 Fixed in 6.1.42 with commit a6824149809395dfbb5bc36bc7057cc3cb84e56d Fixed in 6.4.7 with commit 4d50988da0db167aed6f38685145cb5cd526c4f8 Fixed in 6.5 with commit 028f6055c912588e6f72722d89c30b401bbcf013 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53165 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/udf/unicode.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/008ae78d1e12efa904dc819b1ec83e2bca6b2c56 https://git.kernel.org/stable/c/b37f998d357102e8eb0f8eeb33f03fff22e49cbf https://git.kernel.org/stable/c/3f1368af47acf4d0b2a5fb0d2c0d6919d2234b6d https://git.kernel.org/stable/c/4503f6fc95d6dee85fb2c54785848799e192c51c https://git.kernel.org/stable/c/985f9666698960dfc87a106d6314203fa90fda75 https://git.kernel.org/stable/c/a6824149809395dfbb5bc36bc7057cc3cb84e56d https://git.kernel.org/stable/c/4d50988da0db167aed6f38685145cb5cd526c4f8 https://git.kernel.org/stable/c/028f6055c912588e6f72722d89c30b401bbcf013
Powered by blists - more mailing lists