| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091556-CVE-2023-53179-eb55@gregkh> Date: Mon, 15 Sep 2025 16:02:33 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53179: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can lead to the use of wrong `CIDR_POS(c)` for calculating array offsets, which can lead to integer underflow. As a result, it leads to slab out-of-bound access. This patch adds back the IP_SET_HASH_WITH_NET0 macro to ip_set_hash_netportnet to address the issue. The Linux kernel CVE team has assigned CVE-2023-53179 to this issue. Affected and fixed versions =========================== Issue introduced in 4.14.84 with commit 0d5d0b5c41f766355f2b42c47d13ea001f754c7d and fixed in 4.14.326 with commit 7935b636dd693dfe4483cfef4a1e91366c8103fa Issue introduced in 4.19.5 with commit cb3e590df429ce151d5041884a4947099b8ad6a7 and fixed in 4.19.295 with commit e632d09dffc68b9602d6893a99bfe3001d36cefc Issue introduced in 4.20 with commit 886503f34d63e681662057448819edb5b1057a97 and fixed in 5.4.257 with commit 109e830585e89a03d554bf8ad0e668630d0a6260 Issue introduced in 4.20 with commit 886503f34d63e681662057448819edb5b1057a97 and fixed in 5.10.195 with commit 83091f8ac03f118086596f17c9a52d31d6ca94b3 Issue introduced in 4.20 with commit 886503f34d63e681662057448819edb5b1057a97 and fixed in 5.15.132 with commit a9e6142e5f8f6ac7d1bca45c1b2b13b084ea9e14 Issue introduced in 4.20 with commit 886503f34d63e681662057448819edb5b1057a97 and fixed in 6.1.53 with commit 7ca0706c68adadf86a36b60dca090f5e9481e808 Issue introduced in 4.20 with commit 886503f34d63e681662057448819edb5b1057a97 and fixed in 6.4.16 with commit d59b6fc405549f7caf31f6aa5da1d6bef746b166 Issue introduced in 4.20 with commit 886503f34d63e681662057448819edb5b1057a97 and fixed in 6.5.3 with commit d95c8420efe684b964e3aa28108e9a354bcd7225 Issue introduced in 4.20 with commit 886503f34d63e681662057448819edb5b1057a97 and fixed in 6.6 with commit 050d91c03b28ca479df13dfb02bcd2c60dd6a878 Issue introduced in 4.4.165 with commit 186642845b02e1a7944ef33c3a3ac41eba77517f Issue introduced in 4.9.141 with commit 919560afc21f91ca352a20394d5249aba1799690 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53179 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/netfilter/ipset/ip_set_hash_netportnet.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/7935b636dd693dfe4483cfef4a1e91366c8103fa https://git.kernel.org/stable/c/e632d09dffc68b9602d6893a99bfe3001d36cefc https://git.kernel.org/stable/c/109e830585e89a03d554bf8ad0e668630d0a6260 https://git.kernel.org/stable/c/83091f8ac03f118086596f17c9a52d31d6ca94b3 https://git.kernel.org/stable/c/a9e6142e5f8f6ac7d1bca45c1b2b13b084ea9e14 https://git.kernel.org/stable/c/7ca0706c68adadf86a36b60dca090f5e9481e808 https://git.kernel.org/stable/c/d59b6fc405549f7caf31f6aa5da1d6bef746b166 https://git.kernel.org/stable/c/d95c8420efe684b964e3aa28108e9a354bcd7225 https://git.kernel.org/stable/c/050d91c03b28ca479df13dfb02bcd2c60dd6a878
Powered by blists - more mailing lists