| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100128-CVE-2023-53506-2778@gregkh> Date: Wed, 1 Oct 2025 13:45:58 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53506: udf: Do not bother merging very long extents From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: udf: Do not bother merging very long extents When merging very long extents we try to push as much length as possible to the first extent. However this is unnecessarily complicated and not really worth the trouble. Furthermore there was a bug in the logic resulting in corrupting extents in the file as syzbot reproducer shows. So just don't bother with the merging of extents that are too long together. The Linux kernel CVE team has assigned CVE-2023-53506 to this issue. Affected and fixed versions =========================== Fixed in 4.14.308 with commit d52252a1de4cf96a34f722b0cd8902d8ff78eb57 Fixed in 4.19.276 with commit 5d029799d381a9ee06209a222cae75f04c5d5304 Fixed in 5.4.235 with commit 3d20e3b768aff32112bdce8d3219d923ae75f9f1 Fixed in 5.10.173 with commit 965982feb333aefa9256c0fe188b5f1b958aef63 Fixed in 5.15.99 with commit 9a8d602f0723586e668bae7e65c832ceb9bcc8bc Fixed in 6.1.16 with commit adac9ac6d2e04ea0782b91a00ba10706002f3ec4 Fixed in 6.2.3 with commit 7a965da79f2d22601f329cbfce588386b0847544 Fixed in 6.3 with commit 53cafe1d6d8ef9f93318e5bfccc0d24f27d41ced Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53506 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/udf/inode.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/d52252a1de4cf96a34f722b0cd8902d8ff78eb57 https://git.kernel.org/stable/c/5d029799d381a9ee06209a222cae75f04c5d5304 https://git.kernel.org/stable/c/3d20e3b768aff32112bdce8d3219d923ae75f9f1 https://git.kernel.org/stable/c/965982feb333aefa9256c0fe188b5f1b958aef63 https://git.kernel.org/stable/c/9a8d602f0723586e668bae7e65c832ceb9bcc8bc https://git.kernel.org/stable/c/adac9ac6d2e04ea0782b91a00ba10706002f3ec4 https://git.kernel.org/stable/c/7a965da79f2d22601f329cbfce588386b0847544 https://git.kernel.org/stable/c/53cafe1d6d8ef9f93318e5bfccc0d24f27d41ced
Powered by blists - more mailing lists