| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122426-CVE-2023-54054-292f@gregkh> Date: Wed, 24 Dec 2025 13:26:47 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-54054: scsi: qla2xxx: Fix buffer overrun From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix buffer overrun Klocwork warning: Buffer Overflow - Array Index Out of Bounds Driver uses fc_els_flogi to calculate size of buffer. The actual buffer is nested inside of fc_els_flogi which is smaller. Replace structure name to allow proper size calculation. The Linux kernel CVE team has assigned CVE-2023-54054 to this issue. Affected and fixed versions =========================== Fixed in 5.10.188 with commit eecb8a491c824a9376155d26ec95b6d0054c059c Fixed in 5.15.121 with commit 89250e775dcc4482d8e970ed92ad2c9458b14a8a Fixed in 6.1.40 with commit 2dddbf8de128289a3fb7ae38d9bc4b2217205ec1 Fixed in 6.4.5 with commit d5e7c9cd56e987c8687859a0bf38fd86aa8f3cec Fixed in 6.5 with commit b68710a8094fdffe8dd4f7a82c82649f479bb453 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-54054 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/scsi/qla2xxx/qla_init.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/eecb8a491c824a9376155d26ec95b6d0054c059c https://git.kernel.org/stable/c/89250e775dcc4482d8e970ed92ad2c9458b14a8a https://git.kernel.org/stable/c/2dddbf8de128289a3fb7ae38d9bc4b2217205ec1 https://git.kernel.org/stable/c/d5e7c9cd56e987c8687859a0bf38fd86aa8f3cec https://git.kernel.org/stable/c/b68710a8094fdffe8dd4f7a82c82649f479bb453
Powered by blists - more mailing lists