| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025123003-CVE-2023-54279-1dfa@gregkh> Date: Tue, 30 Dec 2025 13:20:45 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-54279: MIPS: fw: Allow firmware to pass a empty env From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: MIPS: fw: Allow firmware to pass a empty env fw_getenv will use env entry to determine style of env, however it is legal for firmware to just pass a empty list. Check if first entry exist before running strchr to avoid null pointer dereference. The Linux kernel CVE team has assigned CVE-2023-54279 to this issue. Affected and fixed versions =========================== Fixed in 4.14.315 with commit f334b31625683418aaa2a335470eec950a95a254 Fixed in 4.19.283 with commit 830181ddced5a05a711dc9da8043203b1f33a77e Fixed in 5.4.243 with commit 0f91290774c798199ba4b8df93de5c3156b5163d Fixed in 5.10.180 with commit 47e61cadc7a5f3dffd42d2d6fda81be163f1ab82 Fixed in 5.15.111 with commit 3ef93b7bd9e042db240843f24a80e14da38c6830 Fixed in 6.1.28 with commit a6b54af407873227caef6262e992f5422cdcb6ae Fixed in 6.2.15 with commit ad79828f133e98585ab2236cad04a55eb7141bbe Fixed in 6.3.2 with commit aeed787bbbbe1b842beec9a065a36c915226f704 Fixed in 6.4 with commit ee1809ed7bc456a72dc8410b475b73021a3a68d5 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-54279 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: arch/mips/fw/lib/cmdline.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/f334b31625683418aaa2a335470eec950a95a254 https://git.kernel.org/stable/c/830181ddced5a05a711dc9da8043203b1f33a77e https://git.kernel.org/stable/c/0f91290774c798199ba4b8df93de5c3156b5163d https://git.kernel.org/stable/c/47e61cadc7a5f3dffd42d2d6fda81be163f1ab82 https://git.kernel.org/stable/c/3ef93b7bd9e042db240843f24a80e14da38c6830 https://git.kernel.org/stable/c/a6b54af407873227caef6262e992f5422cdcb6ae https://git.kernel.org/stable/c/ad79828f133e98585ab2236cad04a55eb7141bbe https://git.kernel.org/stable/c/aeed787bbbbe1b842beec9a065a36c915226f704 https://git.kernel.org/stable/c/ee1809ed7bc456a72dc8410b475b73021a3a68d5
Powered by blists - more mailing lists