Date: Fri, 10 May 2024 12:12:46 +0900
From: Dominique Martinet <asmadeus@...ewreck.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: CVE-2022-48655: firmware: arm_scmi: Harden accesses to the reset
 domains

meta-question: I've had a look at Documentation/process/cve.rst and
while it describes how to report newly fixed issues, it doesn't describe
how to add information to already submitted CVEs.

For some reason one of our customers saw this CVE through some news
outlet and asked us if they were vulnerable (NVD flags this as
high[1]...); so I had a quick look at the minimum version that could be
updated for everyone.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-48655

I can submit an edit as a patch to vulns.git json, but this doesn't seem
overly important so for now a mail will probably do.

Greg Kroah-Hartman wrote on Sun, Apr 28, 2024 at 03:05:16PM +0200:
> Affected and fixed versions
> ===========================
> 
> 	Fixed in 5.15.71 with commit 1f08a1b26cfc
> 	Fixed in 5.19.12 with commit 8e65edf0d376
> 	Fixed in 6.0 with commit e9076ffbcaed

These commits lacked a Fixes tag, so this CVE does not have a minimum
version.

From a quick look it would seem it fixes arm_scmi from the addition of
scmi_domain_reset() in 95a15d80aa0d ("firmware: arm_scmi: Add RESET
protocol in SCMI v2.0"), which first appeared in v5.4-rc1, and does not
appear to have been backported to older kernels, so v5.4+ can be added
as a requirement.

This means the current 5.4/5.10 trees are affected; the commit doesn't
backport cleanly because of a trivial context conflict, so I can send a
couple of stable patches if that helps, even if our systems
are not using arm_scmi (CVEs also don't have any way of expressing
whether the affected driver is used (or even built) at all, so I guess
people with affected versions will have to check that themselves...)

Thanks,
-- 
Dominique Martinet | Asmadeus
