{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.15.0-130", "linux-headers-5.15.0-130-generic", "linux-image-5.15.0-130-generic", "linux-modules-5.15.0-130-generic" ], "removed": [ "linux-headers-5.15.0-127", "linux-headers-5.15.0-127-generic", "linux-image-5.15.0-127-generic", "linux-modules-5.15.0-127-generic" ], "diff": [ "bind9-dnsutils", "bind9-host", "bind9-libs", "cloud-init", "libgstreamer1.0-0", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual" ] } }, "diff": { "deb": [ { "name": "bind9-dnsutils", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.28-0ubuntu0.22.04.1", "version": "1:9.18.28-0ubuntu0.22.04.1" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.30-0ubuntu0.22.04.1", "version": "1:9.18.30-0ubuntu0.22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2073310 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release 9.18.30 (LP: #2073310)", " - Features:", " + Print initial working directory during named startup, and changed", " working directory when loading or reloading the configuration file", " + Add max-query-restarts configuration statement", " - Updates:", " + Restrain named to specified number of cores when running via taskset,", " cpuset, or numactl", " + Reduce default max-recursion-queries value from 100 to 32", " + Raise the log level of priming failures", " - Bug Fixes:", " + Fix privacy verification of EDDSA keys", " + Fix algorithm rollover bug when there are two keys with the same keytag", " + Return SERVFAIL for a too long CNAME chain", " + Reconfigure catz member zones during named reconfiguration", " + Update key lifetime and metadata after dnssec-policy reconfiguration", " + Fix generation of 6to4-self name expansion from IPv4 address", " + Fix invalid dig +yaml output", " + Reject zero-length ALPN during SVBC ALPN text parsing", " + Fix false QNAME minimisation error being reported", " + Fix dig +timeout argument when using +http", " - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional", " information.", "" ], "package": "bind9", "version": "1:9.18.30-0ubuntu0.22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2073310 ], "author": "Lena Voytek ", "date": "Mon, 23 Sep 2024 17:16:16 -0400" } ], "notes": null }, { "name": "bind9-host", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.28-0ubuntu0.22.04.1", "version": "1:9.18.28-0ubuntu0.22.04.1" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.30-0ubuntu0.22.04.1", "version": "1:9.18.30-0ubuntu0.22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2073310 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release 9.18.30 (LP: #2073310)", " - Features:", " + Print initial working directory during named startup, and changed", " working directory when loading or reloading the configuration file", " + Add max-query-restarts configuration statement", " - Updates:", " + Restrain named to specified number of cores when running via taskset,", " cpuset, or numactl", " + Reduce default max-recursion-queries value from 100 to 32", " + Raise the log level of priming failures", " - Bug Fixes:", " + Fix privacy verification of EDDSA keys", " + Fix algorithm rollover bug when there are two keys with the same keytag", " + Return SERVFAIL for a too long CNAME chain", " + Reconfigure catz member zones during named reconfiguration", " + Update key lifetime and metadata after dnssec-policy reconfiguration", " + Fix generation of 6to4-self name expansion from IPv4 address", " + Fix invalid dig +yaml output", " + Reject zero-length ALPN during SVBC ALPN text parsing", " + Fix false QNAME minimisation error being reported", " + Fix dig +timeout argument when using +http", " - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional", " information.", "" ], "package": "bind9", "version": "1:9.18.30-0ubuntu0.22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2073310 ], "author": "Lena Voytek ", "date": "Mon, 23 Sep 2024 17:16:16 -0400" } ], "notes": null }, { "name": "bind9-libs", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.28-0ubuntu0.22.04.1", "version": "1:9.18.28-0ubuntu0.22.04.1" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.30-0ubuntu0.22.04.1", "version": "1:9.18.30-0ubuntu0.22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2073310 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release 9.18.30 (LP: #2073310)", " - Features:", " + Print initial working directory during named startup, and changed", " working directory when loading or reloading the configuration file", " + Add max-query-restarts configuration statement", " - Updates:", " + Restrain named to specified number of cores when running via taskset,", " cpuset, or numactl", " + Reduce default max-recursion-queries value from 100 to 32", " + Raise the log level of priming failures", " - Bug Fixes:", " + Fix privacy verification of EDDSA keys", " + Fix algorithm rollover bug when there are two keys with the same keytag", " + Return SERVFAIL for a too long CNAME chain", " + Reconfigure catz member zones during named reconfiguration", " + Update key lifetime and metadata after dnssec-policy reconfiguration", " + Fix generation of 6to4-self name expansion from IPv4 address", " + Fix invalid dig +yaml output", " + Reject zero-length ALPN during SVBC ALPN text parsing", " + Fix false QNAME minimisation error being reported", " + Fix dig +timeout argument when using +http", " - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional", " information.", "" ], "package": "bind9", "version": "1:9.18.30-0ubuntu0.22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2073310 ], "author": "Lena Voytek ", "date": "Mon, 23 Sep 2024 17:16:16 -0400" } ], "notes": null }, { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "24.3.1-0ubuntu0~22.04.1", "version": "24.3.1-0ubuntu0~22.04.1" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "24.4-0ubuntu1~22.04.1", "version": "24.4-0ubuntu1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2089577 ], "changes": [ { "cves": [], "log": [ "", " * add d/p/grub-dpkg-support.patch", " - Revert the removal of grub-dpkg from default modules", " * refresh patches:", " - d/p/cli-retain-file-argument-as-main-cmd-arg.patch", " - d/p/expire-on-hashed-users.patch", " - d/p/keep-dhclient-as-priority-client.patch", " - d/p/no-nocloud-network.patch", " - d/p/no-single-process.patch", " - d/p/revert-551f560d-cloud-config-after-snap-seeding.patch", " - d/p/status-do-not-remove-duplicated-data.patch", " * Upstream snapshot based on 24.4. (LP: #2089577).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/24.4/ChangeLog", "" ], "package": "cloud-init", "version": "24.4-0ubuntu1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2089577 ], "author": "James Falcon ", "date": "Mon, 25 Nov 2024 11:51:07 -0600" } ], "notes": null }, { "name": "libgstreamer1.0-0", "from_version": { "source_package_name": "gstreamer1.0", "source_package_version": "1.20.3-0ubuntu1", "version": "1.20.3-0ubuntu1" }, "to_version": { "source_package_name": "gstreamer1.0", "source_package_version": "1.20.3-0ubuntu1.1", "version": "1.20.3-0ubuntu1.1" }, "cves": [ { "cve": "CVE-2024-47606", "url": "https://ubuntu.com/security/CVE-2024-47606", "cve_description": "GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.", "cve_priority": "medium", "cve_public_date": "2024-12-12 02:03:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-47606", "url": "https://ubuntu.com/security/CVE-2024-47606", "cve_description": "GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.", "cve_priority": "medium", "cve_public_date": "2024-12-12 02:03:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: code exec via integer overflow", " - debian/patches/CVE-2024-47606.patch: avoid integer overflow when", " allocating sysmem in gst/gstallocator.c.", " - CVE-2024-47606", "" ], "package": "gstreamer1.0", "version": "1.20.3-0ubuntu1.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 17 Dec 2024 07:54:32 -0500" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.127.126", "version": "5.15.0.127.126" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.130.128", "version": "5.15.0.130.128" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-130", "" ], "package": "linux-meta", "version": "5.15.0.130.128", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Mehmet Basaran ", "date": "Wed, 18 Dec 2024 20:36:48 +0300" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-128", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-meta", "version": "5.15.0.128.127", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Sat, 30 Nov 2024 20:09:17 +0100" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.127.126", "version": "5.15.0.127.126" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.130.128", "version": "5.15.0.130.128" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-130", "" ], "package": "linux-meta", "version": "5.15.0.130.128", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Mehmet Basaran ", "date": "Wed, 18 Dec 2024 20:36:48 +0300" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-128", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-meta", "version": "5.15.0.128.127", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Sat, 30 Nov 2024 20:09:17 +0100" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.127.126", "version": "5.15.0.127.126" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.130.128", "version": "5.15.0.130.128" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-130", "" ], "package": "linux-meta", "version": "5.15.0.130.128", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Mehmet Basaran ", "date": "Wed, 18 Dec 2024 20:36:48 +0300" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-128", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-meta", "version": "5.15.0.128.127", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Sat, 30 Nov 2024 20:09:17 +0100" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.127.126", "version": "5.15.0.127.126" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.130.128", "version": "5.15.0.130.128" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-130", "" ], "package": "linux-meta", "version": "5.15.0.130.128", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Mehmet Basaran ", "date": "Wed, 18 Dec 2024 20:36:48 +0300" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-128", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", "" ], "package": "linux-meta", "version": "5.15.0.128.127", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Sat, 30 Nov 2024 20:09:17 +0100" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-130", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-127.137", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-130.140", "version": "5.15.0-130.140" }, "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-43904", "url": "https://ubuntu.com/security/CVE-2024-43904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing This commit adds null checks for the 'stream' and 'plane' variables in the dcn30_apply_idle_power_optimizations function. These variables were previously assumed to be null at line 922, but they were used later in the code without checking if they were null. This could potentially lead to a null pointer dereference, which would cause a crash. The null checks ensure that 'stream' and 'plane' are not null before they are used, preventing potential crashes. Fixes the below static smatch checker: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", "cve_priority": "medium", "cve_public_date": "2024-08-26 11:15:00 UTC" }, { "cve": "CVE-2024-40973", "url": "https://ubuntu.com/security/CVE-2024-40973", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: mtk-vcodec: potential null pointer deference in SCP The return value of devm_kzalloc() needs to be checked to avoid NULL pointer deference. This is similar to CVE-2022-3113.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38553", "url": "https://ubuntu.com/security/CVE-2024-38553", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid deadlocks\"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26822", "url": "https://ubuntu.com/security/CVE-2024-26822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: set correct id, uid and cruid for multiuser automounts When uid, gid and cruid are not specified, we need to dynamically set them into the filesystem context used for automounting otherwise they'll end up reusing the values from the parent mount.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2020-12351", "url": "https://ubuntu.com/security/CVE-2020-12351", "cve_description": "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.", "cve_priority": "high", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-12352", "url": "https://ubuntu.com/security/CVE-2020-12352", "cve_description": "Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.", "cve_priority": "medium", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-24490", "url": "https://ubuntu.com/security/CVE-2020-24490", "cve_description": "Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.", "cve_priority": "medium", "cve_public_date": "2021-02-02 22:15:00 UTC" }, { "cve": "CVE-2024-40910", "url": "https://ubuntu.com/security/CVE-2024-40910", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-35963", "url": "https://ubuntu.com/security/CVE-2024-35963", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35965", "url": "https://ubuntu.com/security/CVE-2024-35965", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35966", "url": "https://ubuntu.com/security/CVE-2024-35966", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: Fix not validating setsockopt user input syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35967", "url": "https://ubuntu.com/security/CVE-2024-35967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix not validating setsockopt user input syzbot reported sco_sock_setsockopt() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893 Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2092132, 2091990, 2090163 ], "changes": [ { "cves": [], "log": [ "", " * jammy/linux: 5.15.0-130.140 -proposed tracker (LP: #2092132)", "", " * ovs/linuxbridge jobs running on ubuntu jammy broken with latest kernel", " 5.15.0-127.137 (LP: #2091990)", " - netfilter: xtables: fix typo causing some targets not to load on IPv6", "" ], "package": "linux", "version": "5.15.0-130.140", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2092132, 2091990 ], "author": "Mehmet Basaran ", "date": "Wed, 18 Dec 2024 20:19:08 +0300" }, { "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-43904", "url": "https://ubuntu.com/security/CVE-2024-43904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing This commit adds null checks for the 'stream' and 'plane' variables in the dcn30_apply_idle_power_optimizations function. These variables were previously assumed to be null at line 922, but they were used later in the code without checking if they were null. This could potentially lead to a null pointer dereference, which would cause a crash. The null checks ensure that 'stream' and 'plane' are not null before they are used, preventing potential crashes. Fixes the below static smatch checker: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", "cve_priority": "medium", "cve_public_date": "2024-08-26 11:15:00 UTC" }, { "cve": "CVE-2024-40973", "url": "https://ubuntu.com/security/CVE-2024-40973", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: mtk-vcodec: potential null pointer deference in SCP The return value of devm_kzalloc() needs to be checked to avoid NULL pointer deference. This is similar to CVE-2022-3113.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38553", "url": "https://ubuntu.com/security/CVE-2024-38553", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid deadlocks\"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26822", "url": "https://ubuntu.com/security/CVE-2024-26822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: set correct id, uid and cruid for multiuser automounts When uid, gid and cruid are not specified, we need to dynamically set them into the filesystem context used for automounting otherwise they'll end up reusing the values from the parent mount.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2020-12351", "url": "https://ubuntu.com/security/CVE-2020-12351", "cve_description": "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.", "cve_priority": "high", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-12352", "url": "https://ubuntu.com/security/CVE-2020-12352", "cve_description": "Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.", "cve_priority": "medium", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-24490", "url": "https://ubuntu.com/security/CVE-2020-24490", "cve_description": "Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.", "cve_priority": "medium", "cve_public_date": "2021-02-02 22:15:00 UTC" }, { "cve": "CVE-2024-40910", "url": "https://ubuntu.com/security/CVE-2024-40910", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-35963", "url": "https://ubuntu.com/security/CVE-2024-35963", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35965", "url": "https://ubuntu.com/security/CVE-2024-35965", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35966", "url": "https://ubuntu.com/security/CVE-2024-35966", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: Fix not validating setsockopt user input syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35967", "url": "https://ubuntu.com/security/CVE-2024-35967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix not validating setsockopt user input syzbot reported sco_sock_setsockopt() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893 Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-128.138 -proposed tracker (LP: #2090163)", "", " * CVE-2024-50264", " - vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans", "", " * CVE-2024-53057", " - net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", "", " * CVE-2024-43904", " - drm/amd/display: Add null checks for 'stream' and 'plane' before", " dereferencing", "", " * CVE-2024-40973", " - media: mtk-vcodec: potential null pointer deference in SCP", "", " * CVE-2024-38553", " - net: fec: remove .ndo_poll_controller to avoid deadlocks", "", " * CVE-2024-26822", " - smb: client: set correct id, uid and cruid for multiuser automounts", "", " * CVE-2020-12351 // CVE-2020-12352 // CVE-2020-24490", " - [Config] Disable BlueZ highspeed support", "", " * CVE-2024-40910", " - ax25: Fix refcount imbalance on inbound connections", "", " * CVE-2024-35963", " - Bluetooth: hci_sock: Fix not validating setsockopt user input", "", " * CVE-2024-35965", " - Bluetooth: L2CAP: Fix not validating setsockopt user input", "", " * CVE-2024-35966", " - Bluetooth: RFCOMM: Fix not validating setsockopt user input", "", " * CVE-2024-35967", " - Bluetooth: SCO: Fix not validating setsockopt user input", "" ], "package": "linux", "version": "5.15.0-128.138", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2090163 ], "author": "Manuel Diewald ", "date": "Sat, 30 Nov 2024 19:12:45 +0100" } ], "notes": "linux-headers-5.15.0-130 version '5.15.0-130.140' (source package linux version '5.15.0-130.140') was added. linux-headers-5.15.0-130 version '5.15.0-130.140' has the same source package name, linux, as removed package linux-headers-5.15.0-127. As such we can use the source package version of the removed package, '5.15.0-127.137', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.15.0-130-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-127.137", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-130.140", "version": "5.15.0-130.140" }, "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-43904", "url": "https://ubuntu.com/security/CVE-2024-43904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing This commit adds null checks for the 'stream' and 'plane' variables in the dcn30_apply_idle_power_optimizations function. These variables were previously assumed to be null at line 922, but they were used later in the code without checking if they were null. This could potentially lead to a null pointer dereference, which would cause a crash. The null checks ensure that 'stream' and 'plane' are not null before they are used, preventing potential crashes. Fixes the below static smatch checker: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", "cve_priority": "medium", "cve_public_date": "2024-08-26 11:15:00 UTC" }, { "cve": "CVE-2024-40973", "url": "https://ubuntu.com/security/CVE-2024-40973", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: mtk-vcodec: potential null pointer deference in SCP The return value of devm_kzalloc() needs to be checked to avoid NULL pointer deference. This is similar to CVE-2022-3113.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38553", "url": "https://ubuntu.com/security/CVE-2024-38553", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid deadlocks\"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26822", "url": "https://ubuntu.com/security/CVE-2024-26822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: set correct id, uid and cruid for multiuser automounts When uid, gid and cruid are not specified, we need to dynamically set them into the filesystem context used for automounting otherwise they'll end up reusing the values from the parent mount.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2020-12351", "url": "https://ubuntu.com/security/CVE-2020-12351", "cve_description": "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.", "cve_priority": "high", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-12352", "url": "https://ubuntu.com/security/CVE-2020-12352", "cve_description": "Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.", "cve_priority": "medium", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-24490", "url": "https://ubuntu.com/security/CVE-2020-24490", "cve_description": "Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.", "cve_priority": "medium", "cve_public_date": "2021-02-02 22:15:00 UTC" }, { "cve": "CVE-2024-40910", "url": "https://ubuntu.com/security/CVE-2024-40910", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-35963", "url": "https://ubuntu.com/security/CVE-2024-35963", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35965", "url": "https://ubuntu.com/security/CVE-2024-35965", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35966", "url": "https://ubuntu.com/security/CVE-2024-35966", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: Fix not validating setsockopt user input syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35967", "url": "https://ubuntu.com/security/CVE-2024-35967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix not validating setsockopt user input syzbot reported sco_sock_setsockopt() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893 Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2092132, 2091990, 2090163 ], "changes": [ { "cves": [], "log": [ "", " * jammy/linux: 5.15.0-130.140 -proposed tracker (LP: #2092132)", "", " * ovs/linuxbridge jobs running on ubuntu jammy broken with latest kernel", " 5.15.0-127.137 (LP: #2091990)", " - netfilter: xtables: fix typo causing some targets not to load on IPv6", "" ], "package": "linux", "version": "5.15.0-130.140", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2092132, 2091990 ], "author": "Mehmet Basaran ", "date": "Wed, 18 Dec 2024 20:19:08 +0300" }, { "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-43904", "url": "https://ubuntu.com/security/CVE-2024-43904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing This commit adds null checks for the 'stream' and 'plane' variables in the dcn30_apply_idle_power_optimizations function. These variables were previously assumed to be null at line 922, but they were used later in the code without checking if they were null. This could potentially lead to a null pointer dereference, which would cause a crash. The null checks ensure that 'stream' and 'plane' are not null before they are used, preventing potential crashes. Fixes the below static smatch checker: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", "cve_priority": "medium", "cve_public_date": "2024-08-26 11:15:00 UTC" }, { "cve": "CVE-2024-40973", "url": "https://ubuntu.com/security/CVE-2024-40973", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: mtk-vcodec: potential null pointer deference in SCP The return value of devm_kzalloc() needs to be checked to avoid NULL pointer deference. This is similar to CVE-2022-3113.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38553", "url": "https://ubuntu.com/security/CVE-2024-38553", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid deadlocks\"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26822", "url": "https://ubuntu.com/security/CVE-2024-26822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: set correct id, uid and cruid for multiuser automounts When uid, gid and cruid are not specified, we need to dynamically set them into the filesystem context used for automounting otherwise they'll end up reusing the values from the parent mount.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2020-12351", "url": "https://ubuntu.com/security/CVE-2020-12351", "cve_description": "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.", "cve_priority": "high", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-12352", "url": "https://ubuntu.com/security/CVE-2020-12352", "cve_description": "Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.", "cve_priority": "medium", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-24490", "url": "https://ubuntu.com/security/CVE-2020-24490", "cve_description": "Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.", "cve_priority": "medium", "cve_public_date": "2021-02-02 22:15:00 UTC" }, { "cve": "CVE-2024-40910", "url": "https://ubuntu.com/security/CVE-2024-40910", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-35963", "url": "https://ubuntu.com/security/CVE-2024-35963", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35965", "url": "https://ubuntu.com/security/CVE-2024-35965", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35966", "url": "https://ubuntu.com/security/CVE-2024-35966", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: Fix not validating setsockopt user input syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35967", "url": "https://ubuntu.com/security/CVE-2024-35967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix not validating setsockopt user input syzbot reported sco_sock_setsockopt() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893 Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-128.138 -proposed tracker (LP: #2090163)", "", " * CVE-2024-50264", " - vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans", "", " * CVE-2024-53057", " - net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", "", " * CVE-2024-43904", " - drm/amd/display: Add null checks for 'stream' and 'plane' before", " dereferencing", "", " * CVE-2024-40973", " - media: mtk-vcodec: potential null pointer deference in SCP", "", " * CVE-2024-38553", " - net: fec: remove .ndo_poll_controller to avoid deadlocks", "", " * CVE-2024-26822", " - smb: client: set correct id, uid and cruid for multiuser automounts", "", " * CVE-2020-12351 // CVE-2020-12352 // CVE-2020-24490", " - [Config] Disable BlueZ highspeed support", "", " * CVE-2024-40910", " - ax25: Fix refcount imbalance on inbound connections", "", " * CVE-2024-35963", " - Bluetooth: hci_sock: Fix not validating setsockopt user input", "", " * CVE-2024-35965", " - Bluetooth: L2CAP: Fix not validating setsockopt user input", "", " * CVE-2024-35966", " - Bluetooth: RFCOMM: Fix not validating setsockopt user input", "", " * CVE-2024-35967", " - Bluetooth: SCO: Fix not validating setsockopt user input", "" ], "package": "linux", "version": "5.15.0-128.138", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2090163 ], "author": "Manuel Diewald ", "date": "Sat, 30 Nov 2024 19:12:45 +0100" } ], "notes": "linux-headers-5.15.0-130-generic version '5.15.0-130.140' (source package linux version '5.15.0-130.140') was added. linux-headers-5.15.0-130-generic version '5.15.0-130.140' has the same source package name, linux, as removed package linux-headers-5.15.0-127. As such we can use the source package version of the removed package, '5.15.0-127.137', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.15.0-130-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-127.137", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-130.140", "version": "5.15.0-130.140" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-130.140", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-130.140", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Mehmet Basaran ", "date": "Wed, 18 Dec 2024 20:38:31 +0300" }, { "cves": [], "log": [ "", " * Main version: 5.15.0-128.138", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-128.138", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Sat, 30 Nov 2024 20:09:27 +0100" } ], "notes": "linux-image-5.15.0-130-generic version '5.15.0-130.140' (source package linux-signed version '5.15.0-130.140') was added. linux-image-5.15.0-130-generic version '5.15.0-130.140' has the same source package name, linux-signed, as removed package linux-image-5.15.0-127-generic. As such we can use the source package version of the removed package, '5.15.0-127.137', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.15.0-130-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-127.137", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-130.140", "version": "5.15.0-130.140" }, "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-43904", "url": "https://ubuntu.com/security/CVE-2024-43904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing This commit adds null checks for the 'stream' and 'plane' variables in the dcn30_apply_idle_power_optimizations function. These variables were previously assumed to be null at line 922, but they were used later in the code without checking if they were null. This could potentially lead to a null pointer dereference, which would cause a crash. The null checks ensure that 'stream' and 'plane' are not null before they are used, preventing potential crashes. Fixes the below static smatch checker: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", "cve_priority": "medium", "cve_public_date": "2024-08-26 11:15:00 UTC" }, { "cve": "CVE-2024-40973", "url": "https://ubuntu.com/security/CVE-2024-40973", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: mtk-vcodec: potential null pointer deference in SCP The return value of devm_kzalloc() needs to be checked to avoid NULL pointer deference. This is similar to CVE-2022-3113.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38553", "url": "https://ubuntu.com/security/CVE-2024-38553", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid deadlocks\"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26822", "url": "https://ubuntu.com/security/CVE-2024-26822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: set correct id, uid and cruid for multiuser automounts When uid, gid and cruid are not specified, we need to dynamically set them into the filesystem context used for automounting otherwise they'll end up reusing the values from the parent mount.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2020-12351", "url": "https://ubuntu.com/security/CVE-2020-12351", "cve_description": "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.", "cve_priority": "high", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-12352", "url": "https://ubuntu.com/security/CVE-2020-12352", "cve_description": "Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.", "cve_priority": "medium", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-24490", "url": "https://ubuntu.com/security/CVE-2020-24490", "cve_description": "Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.", "cve_priority": "medium", "cve_public_date": "2021-02-02 22:15:00 UTC" }, { "cve": "CVE-2024-40910", "url": "https://ubuntu.com/security/CVE-2024-40910", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-35963", "url": "https://ubuntu.com/security/CVE-2024-35963", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35965", "url": "https://ubuntu.com/security/CVE-2024-35965", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35966", "url": "https://ubuntu.com/security/CVE-2024-35966", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: Fix not validating setsockopt user input syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35967", "url": "https://ubuntu.com/security/CVE-2024-35967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix not validating setsockopt user input syzbot reported sco_sock_setsockopt() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893 Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2092132, 2091990, 2090163 ], "changes": [ { "cves": [], "log": [ "", " * jammy/linux: 5.15.0-130.140 -proposed tracker (LP: #2092132)", "", " * ovs/linuxbridge jobs running on ubuntu jammy broken with latest kernel", " 5.15.0-127.137 (LP: #2091990)", " - netfilter: xtables: fix typo causing some targets not to load on IPv6", "" ], "package": "linux", "version": "5.15.0-130.140", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2092132, 2091990 ], "author": "Mehmet Basaran ", "date": "Wed, 18 Dec 2024 20:19:08 +0300" }, { "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-43904", "url": "https://ubuntu.com/security/CVE-2024-43904", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing This commit adds null checks for the 'stream' and 'plane' variables in the dcn30_apply_idle_power_optimizations function. These variables were previously assumed to be null at line 922, but they were used later in the code without checking if they were null. This could potentially lead to a null pointer dereference, which would cause a crash. The null checks ensure that 'stream' and 'plane' are not null before they are used, preventing potential crashes. Fixes the below static smatch checker: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)", "cve_priority": "medium", "cve_public_date": "2024-08-26 11:15:00 UTC" }, { "cve": "CVE-2024-40973", "url": "https://ubuntu.com/security/CVE-2024-40973", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: mtk-vcodec: potential null pointer deference in SCP The return value of devm_kzalloc() needs to be checked to avoid NULL pointer deference. This is similar to CVE-2022-3113.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-38553", "url": "https://ubuntu.com/security/CVE-2024-38553", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid deadlocks\"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-26822", "url": "https://ubuntu.com/security/CVE-2024-26822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: set correct id, uid and cruid for multiuser automounts When uid, gid and cruid are not specified, we need to dynamically set them into the filesystem context used for automounting otherwise they'll end up reusing the values from the parent mount.", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2020-12351", "url": "https://ubuntu.com/security/CVE-2020-12351", "cve_description": "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.", "cve_priority": "high", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-12352", "url": "https://ubuntu.com/security/CVE-2020-12352", "cve_description": "Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.", "cve_priority": "medium", "cve_public_date": "2020-11-23 17:15:00 UTC" }, { "cve": "CVE-2020-24490", "url": "https://ubuntu.com/security/CVE-2020-24490", "cve_description": "Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.", "cve_priority": "medium", "cve_public_date": "2021-02-02 22:15:00 UTC" }, { "cve": "CVE-2024-40910", "url": "https://ubuntu.com/security/CVE-2024-40910", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-35963", "url": "https://ubuntu.com/security/CVE-2024-35963", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35965", "url": "https://ubuntu.com/security/CVE-2024-35965", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix not validating setsockopt user input Check user input length before copying data.", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35966", "url": "https://ubuntu.com/security/CVE-2024-35966", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: Fix not validating setsockopt user input syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" }, { "cve": "CVE-2024-35967", "url": "https://ubuntu.com/security/CVE-2024-35967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix not validating setsockopt user input syzbot reported sco_sock_setsockopt() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893 Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", "cve_priority": "medium", "cve_public_date": "2024-05-20 10:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-128.138 -proposed tracker (LP: #2090163)", "", " * CVE-2024-50264", " - vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans", "", " * CVE-2024-53057", " - net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", "", " * CVE-2024-43904", " - drm/amd/display: Add null checks for 'stream' and 'plane' before", " dereferencing", "", " * CVE-2024-40973", " - media: mtk-vcodec: potential null pointer deference in SCP", "", " * CVE-2024-38553", " - net: fec: remove .ndo_poll_controller to avoid deadlocks", "", " * CVE-2024-26822", " - smb: client: set correct id, uid and cruid for multiuser automounts", "", " * CVE-2020-12351 // CVE-2020-12352 // CVE-2020-24490", " - [Config] Disable BlueZ highspeed support", "", " * CVE-2024-40910", " - ax25: Fix refcount imbalance on inbound connections", "", " * CVE-2024-35963", " - Bluetooth: hci_sock: Fix not validating setsockopt user input", "", " * CVE-2024-35965", " - Bluetooth: L2CAP: Fix not validating setsockopt user input", "", " * CVE-2024-35966", " - Bluetooth: RFCOMM: Fix not validating setsockopt user input", "", " * CVE-2024-35967", " - Bluetooth: SCO: Fix not validating setsockopt user input", "" ], "package": "linux", "version": "5.15.0-128.138", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2090163 ], "author": "Manuel Diewald ", "date": "Sat, 30 Nov 2024 19:12:45 +0100" } ], "notes": "linux-modules-5.15.0-130-generic version '5.15.0-130.140' (source package linux version '5.15.0-130.140') was added. linux-modules-5.15.0-130-generic version '5.15.0-130.140' has the same source package name, linux, as removed package linux-headers-5.15.0-127. As such we can use the source package version of the removed package, '5.15.0-127.137', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-127", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-127.137", "version": "5.15.0-127.137" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.15.0-127-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-127.137", "version": "5.15.0-127.137" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.15.0-127-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-127.137", "version": "5.15.0-127.137" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.15.0-127-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-127.137", "version": "5.15.0-127.137" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20241217 to 20250108", "from_series": "jammy", "to_series": "jammy", "from_serial": "20241217", "to_serial": "20250108", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }