[SECURITY] [DSA 5096-1] linux security update (2/3)

    From Salvatore Bonaccorso@1:229/2 to All on Wed Mar 9 16:40:02 2022
    [continued from previous message]

    IOCTL in the XFS filesystem allowed for a size increase of files
    with unaligned size. A local attacker can take advantage of this
    flaw to leak data on the XFS filesystem.

    CVE-2021-4203

    Jann Horn reported a race condition in the local (Unix) sockets
    implementation that can lead to a use-after-free. A local user
    could exploit this to leak sensitive information from the kernel.

    CVE-2021-20317

    It was discovered that the timer queue structure could become
    corrupt, leading to waiting tasks never being woken up. A local
    user with certain privileges could exploit this to cause a denial
    of service (system hang).

    CVE-2021-20321

    A race condition was discovered in the overlayfs filesystem
    driver. A local user with access to an overlayfs mount and to its
    underlying upper directory could exploit this for privilege
    escalation.

    CVE-2021-20322

    An information leak was discovered in the IPv4 implementation. A
    remote attacker could exploit this to quickly discover which UDP
    ports a system is using, making it easier for them to carry out a
    DNS poisoning attack against that system.

    CVE-2021-22600

    The syzbot tool found a flaw in the packet socket (AF_PACKET)
    implementation which could lead to incorrectly freeing memory. A
    local user with CAP_NET_RAW capability (in any user namespace)
    could exploit this for denial of service (memory corruption or
    crash) or possibly for privilege escalation.

    CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 (XSA-391)

    Juergen Gross reported that malicious PV backends can cause a denial
    of service to guests being serviced by those backends via high
    frequency events, even if those backends are running in a less
    privileged environment.

    CVE-2021-28714, CVE-2021-28715 (XSA-392)

    Juergen Gross discovered that Xen guests can force the Linux
    netback driver to hog large amounts of kernel memory, resulting in
    denial of service.

    CVE-2021-38300

    Piotr Krysiuk discovered a flaw in the classic BPF (cBPF) JIT
    compiler for MIPS architectures. A local user could exploit
    this to execute arbitrary code in the kernel.

    This issue is mitigated by setting sysctl
    net.core.bpf_jit_enable=0, which is the default. It is *not*
    mitigated by disabling unprivileged use of eBPF.

    CVE-2021-39685

    Szymon Heidrich discovered a buffer overflow vulnerability in the
    USB gadget subsystem, resulting in information disclosure, denial of
    service or privilege escalation.

    CVE-2021-39686

    A race condition was discovered in the Android binder driver, that
    could lead to incorrect security checks. On systems where the
    binder driver is loaded, a local user could exploit this for
    privilege escalation.

    CVE-2021-39698

    Linus Torvalds reported a flaw in the file polling implementation,
    which could lead to a use-after-free. A local user could exploit
    this for denial of service (memory corruption or crash) or
    possibly for privilege escalation.

    CVE-2021-39713

    The syzbot tool found a race condition in the network scheduling
    subsystem which could lead to a use-after-free. A local user
    could exploit this for denial of service (memory corruption or
    crash) or possibly for privilege escalation.

    CVE-2021-41864

    An integer overflow was discovered in the Extended BPF (eBPF)
    subsystem. A local user could exploit this for denial of service
    (memory corruption or crash), or possibly for privilege
    escalation.

    This can be mitigated by setting sysctl
    kernel.unprivileged_bpf_disabled=1, which disables eBPF use by
    unprivileged users.

    CVE-2021-42739

    A heap buffer overflow was discovered in the firedtv driver for
    FireWire-connected DVB receivers. A local user with access to a
    firedtv device could exploit this for denial of service (memory
    corruption or crash), or possibly for privilege escalation.

    CVE-2021-43389

    The Active Defense Lab of Venustech discovered a flaw in the CMTP
    subsystem as used by Bluetooth, which could lead to an
    out-of-bounds read and object type confusion. A local user with
    CAP_NET_ADMIN capability in the initial user namespace could
    exploit this for denial of service (memory corruption or crash),
    or possibly for privilege escalation.

    CVE-2021-43975

    Brendan Dolan-Gavitt reported a flaw in the
    hw_atl_utils_fw_rpc_wait() function in the aQuantia AQtion ethernet
    device driver which can result in denial of service or the execution
    of arbitrary code.

    CVE-2021-43976

    Zekun Shen and Brendan Dolan-Gavitt discovered a flaw in the
    mwifiex_usb_recv() function of the Marvell WiFi-Ex USB Driver. An
    attacker able to connect a crafted USB device can take advantage of
    this flaw to cause a denial of service.

    CVE-2021-44733

    A race condition was discovered in the Trusted Execution
    Environment (TEE) subsystem for Arm processors, which could lead
    to a use-after-free. A local user permitted to access a TEE
    device could exploit this for denial of service (memory corruption
    or crash) or possibly for privilege escalation.

    CVE-2021-45095

    It was discovered that the Phone Network protocol (PhoNet) driver
    has a reference count leak in the pep_sock_accept() function.

    CVE-2021-45469

    Wenqing Liu reported an out-of-bounds memory access in the f2fs
    implementation if an inode has an invalid last xattr entry. An
    attacker able to mount a specially crafted image can take advantage
    of this flaw for denial of service.

    CVE-2021-45480

    A memory leak flaw was discovered in the __rds_conn_create()
    function in the RDS (Reliable Datagram Sockets) protocol subsystem.

    CVE-2022-0001 (INTEL-SA-00598)

    Researchers at VUSec discovered that the Branch History Buffer in
    Intel processors can be exploited to create information side-
    channels with speculative execution. This issue is similar to
    Spectre variant 2, but requires additional mitigations on some
    processors.

    This can be exploited to obtain sensitive information from a
    different security context, such as from user-space to the kernel,
    or from a KVM guest to the kernel.

    CVE-2022-0002 (INTEL-SA-00598)

    This is a similar issue to CVE-2022-0001, but covers exploitation
    within a security context, such as from JIT-compiled code in a
    sandbox to hosting code in the same process.

    This can be partly mitigated by disabling eBPF for unprivileged
    users with the sysctl: kernel.unprivileged_bpf_disabled=2. This
    update does that by default.
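The advisory names two sysctl settings as mitigations: net.core.bpf_jit_enable=0 (CVE-2021-38300) and kernel.unprivileged_bpf_disabled set to 1 or 2 (CVE-2021-41864 and CVE-2022-0002). The following POSIX shell script is an added example, not part of the DSA or of Debian's tooling; it reads both keys from /proc/sys and grades them against the values the advisory gives. The helper names (sysctl_path, read_sysctl, eval_bpf_jit, eval_unpriv_bpf, report) are assumptions made for this example. The grading is kept in pure functions so it can be checked with constructed values on a host where /proc/sys is not readable.

```shell
#!/bin/sh
# Added example (not part of DSA 5096-1): check the two BPF-related sysctl
# mitigations named in the advisory.
#   net.core.bpf_jit_enable=0          mitigates CVE-2021-38300 (cBPF JIT, MIPS)
#   kernel.unprivileged_bpf_disabled   1 mitigates CVE-2021-41864; the update
#                                      sets 2 for CVE-2022-0002
# Per the kernel's sysctl documentation, 1 and 2 both refuse bpf() to
# unprivileged callers; 1 cannot be cleared again without a reboot, 2 can.

# sysctl_path KEY -> prints the /proc/sys path for a dotted sysctl name
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# read_sysctl KEY -> prints the current value, or "unknown" if the key is
# absent or unreadable (e.g. inside a restricted container)
read_sysctl() {
    p=$(sysctl_path "$1")
    if [ -r "$p" ]; then
        cat "$p"
    else
        echo unknown
    fi
}

# eval_bpf_jit VALUE -> "ok" only for 0 (JIT off); 1 and 2 (JIT on, with or
# without debug dump) are "weak"; anything unreadable is "unknown"
eval_bpf_jit() {
    case "$1" in
        0) echo ok ;;
        unknown) echo unknown ;;
        *) echo weak ;;
    esac
}

# eval_unpriv_bpf VALUE -> "ok" for 1 or 2 (unprivileged bpf() refused),
# "weak" for 0 (allowed), "unknown" otherwise
eval_unpriv_bpf() {
    case "$1" in
        1|2) echo ok ;;
        0) echo weak ;;
        *) echo unknown ;;
    esac
}

# report -> one line per sysctl; returns 1 if any setting graded "weak"
report() {
    rc=0
    jit=$(read_sysctl net.core.bpf_jit_enable)
    unpriv=$(read_sysctl kernel.unprivileged_bpf_disabled)
    j=$(eval_bpf_jit "$jit")
    u=$(eval_unpriv_bpf "$unpriv")
    printf 'net.core.bpf_jit_enable=%s\t%s\n' "$jit" "$j"
    printf 'kernel.unprivileged_bpf_disabled=%s\t%s\n' "$unpriv" "$u"
    if [ "$j" = weak ]; then rc=1; fi
    if [ "$u" = weak ]; then rc=1; fi
    return $rc
}

# Run the check; a non-zero return means at least one mitigation is not set
# as the advisory recommends.
report || echo "at least one BPF mitigation is not set as recommended"
```

Running the script on an updated Debian host should show kernel.unprivileged_bpf_disabled=2 (the value this update sets by default). net.core.bpf_jit_enable is 0 by default on Debian kernels, so a value of 1 there is a locally changed setting worth investigating.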

    CVE-2022-0322

    Eiichi Tsukata discovered a flaw in the sctp_make_strreset_req()
    function in the SCTP network protocol implementation which can
    result in denial of service.

    CVE-2022-0330

    Sushma Venkatesh Reddy discovered a missing GPU TLB flush in the
    i915 driver, resulting in denial of service or privilege escalation.

    CVE-2022-0435

    Samuel Page and Eric Dumazet reported a stack overflow in the
    networking module for the Transparent Inter-Process Communication
    (TIPC) protocol, resulting in denial of service or potentially the
    execution of arbitrary code.

    CVE-2022-0487

    A use-after-free was discovered in the MOXART SD/MMC Host Controller
    support driver. This flaw does not impact the Debian binary packages

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)