Debian Linux-6.1 vulnerabilities

CVE-2024-49973 [MEDIUM] CVE-2024-49973: linux - In the Linux kernel, the following vulnerability has been resolved: r8169: add ... In the Linux kernel, the following vulnerability has been resolved: r8169: add tally counter fields added with RTL8125 RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only part

CVE-2024-49902 [MEDIUM] CVE-2024-49902: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: check ... In the Linux kernel, the following vulnerability has been resolved: jfs: check if leafidx greater than num leaves per dmap tree syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf. Shaggy: Modified sanity check to apply to control pages as well as leaf pages. Scope: loca

CVE-2024-56622 [MEDIUM] CVE-2024-56622: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ... In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: sysfs: Prevent div by zero Prevent a division by 0 when monitoring is not enabled. Scope: local bookworm: resolved (fixed in 6.1.123-1) bullseye: resolved forky: resolved (fixed in 6.12.5-1) sid: resolved (fixed in 6.12.5-1) trixie: resolved (fixed in 6.12.5-1)

CVE-2024-41098 [MEDIUM] CVE-2024-41098: linux - In the Linux kernel, the following vulnerability has been resolved: ata: libata... In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix null pointer dereference on error If the ata_port_alloc() call in ata_host_alloc() fails, ata_host_release() will get called. However, the code in ata_host_release() tries to free ata_port struct members unconditionally, which can lead to the following: BUG: unable to handle pa

CVE-2024-49907 [MEDIUM] CVE-2024-49907: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before using dc->clk_mgr [WHY & HOW] dc->clk_mgr is null checked previously in the same function, indicating it might be null. Passing "dc" to "dc->hwss.apply_idle_power_optimizations", which dereferences null "dc->clk_mgr". (The function pointer resolves to "dcn

CVE-2024-46752 [MEDIUM] CVE-2024-46752: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: repl... In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should

CVE-2024-36903 [MEDIUM] CVE-2024-36903: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix p... In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix potential uninit-value access in __ip6_make_skb() As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in __ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags instead of testing HDRINCL on the socket to avoid a race condition which causes uninit-value

CVE-2024-46794 [LOW] CVE-2024-46794: linux - In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fi... In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. I

CVE-2024-50044 [LOW] CVE-2024-50044: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change rfcomm_sk_state_change attempts to use sock_lock so it must never be called with it locked but rfcomm_sock_ioctl always attempt to lock it causing the following trace: ====================================================== WARNING: poss

CVE-2024-47738 [LOW] CVE-2024-47738: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80... In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't use rate mask for offchannel TX either Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for scanning"), ignore incorrect settings to avoid no supported rate warning reported by syzbot. The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211: fix d

CVE-2024-43841 [LOW] CVE-2024-43841: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: virt_... In the Linux kernel, the following vulnerability has been resolved: wifi: virt_wifi: avoid reporting connection success with wrong SSID When user issues a connection with a different SSID than the one virt_wifi has advertised, the __cfg80211_connect_result() will trigger the warning: WARN_ON(bss_not_found). The issue is because the connection code in virt_wifi does not

CVE-2024-50191 [MEDIUM] CVE-2024-50191: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: don't... In the Linux kernel, the following vulnerability has been resolved: ext4: don't set SB_RDONLY after filesystem errors When the filesystem is mounted with errors=remount-ro, we were setting SB_RDONLY flag to stop all filesystem modifications. We knew this misses proper locking (sb->s_umount) and does not go through proper filesystem remount procedure but it has been

CVE-2024-58077 [MEDIUM] CVE-2024-58077: linux - In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-p... In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback commit 1f5664351410 ("ASoC: lower "no backend DAIs enabled for ... Port" log severity") ignores -EINVAL error message on common soc_pcm_ret(). It is used from many functions, ignoring -EINVAL is over-kill. The reason why -EINVAL was ignored

CVE-2024-41027 [LOW] CVE-2024-41027: linux - In the Linux kernel, the following vulnerability has been resolved: Fix userfau... In the Linux kernel, the following vulnerability has been resolved: Fix userfaultfd_api to return EINVAL as expected Currently if we request a feature that is not set in the Kernel config we fail silently and return all the available features. However, the man page indicates we should return an EINVAL. We need to fix this issue since we can end up with a Kernel warning

CVE-2024-36331 [LOW] CVE-2024-36331: linux - Improper initialization of CPU cache memory could allow a privileged attacker wi... Improper initialization of CPU cache memory could allow a privileged attacker with hypervisor access to overwrite SEV-SNP guest memory resulting in loss of data integrity. Scope: local bookworm: resolved (fixed in 6.1.148-1) bullseye: open forky: resolved (fixed in 6.16.3-1) sid: resolved (fixed in 6.16.3-1) trixie: resolved (fixed in 6.12.43-1)

CVE-2024-41007 [LOW] CVE-2024-41007: linux - In the Linux kernel, the following vulnerability has been resolved: tcp: avoid ... In the Linux kernel, the following vulnerability has been resolved: tcp: avoid too many retransmit packets If a TCP socket is using TCP_USER_TIMEOUT, and the other peer retracted its window to zero, tcp_retransmit_timer() can retransmit a packet every two jiffies (2 ms for HZ=1000), for about 4 minutes after TCP_USER_TIMEOUT has 'expired'. The fix is to make sure tcp_r

CVE-2023-54285 [HIGH] CVE-2023-54285: linux - In the Linux kernel, the following vulnerability has been resolved: iomap: Fix ... In the Linux kernel, the following vulnerability has been resolved: iomap: Fix possible overflow condition in iomap_write_delalloc_scan folio_next_index() returns an unsigned long value which left shifted by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead use folio_pos(folio) + folio_size(folio), which does this correctly. Scope: local bookworm:

CVE-2023-45896 [HIGH] CVE-2023-45896: linux - ntfs3 in the Linux kernel through 6.8.0 allows a physically proximate attacker t... ntfs3 in the Linux kernel through 6.8.0 allows a physically proximate attacker to read kernel memory by mounting a filesystem (e.g., if a Linux distribution is configured to allow unprivileged mounts of removable media) and then leveraging local access to trigger an out-of-bounds read. A length value can be larger than the amount of memory allocated. NOTE: the supplie

CVE-2023-52916 [HIGH] CVE-2023-52916: linux - In the Linux kernel, the following vulnerability has been resolved: media: aspe... In the Linux kernel, the following vulnerability has been resolved: media: aspeed: Fix memory overwrite if timing is 1600x900 When capturing 1600x900, system could crash when system memory usage is tight. The way to reproduce this issue: 1. Use 1600x900 to display on host 2. Mount ISO through 'Virtual media' on OpenBMC's web 3. Run script as below on host to do sha co

CVE-2023-52926 [HIGH] CVE-2023-52926: linux - In the Linux kernel, the following vulnerability has been resolved: IORING_OP_R... In the Linux kernel, the following vulnerability has been resolved: IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED return). This can lead to a potential use-after-free when the completion via io_rw_done runs at separate context. Scope: local bookworm: resolved (fixed in 6.1.123-1) bulls