Chiencc / asuswrt-gt-ac5300

asuswrt-gt-ac5300
Other
0 stars 0 forks source link

linux-yocto-devv2.6.34.10: 5 vulnerabilities (highest severity is: 7.8) - autoclosed #44

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - linux-yocto-devv2.6.34.10

Linux Embedded Kernel - tracks the next mainline release

Library home page: https://git.yoctoproject.org/git/linux-yocto-dev

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Vulnerable Source Files (1)

/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/crypto/cryptd.c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (linux-yocto-devv2.6.34.10 version) Remediation Available
CVE-2018-17182 High 7.8 linux-yocto-devv2.6.34.10 Direct v4.19-rc4
CVE-2011-2484 Medium 6.2 linux-yocto-devv2.6.34.10 Direct kernel-headers - 2.6.32-131.17.1,2.6.18-274.7.1,2.6.32-131.17.1;kernel-debuginfo-common-x86_64 - 2.6.32-131.17.1;kernel-PAE - 2.6.18-274.7.1;kernel-doc - 2.6.18-274.7.1,2.6.32-131.17.1;kernel-xen - 2.6.18-274.7.1,2.6.18-274.7.1;kernel-PAE-devel - 2.6.18-274.7.1;perf - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debuginfo - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debug-devel - 2.6.18-274.7.1,2.6.32-131.17.1,2.6.32-131.17.1,2.6.18-274.7.1;perf-debuginfo - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debug-debuginfo - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debug - 2.6.32-131.17.1,2.6.32-131.17.1,2.6.18-274.7.1,2.6.18-274.7.1;kernel-devel - 2.6.32-131.17.1,2.6.32-131.17.1,2.6.18-274.7.1,2.6.18-274.7.1;kernel-firmware - 2.6.32-131.17.1;kernel - 2.6.18-274.7.1,2.6.32-131.17.1,2.6.18-274.7.1,2.6.18-274.7.1,2.6.32-131.17.1,2.6.32-131.17.1;kernel-xen-devel - 2.6.18-274.7.1,2.6.18-274.7.1;kernel-debuginfo-common-i686 - 2.6.32-131.17.1;kernel-headers - 2.6.18-274.7.1
CVE-2014-9644 Medium 4.0 linux-yocto-devv2.6.34.10 Direct 3.18.5
CVE-2011-2494 Medium 4.0 linux-yocto-devv2.6.34.10 Direct 3.1
CVE-2014-4652 Low 2.9 linux-yocto-devv2.6.34.10 Direct 3.15.2

Details

CVE-2018-17182 ### Vulnerable Library - linux-yocto-devv2.6.34.10

Linux Embedded Kernel - tracks the next mainline release

Library home page: https://git.yoctoproject.org/git/linux-yocto-dev

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/mm_types.h /release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/mm_types.h /release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/mm_types.h

### Vulnerability Details

An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.

Publish Date: 2018-09-19

URL: CVE-2018-17182

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17182

Release Date: 2018-09-19

Fix Resolution: v4.19-rc4

CVE-2011-2484 ### Vulnerable Library - linux-yocto-devv2.6.34.10

Linux Embedded Kernel - tracks the next mainline release

Library home page: https://git.yoctoproject.org/git/linux-yocto-dev

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/kernel/taskstats.c /release/src-rt-7.14.114.x/src/linux/linux-2.6.36/kernel/taskstats.c /release/src-rt-7.14.114.x/src/linux/linux-2.6.36/kernel/taskstats.c

### Vulnerability Details

The add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not prevent multiple registrations of exit handlers, which allows local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.

Publish Date: 2011-06-24

URL: CVE-2011-2484

### CVSS 3 Score Details (6.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-2484

Release Date: 2011-06-24

Fix Resolution: kernel-headers - 2.6.32-131.17.1,2.6.18-274.7.1,2.6.32-131.17.1;kernel-debuginfo-common-x86_64 - 2.6.32-131.17.1;kernel-PAE - 2.6.18-274.7.1;kernel-doc - 2.6.18-274.7.1,2.6.32-131.17.1;kernel-xen - 2.6.18-274.7.1,2.6.18-274.7.1;kernel-PAE-devel - 2.6.18-274.7.1;perf - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debuginfo - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debug-devel - 2.6.18-274.7.1,2.6.32-131.17.1,2.6.32-131.17.1,2.6.18-274.7.1;perf-debuginfo - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debug-debuginfo - 2.6.32-131.17.1,2.6.32-131.17.1;kernel-debug - 2.6.32-131.17.1,2.6.32-131.17.1,2.6.18-274.7.1,2.6.18-274.7.1;kernel-devel - 2.6.32-131.17.1,2.6.32-131.17.1,2.6.18-274.7.1,2.6.18-274.7.1;kernel-firmware - 2.6.32-131.17.1;kernel - 2.6.18-274.7.1,2.6.32-131.17.1,2.6.18-274.7.1,2.6.18-274.7.1,2.6.32-131.17.1,2.6.32-131.17.1;kernel-xen-devel - 2.6.18-274.7.1,2.6.18-274.7.1;kernel-debuginfo-common-i686 - 2.6.32-131.17.1;kernel-headers - 2.6.18-274.7.1

CVE-2014-9644 ### Vulnerable Library - linux-yocto-devv2.6.34.10

Linux Embedded Kernel - tracks the next mainline release

Library home page: https://git.yoctoproject.org/git/linux-yocto-dev

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (1)

/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/crypto/cryptd.c

### Vulnerability Details

The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.

Publish Date: 2015-03-02

URL: CVE-2014-9644

### CVSS 3 Score Details (4.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-9644

Release Date: 2015-03-02

Fix Resolution: 3.18.5

CVE-2011-2494 ### Vulnerable Library - linux-yocto-devv2.6.34.10

Linux Embedded Kernel - tracks the next mainline release

Library home page: https://git.yoctoproject.org/git/linux-yocto-dev

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (1)

/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/kernel/taskstats.c

### Vulnerability Details

kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password.

Publish Date: 2012-06-13

URL: CVE-2011-2494

### CVSS 3 Score Details (4.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-2494

Release Date: 2012-06-13

Fix Resolution: 3.1

CVE-2014-4652 ### Vulnerable Library - linux-yocto-devv2.6.34.10

Linux Embedded Kernel - tracks the next mainline release

Library home page: https://git.yoctoproject.org/git/linux-yocto-dev

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (1)

### Vulnerability Details

Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.

Publish Date: 2014-07-03

URL: CVE-2014-4652

### CVSS 3 Score Details (2.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-4652

Release Date: 2014-07-03

Fix Resolution: 3.15.2

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #45

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #45