search

witchcraze / NVD_CHECK

1 stars 0 forks source link

CHK NVD : CVE-2023-46838 - dbe1d48a #4580

Closed witchcraze closed 1 week ago

witchcraze commented 2 months ago

[CVE Configuration Update Request] Update Suggestion - CVE-2023-46838 - Cvss3 : 7.5

https://www.linuxkernelcves.com/cves/CVE-2023-46838 https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/blob/master/issues/CVE-2023-46838.yml https://github.com/witchcraze/NVD_CHECK/blob/main/kernel/CVE-2023-46838.json

- CVE-2023-46838
- Suggested Configuration
  - OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.19.0 up to (excluding) 4.19.306
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.10.0 up to (excluding) 5.10.209
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.15.0 up to (excluding) 5.15.148
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.4.0 up to (excluding) 5.4.268
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.0 up to (excluding) 6.1.75
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.0 up to (excluding) 6.6.14
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7.0 up to (excluding) 6.7.2
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.8.0 up to (excluding) 6.8
- Reference
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.19.306
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.10.209
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.15.148
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.4.268
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.1.75
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.6.14
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.7.2
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.8
- Reference (Commit)
  - xen-netback: don't produce zero-size SKB frags
    - Fixed by
      - 4.19.306 (5bb8270789c88c0e4ad78c0de2f274f2275c7f6c)
      - 5.10.209 (cce8ba6fa4ec43ad778d64823a2f8ca120d362c1)
      - 5.15.148 (e03023fcdb5e959d4252b3a38e1b27afb6c1c23c)
      - 5.4.268 (4404c2b832cf0a842b6e3c63fb5749e97dc618ea)
      - 6.1.75 (437360133cbd1e9fb88b122e84fff0df08f18e23)
      - 6.6.14 (78376d4415602d97773f20b49f4aa5fc8666f7a9)
      - 6.7.2 (0179c6b07f7ed2f3ea7309596169e15a59e7ee0e)
      - 6.8 (c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a) (upstream)
    - Will be introduced by
      - https://github.com/torvalds/linux/commit/3ece782693c4
- I Checked
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX is written as upstream commit in each ChangeLog
  - From XXXXXXXX commit page, XXXXXXXXXXX is the most oldest in commit-branches area
  - For 3.16.35, there is related post at lkml
  - For 3.16 series, 3.16.35 is the next release from 3.16.7 which was released at 2014
  - https://mirrors.edge.kernel.org/pub/linux/kernel/v3.x/
  - XXXX
https://nvd.nist.gov/vuln/detail/CVE-2023-46838 URI Start(Ex) Start(Inc) End(Ex) End(Inc)
cpe:/o:linux:linux_kernel 4.14 6.7
cpe:/o:fedoraproject:fedora:39
cpe:/o:fedoraproject:fedora:38
witchcraze commented 2 months ago 
- CVE-2023-46838
- Suggested Configuration
  - OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.14 up to (excluding) 4.19.306
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.268
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.209
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.148
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.75
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.14
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.7.2
- Reference
  - https://ubuntu.com/security/CVE-2023-46838
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.19.306
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.4.268
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.10.209
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.15.148
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.1.75
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.6.14
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.7.2
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.8
- Reference (Commit)
  - xen-netback: don't produce zero-size SKB frags
    - Fixed by
      - 4.19.306 (5bb8270789c88c0e4ad78c0de2f274f2275c7f6c)
      - 5.4.268 (4404c2b832cf0a842b6e3c63fb5749e97dc618ea)
      - 5.10.209 (cce8ba6fa4ec43ad778d64823a2f8ca120d362c1)
      - 5.15.148 (e03023fcdb5e959d4252b3a38e1b27afb6c1c23c)
      - 6.1.75 (437360133cbd1e9fb88b122e84fff0df08f18e23)
      - 6.6.14 (78376d4415602d97773f20b49f4aa5fc8666f7a9)
      - 6.7.2 (0179c6b07f7ed2f3ea7309596169e15a59e7ee0e)
      - 6.8 (c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a) (upstream)
    - Will be introduced by
      - https://github.com/torvalds/linux/commit/3ece782693c4 (v4.14-rc1)
- I Checked
  - From ubuntu page
    - Introduced by 3ece782693c4b64d588dd217868558ab9a19bfe7 Fixed by c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a
  - c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a is written as upstream commit in each ChangeLog
  - From 3ece782693c4 commit page, Xv4.14-rc1 is the most oldest in commit-branches area