Kernel fix for CVE-2022-34918 and other vulnerabilities

Started by mossroy, July 27, 2022, 01:48:00 PM

Previous topic - Next topic

mossroy

See https://security-tracker.debian.org/tracker/CVE-2022-34918 and/or https://www.randorisec.fr/crack-linux-firewall/. It allows escalation of privileges.
Several other vulnerabilities have also been recently fixed in the kernel of Debian Bullseye: https://www.debian.org/security/2022/dsa-5191

The current 5.10.105-olimex kernel (provided by Olimex in its images and apt repo) is most probably affected too.

Please provide a kernel upgrade to fix these security issues

mossroy

Does the latest kernel provided by Olimex (5.10.105-olimex #072307 SMP Wed Oct 12 07:24:41 UTC 2022) fix this security vulnerability?

I did not find anything related in the latest commits of https://github.com/OLIMEX/linux-olimex/commits/release-20220413-v5.10.105

mossroy

I see that a new kernel branch https://github.com/OLIMEX/linux-olimex/commits/release-20230217-v5.10.105 appeared on your github repo.

But I did not see any fix for this serious vulnerability (or for the other ones that appeared in between). Did I miss them?

If not, maybe you could base your branch on a more recent version of 5.10.x kernel (instead of staying on 5.10.105): at least 5.10.130, where this vulnerability has been fixed upstream (see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/nf_tables_api.c?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 and https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.130), but hopefully latest 5.10.x (currently 5.10.169, see https://kernel.org/) to have more security and stability fixes?

LubOlimex

Technical support and documentation manager at Olimex

mossroy

Quote from: LubOlimex on March 09, 2023, 04:10:21 PMthis breaks the gui

Could you please elaborate?

You mean that the kernel fix prevents the desktop environment to work properly?
Strange, as this fix is included in upstream debian

mossroy

So we do no deserve any kernel security patch since 14 months?

Kernel 5.10.105 was out in March 2022, see https://lwn.net/Articles/887639/

mossroy

It looks like we finally had a kernel update in olimex repo, at the end of July 2023: http://repository.olimex.com/pool/main/l/linux-5.10.180-olimex/
I did not see any regression with it, so far. And I suppose it fixes the vulnerabilities I mentioned. Thanks.

However, no new image has been released with this new kernel, in http://images.olimex.com/release/a64/. It's not a blocker when the board has internet access (a simple apt update/upgrade does what is necessary), but can be for boards without internet access.

That kernel update is unfortunately not mentioned in the http://images.olimex.com/changelog.txt:
2023-07-25
* linux
- stm32mp1: backported rpmsg_tty driver

My opinion is that kernel security updates from olimex are not frequent enough (16 months to have an update from 5.10.105 to 5.10.180, here), and without enough communication (in this case, I did not see any?)