[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Details on this supposed Linux Kernel ksmbd RCE
From:       Marcus Meissner <meissner () suse ! de>
Date:       2022-12-31 14:59:09
Message-ID: 20221231150559.GB675 () suse ! de
[Download RAW message or body]

Hi,

I made a small mistake in this email, (CVE db is correct).

On Fri, Dec 23, 2022 at 05:21:29PM +0100, Marcus Meissner wrote:
> Hi,
> 
> Mitre has assigned following CVEs, also torvalds mainline commits:

> 
	> ZDI-22-1691 - CVE-2022-47940
	> 	158a66b245739e15858de42c0ba60fcf3de9b8e6

should be:

	> ZDI-22-1691 - CVE-2022-47943
	> 	ac60778b87e45576d7bfdbd6f53df902654e6f09

 
and this
	> Mitre assigned also from the stable patch, but was not in ZDI set - CVE-2022-47943
	> 	ac60778b87e45576d7bfdbd6f53df902654e6f09

should be:
	> Mitre assigned also from the stable patch, but was not in ZDI set - CVE-2022-47940
	> 	158a66b245739e15858de42c0ba60fcf3de9b8e6
	

so basically I had CVE-2022-47940 and CVE-2022-47943 switched.

Sorry for this mistake.

Ciao, Marcus

> 	(I did not request that in my batch, Mitre seemed to have
> 	picked this from the stable patch.)
> 
> I mistakenly declared 5.13-5.19 affectedness to Mitre in a hurry,
> but it is more 5.15 - 5.18.x / 5.19.x
> 
> Ciao, Marcus
> 
> 
> On Thu, Dec 22, 2022 at 04:49:04PM -0500, Jan Schaumann wrote:
> > Josh Bressers <josh@bress.net> wrote:
> >  
> > > I was wondering if anyone on the list has additional details about this ZDI
> > > advisory
> > > https://www.zerodayinitiative.com/advisories/ZDI-22-1690/
> > > 
> > > There aren't many usable details at the moment
> > 
> > Agreed.
> > 
> > The advisories link to a changelog in
> > https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.61
> > but it's unclear (to me) whether that implies v6.x
> > kernels are not affected?
> > 
> > Note also that this disclosure is accompanied by a few
> > others:
> > 
> > Authenticated remote information disclosure:
> > https://www.zerodayinitiative.com/advisories/ZDI-22-1691/
> > 
> > Unauthenticated remote DoS:
> > https://www.zerodayinitiative.com/advisories/ZDI-22-1687/
> > 
> > Authenticated RCE:
> > https://www.zerodayinitiative.com/advisories/ZDI-22-1688/
> > 
> > Authenticated DoS:
> > https://www.zerodayinitiative.com/advisories/ZDI-22-1689/
> > 
> > Lastly, given that this is a coordinated disclosure,
> > I don't know why there are no CVE IDs reserved for
> > these.
> > 
> > -Jan
> 
> -- 
> Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
> SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
> GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg

-- 
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg
[prev in list] [next in list] [prev in thread] [next in thread]