{"id":"MGASA-2022-0442","summary":"Updated kernel packages fix security vulnerabilities","details":"This kernel update is based on upstream 5.15.79 and fixes at least the\nfollowing security issues:\n\nA flaw was found in the Linux kernel. A race issue occurs between an\nio_uring request and the Unix socket garbage collector, allowing an attacker\nlocal privilege escalation (CVE-2022-2602).\n\nA vulnerability was found in Linux Kernel. It has been declared as\nproblematic. Affected by this vulnerability is the function\nipv6_renew_options of the component IPv6 Handler. The manipulation leads\nto memory leak. The attack can be launched remotely (CVE-2022-3524).\n\nA vulnerability classified as problematic was found in Linux Kernel.\nAffected by this vulnerability is the function mvpp2_dbgfs_port_init of\nthe file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the\ncomponent mvpp2. The manipulation leads to memory leak (CVE-2022-3535).\n\nA vulnerability classified as problematic was found in Linux Kernel. This\nvulnerability affects the function bnx2x_tpa_stop of the file drivers/net/\nethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation\nleads to memory leak (CVE-2022-3542).\n\nA vulnerability, which was classified as problematic, has been found in\nLinux Kernel. This issue affects the function unix_sock_destructor/\nunix_release_sock of the file net/unix/af_unix.c of the component BPF.\nThe manipulation leads to memory leak (CVE-2022-3543).\n\nA vulnerability classified as critical was found in Linux Kernel. Affected\nby this vulnerability is the function l2cap_reassemble_sdu of the file\nnet/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation\nleads to use after free (CVE-2022-3564).\n\nA vulnerability, which was classified as critical, has been found in Linux\nKernel. Affected by this issue is the function del_timer of the file\ndrivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation\nleads to use after free (CVE-2022-3565).\n\nA vulnerability was found in Linux Kernel. It has been declared as\nproblematic. Affected by this vulnerability is the function intr_callback\nof the file drivers/net/usb/r8152.c of the component BPF. The manipulation\nleads to logging of excessive data. The attack can be launched remotely\n(CVE-2022-3594).\n\nA vulnerability has been found in Linux Kernel and classified as\nproblematic. This vulnerability affects the function l2cap_recv_acldata\nof the file net/bluetooth/l2cap_core.c of the component Bluetooth. The\nmanipulation leads to memory leak (CVE-2022-3619).\n\nA vulnerability was found in Linux Kernel. It has been declared as\nproblematic. Affected by this vulnerability is the function follow_page_pte\nof the file mm/gup.c of the component BPF. The manipulation leads to race\ncondition (CVE-2022-3623).\n\nAn intra-object buffer overflow was found in brcmfmac, which can be\ntriggered by a malicious USB causing a Denial-of-Service (CVE-2022-3628).\n\ndrivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a\nrace condition and resultant use-after-free if a physically proximate\nattacker removes a USB device while calling open(), aka a race condition\nbetween ufx_ops_open and ufx_usb_disconnect (CVE-2022-41849).\n\noccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through\n5.19.12 has a race condition and resultant use-after-free in certain\nsituations where a report is received while copying a report-\u003evalue is\nin progress (CVE-2022-41850).\n\nThere is an infoleak vulnerability in the Linux kernel's net/bluetooth/\nl2cap_core.c's l2cap_parse_conf_req function which can be used to leak\nkernel pointers remotely (CVE-2022-42895).\n\nThere are use-after-free vulnerabilities in the Linux kernel's \nnet/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req\nfunctions which may allow code execution and leaking kernel memory\n(respectively) remotely via Bluetooth. A remote attacker could execute\ncode leaking kernel memory via Bluetooth if within proximity of the\nvictim (CVE-2022-42896).\n\nThe Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2\nare vulnerable to buffer overflow. NFSD tracks the number of pages held by\neach NFSD thread by combining the receive and send buffers of a remote\nprocedure call (RPC) into a single array of pages. A client can force the\nsend buffer to shrink by sending an RPC message over TCP with garbage data\nadded at the end of the message. The RPC message with garbage data is still\ncorrectly formed according to the specification and is passed forward to\nhandlers. Vulnerable code in NFSD is not expecting the oversized request\nand writes beyond the allocated buffer space (CVE-2022-43945).\n\nFor other upstream fixes in this update, see the referenced changelogs.\n","modified":"2026-01-30T07:14:25.542667Z","published":"2022-11-27T20:51:49Z","related":["CVE-2022-2602","CVE-2022-3524","CVE-2022-3535","CVE-2022-3542","CVE-2022-3543","CVE-2022-3564","CVE-2022-3565","CVE-2022-3594","CVE-2022-3619","CVE-2022-3623","CVE-2022-3628","CVE-2022-41849","CVE-2022-41850","CVE-2022-42895","CVE-2022-42896","CVE-2022-43945"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0442.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31148"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.75"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.76"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.77"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.78"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.79"}],"affected":[{"package":{"name":"kernel","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/kernel?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.15.79-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0442.json"}},{"package":{"name":"kmod-virtualbox","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/kmod-virtualbox?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.2-1.2.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0442.json"}},{"package":{"name":"kmod-xtables-addons","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/kmod-xtables-addons?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.21-1.7.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0442.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}