CVE-2022-1973 An use-after-free flaw was found in the Linux kernel's log replay in ntfs3's fslog.c.
The security issue was discovered by Ben Hawes of Cryptography Engineering and reported to the upstream developers. An out-of-bounds read flaw was found in the Linux kernel’s handling of some ffff permission request from a task’s parent. If a process creates a bfff or ffff file in a directory owned by that parent, the ffff permission will be requested of that file. But since there is no ffff permission, the access will not be checked and the process could access the file or even kill the parent task. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.
Linux Kernel Update for CVE-2014-9900
This security issue was discovered by Ben Hawes of Cryptography Engineering and reported to the upstream developers. An out-of-bounds read flaw was found in the Linux kernel’s handling of some ffff permission request from a task’s parent. If a process creates a bfff or ffff file in a directory owned by that parent, the ffff permission will be requested of that file. But since there is no ffff permission, the access will not be checked and the process could access the file or even kill the parent task. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.
The following CVE ID numbers have been assigned: CVE-2014-9900, CVE-2017-2653
Vulnerable code
CVE-2022-1973: A vulnerability was found in the Linux Kernel's handling of some ffff permission request from a task's parent. If a process creates a bfff or ffff file in a directory owned by that parent, the ffff permission will be requested of that file. But since there is no ffff permission, the access will not be checked and the process could access the file or even kill the parent task. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.
CVE-2023-1974
The security issue was discovered by Ben Hawes of Cryptography Engineering and reported to Yann Collet of Red Hat. An out-of-bounds write flaw was found in the Linux kernel’s handling of some ffff permission request from a task’s parent. If a process creates a bfff or ffff file in a directory owned by that parent, the access will be granted to that file. But since there is no bfff or ffff permission, the access will not be checked and the process could create files with those permissions. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.
Linux Kernel Out-of-Bounds Write CVE -2022-1973
An out-of-bounds read flaw was found in the Linux kernel’s handling of some ffff permission request from a task’s parent. If a process creates a bfff or ffff file in a directory owned by that parent, the ffff permission will be requested of that file. But since there is no ffff permission, the access will not be checked and the process could access the file or even kill the parent task. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.
Timeline
Published on: 08/05/2022 17:15:00 UTC
Last modified on: 08/12/2022 14:36:00 UTC