[ASA-202107-51] linux-lts: privilege escalation
Arch Linux Security Advisory ASA-202107-51
==========================================

Severity: High
Date    : 2021-07-21
CVE-ID  : CVE-2021-3609 CVE-2021-3612 CVE-2021-33909
Package : linux-lts
Type    : privilege escalation
Remote  : No
Link    : https://security.archlinux.org/AVG-2184

Summary
=======

The package linux-lts before version 5.10.52-1 is vulnerable to
privilege escalation.

Resolution
==========

Upgrade to 5.10.52-1.

# pacman -Syu "linux-lts>=5.10.52-1"

The problems have been fixed upstream in version 5.10.52.

Workaround
==========

None.

Description
===========

- CVE-2021-3609 (privilege escalation)

A race condition in net/can/bcm.c in the Linux kernel before version
5.13.2 allows for local privilege escalation to root. The CAN BCM
networking protocol allows registering a CAN message receiver for a
specified socket. The function bcm_rx_handler() is run for incoming CAN
messages. While this function is running, the socket can be closed and
bcm_release() will be called. Inside bcm_release(), struct bcm_op and
struct bcm_sock are freed while bcm_rx_handler() is still running,
finally leading to multiple use-after-frees.

- CVE-2021-3612 (privilege escalation)

An out-of-bounds memory write security issue was found in the Linux
kernel's joystick devices subsystem before version 5.13.2, in the way
the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to
crash the system or possibly escalate their privileges on the system.

- CVE-2021-33909 (privilege escalation)

A privilege escalation security issue has been found in the filesystem
layer of the Linux kernel before version 5.13.4. An unprivileged local
attacker can obtain full root privileges by creating, mounting, and
deleting a deep directory structure whose total path length exceeds
1GB, which leads to an uncontrolled out-of-bounds write.

Impact
======

An unprivileged local attacker could obtain full root privileges or
crash the system.

References
==========

https://www.openwall.com/lists/oss-security/2021/06/19/1
https://www.openwall.com/lists/oss-security/2021/06/19/2
https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-20...
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
https://bugzilla.redhat.com/show_bug.cgi?id=1974079
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-esc...
https://www.qualys.com/2021/07/20/cve-2021-33909/cve-2021-33909-crasher.c
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v...
https://security.archlinux.org/CVE-2021-3609
https://security.archlinux.org/CVE-2021-3612
https://security.archlinux.org/CVE-2021-33909
Jonas Witschel
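
An added example, not part of the Arch advisory: a shell check that compares a host against the fixed version 5.10.52-1 and also flags the case where the package is upgraded but the old kernel keeps running until reboot. The function names and the assumption that `uname -r` for linux-lts reads `<pkgver>-<pkgrel>-lts` are this example's own; vercmp is the version comparison tool shipped with pacman.

```shell
#!/bin/sh
# Fixed package version, taken from the advisory.
FIXED="5.10.52-1"

# ver_lt A B: succeed when version A sorts strictly before version B.
# Uses pacman's vercmp when present, otherwise falls back to GNU sort -V.
ver_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# classify INSTALLED RUNNING: print the state of the host.
#   INSTALLED  package version, e.g. from `pacman -Q linux-lts`
#   RUNNING    kernel release, e.g. from `uname -r`
#              (assumed to look like "<pkgver>-<pkgrel>-lts")
classify() {
    installed=$1
    running=$2
    if ver_lt "$installed" "$FIXED"; then
        echo "vulnerable"            # package itself predates the fix
        return 0
    fi
    case $running in
        *-lts) running=${running%-lts} ;;
        *)     echo "not-running-lts" # another kernel is booted; check its own advisory
               return 0 ;;
    esac
    if ver_lt "$running" "$FIXED"; then
        echo "reboot-needed"         # fixed package on disk, old kernel in memory
    else
        echo "patched"
    fi
}

# Query the live system only when asked to, so the functions can be sourced.
if [ "${1:-}" = "--live" ]; then
    classify "$(pacman -Q linux-lts | awk '{print $2}')" "$(uname -r)"
fi
```

Run it with `--live` on an Arch host; "reboot-needed" means the vulnerable kernel is still loaded even though pacman reports the fixed package.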