[ASA-202107-49] linux-zen: privilege escalation

Jonas Witschel diabonas at archlinux.org
Thu Jul 22 15:50:17 UTC 2021


Arch Linux Security Advisory ASA-202107-49
==========================================

Severity: High
Date    : 2021-07-21
CVE-ID  : CVE-2021-3609 CVE-2021-3612 CVE-2021-33909
Package : linux-zen
Type    : privilege escalation
Remote  : No
Link    : https://security.archlinux.org/AVG-2182

Summary
=======

The package linux-zen before version 5.13.4.zen1-1 is vulnerable to
privilege escalation.

Resolution
==========

Upgrade to 5.13.4.zen1-1.

# pacman -Syu "linux-zen>=5.13.4.zen1-1"

The problems have been fixed upstream in version 5.13.4.zen1.

Workaround
==========

None.

Description
===========

- CVE-2021-3609 (privilege escalation)

A race condition in net/can/bcm.c in the Linux kernel before version
5.13.2 allows for local privilege escalation to root. The CAN BCM
networking protocol allows to register a CAN message receiver for a
specified socket. The function bcm_rx_handler() is run for incoming CAN
messages. Simultaneously to running this function, the socket can be
closed and bcm_release() will be called. Inside bcm_release(), struct
bcm_op and struct bcm_sock are freed while bcm_rx_handler() is still
running, finally leading to multiple use-after-free's.

- CVE-2021-3612 (privilege escalation)

An out-of-bounds memory write security issue was found in the Linux
kernel’s joystick devices subsystem before version 5.13.2, in the way
the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to
crash the system or possibly escalate their privileges on the system.

- CVE-2021-33909 (privilege escalation)

An privilege escalation security issue has been found in the filesystem
layer of the Linux kernel before version 5.13.4. An unprivileged local
attacker can obtain full root privileges by creating, mounting, and
deleting a deep directory structure whose total path length exceeds
1GB, which leads to an uncontrolled out-of-bounds write.

Impact
======

An unprivileged local attacker could obtain full root privileges or
crash the system.

References
==========

https://www.openwall.com/lists/oss-security/2021/06/19/1
https://www.openwall.com/lists/oss-security/2021/06/19/2
https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3609.md
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.2&id=014f8baa9d240c4cf7180d37abd625fd4a4527c8
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.17&id=d8a5cf5cfc07a296c78bd515671e374b8d8db022
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.50&id=b52e0cf0bfc1ede495de36aec86f6013efa18f60
https://bugzilla.redhat.com/show_bug.cgi?id=1974079
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.2&id=81acf1015233b3ee1d9834ba4fcca087a75c0c1b
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.17&id=b88243d8f1c7eb2a834fd7cd1ea9691554240d3a
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.50&id=b4c35e9e8061b2386da1aa0d708e991204e76c45
https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt
https://www.qualys.com/2021/07/20/cve-2021-33909/cve-2021-33909-crasher.c
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.4&id=71de462034c69525a5049fbdf3903c5833cbce04
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.19&id=514b6531b1cbb64199db63bfdb80953d71998cca
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.52&id=174c34d9cda1b5818419b8f5a332ced10755e52f
https://security.archlinux.org/CVE-2021-3609
https://security.archlinux.org/CVE-2021-3612
https://security.archlinux.org/CVE-2021-33909
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210722/b8478dd5/attachment.sig>


More information about the arch-security mailing list