An update for kernel is now available for openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1925 Final 1.0 1.0 2022-09-16 Initial 2022-09-16 2022-09-16 openEuler SA Tool V1.0 2022-09-16 kernel security update An update for kernel is now available for openEuler-20.03-LTS-SP1. The Linux Kernel, the operating system core itself. Security Fix(es): A heap-based buffer overflow was found in the Linux kernel s LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.(CVE-2022-2991) A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().(CVE-2020-27784) An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.(CVE-2022-39189) Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn t check the value of pixclock , so it may cause a divide by zero error.(CVE-2022-3061) An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.(CVE-2022-2663) An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.(CVE-2022-39842) An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.(CVE-2022-39188) An update for kernel is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1925 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2991 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2020-27784 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-39189 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-3061 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2663 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-39842 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-39188 https://nvd.nist.gov/vuln/detail/CVE-2022-2991 https://nvd.nist.gov/vuln/detail/CVE-2020-27784 https://nvd.nist.gov/vuln/detail/CVE-2022-39189 https://nvd.nist.gov/vuln/detail/CVE-2022-3061 https://nvd.nist.gov/vuln/detail/CVE-2022-2663 https://nvd.nist.gov/vuln/detail/CVE-2022-39842 https://nvd.nist.gov/vuln/detail/CVE-2022-39188 openEuler-20.03-LTS-SP1 kernel-devel-4.19.90-2209.4.0.0168.oe1.aarch64.rpm bpftool-4.19.90-2209.4.0.0168.oe1.aarch64.rpm kernel-debugsource-4.19.90-2209.4.0.0168.oe1.aarch64.rpm python3-perf-debuginfo-4.19.90-2209.4.0.0168.oe1.aarch64.rpm kernel-source-4.19.90-2209.4.0.0168.oe1.aarch64.rpm kernel-tools-debuginfo-4.19.90-2209.4.0.0168.oe1.aarch64.rpm perf-debuginfo-4.19.90-2209.4.0.0168.oe1.aarch64.rpm kernel-debuginfo-4.19.90-2209.4.0.0168.oe1.aarch64.rpm kernel-tools-4.19.90-2209.4.0.0168.oe1.aarch64.rpm kernel-tools-devel-4.19.90-2209.4.0.0168.oe1.aarch64.rpm python3-perf-4.19.90-2209.4.0.0168.oe1.aarch64.rpm python2-perf-debuginfo-4.19.90-2209.4.0.0168.oe1.aarch64.rpm perf-4.19.90-2209.4.0.0168.oe1.aarch64.rpm python2-perf-4.19.90-2209.4.0.0168.oe1.aarch64.rpm kernel-4.19.90-2209.4.0.0168.oe1.aarch64.rpm bpftool-debuginfo-4.19.90-2209.4.0.0168.oe1.aarch64.rpm kernel-4.19.90-2209.4.0.0168.oe1.src.rpm kernel-4.19.90-2209.4.0.0168.oe1.x86_64.rpm kernel-devel-4.19.90-2209.4.0.0168.oe1.x86_64.rpm kernel-tools-devel-4.19.90-2209.4.0.0168.oe1.x86_64.rpm kernel-debugsource-4.19.90-2209.4.0.0168.oe1.x86_64.rpm kernel-source-4.19.90-2209.4.0.0168.oe1.x86_64.rpm perf-debuginfo-4.19.90-2209.4.0.0168.oe1.x86_64.rpm bpftool-4.19.90-2209.4.0.0168.oe1.x86_64.rpm bpftool-debuginfo-4.19.90-2209.4.0.0168.oe1.x86_64.rpm python3-perf-4.19.90-2209.4.0.0168.oe1.x86_64.rpm python2-perf-debuginfo-4.19.90-2209.4.0.0168.oe1.x86_64.rpm kernel-tools-4.19.90-2209.4.0.0168.oe1.x86_64.rpm perf-4.19.90-2209.4.0.0168.oe1.x86_64.rpm kernel-debuginfo-4.19.90-2209.4.0.0168.oe1.x86_64.rpm python2-perf-4.19.90-2209.4.0.0168.oe1.x86_64.rpm kernel-tools-debuginfo-4.19.90-2209.4.0.0168.oe1.x86_64.rpm python3-perf-debuginfo-4.19.90-2209.4.0.0168.oe1.x86_64.rpm A heap-based buffer overflow was found in the Linux kernel s LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability. 2022-09-16 CVE-2022-2991 openEuler-20.03-LTS-SP1 Medium 6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-09-16 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1925 A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free(). 2022-09-16 CVE-2020-27784 openEuler-20.03-LTS-SP1 Medium 5.1 AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N kernel security update 2022-09-16 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1925 An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations. 2022-09-16 CVE-2022-39189 openEuler-20.03-LTS-SP1 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-09-16 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1925 Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn t check the value of pixclock , so it may cause a divide by zero error. 2022-09-16 CVE-2022-3061 openEuler-20.03-LTS-SP1 Medium 6.2 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-09-16 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1925 An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. 2022-09-16 CVE-2022-2663 openEuler-20.03-LTS-SP1 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N kernel security update 2022-09-16 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1925 An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur. 2022-09-16 CVE-2022-39842 openEuler-20.03-LTS-SP1 Medium 6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-09-16 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1925 An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. 2022-09-16 CVE-2022-39188 openEuler-20.03-LTS-SP1 Medium 4.7 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-09-16 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1925