SB2024032560 - openEuler update for kernel

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2022-48619)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the input_set_capability() function in drivers/input/input.c. A local user can crash the OS kernel.

2) Improper Initialization (CVE-ID: CVE-2024-0340)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper initialization within the vhost_new_msg() function in drivers/vhost/vhost.c in the Linux kernel vhost driver. A local user can run a specially crafted application to gain access to sensitive kernel information.

3) Improper locking (CVE-ID: CVE-2024-0641)

The vulnerability allows a malicious guest to perform a denial of service attack (DoS) on the target system.

The vulnerability exists due to double-locking error within the tipc_crypto_key_revoke() function in net/tipc/crypto.c. A malicious guest can exploit this vulnerability to cause a deadlock, resulting in a denial of service.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1106