SB2024070180 - Out-of-bounds write in Linux kernel usb

Description

This security bulletin contains information about 1 security vulnerability.

1) Out-of-bounds write (CVE-ID: CVE-2024-27436)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds write within the convert_chmap() function in sound/usb/stream.c. A local user can execute arbitrary code.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/7e2c1b0f6dd9abde9e60f0f9730026714468770f
• https://git.kernel.org/stable/c/6d5dc96b154be371df0d62ecb07efe400701ed8a
• https://git.kernel.org/stable/c/5cd466673b34bac369334f66cbe14bb77b7d7827
• https://git.kernel.org/stable/c/9af1658ba293458ca6a13f70637b9654fa4be064
• https://git.kernel.org/stable/c/629af0d5fe94a35f498ba2c3f19bd78bfa591be6
• https://git.kernel.org/stable/c/22cad1b841a63635a38273b799b4791f202ade72
• https://git.kernel.org/stable/c/c8a24fd281dcdf3c926413dafbafcf35cde517a9
• https://git.kernel.org/stable/c/6d88b289fb0a8d055cb79d1c46a56aba7809d96d
• https://git.kernel.org/stable/c/a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7
• https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
• https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
• https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.311
• https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.214
• https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.153
• https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.273
• https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.83
• https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.23
• https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.7.11
• https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.8.2