[Intel-wired-lan] Further information on CVE-2019-0145/CVE-2019-0146/CVE-2019-0147/CVE-2019-0148/CVE-2019-0149 for Linux?
Jesse Brandeburg
jbrandeb at intel.com
Tue Jul 28 18:10:27 UTC 2020
On Thu, 16 Jul 2020, Moritz Muehlenhoff wrote:
> Hi,
> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00255.html refers
> to vulnerabilities in Intel Ethernet drivers and a few of them refer to the i40e driver
> specifically:
I'm sorry Moritz that we haven't gotten back to you. We are chasing down
the specific patches made upstream for software portions of the below
fixes.
> CVEID: CVE-2019-0145
> Description: Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers
> versions before 7.0 may allow an authenticated user to potentially enable an escalation
> of privilege via local access.
>
> CVEID: CVE-2019-0146
> Description: Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers
> versions before 2.8.43 may allow an authenticated user to potentially enable a denial of
> service via local access.
>
> CVEID: CVE-2019-0147
> Description: Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series
> Controllers versions before 7.0 may allow an authenticated user to potentially enable a
> denial of service via local access.
>
> CVEID: CVE-2019-0148
> Description: Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers
> versions before 7.0 may allow an authenticated use to potentially enable a denial of
> service via local access.
>
> CVEID: CVE-2019-0149
> Description: Insufficient input validation in i40e driver for Intel(R) Ethernet 700
> Series Controllers versions before 2.8.43 may allow an authenticated user to potentially
> enable a denial of service via local access.
>
> Is there any further information which commits fixed these and if so, were they submitted
> to stable kernels? (The Debian kernels are based on 4.9.x and 4.19.x LTS kernels, so that
> we can make sure these are addressed in stable/oldstable releases)
We will get you the information, it was a mistake on our part to not
mention CVEs in the commit messages if/when we upstreamed the patches. The
only thing I can say for sure is that these have been addressed in our
Out-of-tree drivers, but I realize that is not your question.
Thanks for your patience,
Jesse
More information about the Intel-wired-lan
mailing list