Bug#1099138: linux: CVE-2024-45001 in bookworm
Source: linux
Version: 6.1.128-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

I believe CVE-2024-45001 (RX buf alloc_size alignment and atomic op
panic) is miscategorized as not impacting bookworm. The issue is with
the net/ethernet/microsoft/mana driver and was introduced in linux 6.10,
which is likely why the security-tracker contains the note "Vulnerable
code not present" for bookworm. However, bookworm contains a backported
version of this driver from 6.10 in
debian/patches/features/all/ethernet-microsoft. [1] [2]

The upstream fix applies on top of our patched 6.1 kernel with an
offset. [3]

I didn't propose a fix to the security-tracker data because I don't know
the file format well enough.

I can prepare a merge request to the kernel package if that would help.

Thanks
noah

1. https://security-tracker.debian.org/tracker/CVE-2024-45001
2. https://salsa.debian.org/kernel-team/linux/-/tree/debian/6.1/bookworm/debian/patches/features/all/ethernet-microsoft?ref_type=heads
3. https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=32316f676b4ee87c0404d333d248ccf777f739bc
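The report rests on two checks a triager would repeat before changing a "vulnerable code not present" verdict: does the unpacked bookworm kernel source actually contain the backported driver, and does the upstream commit apply to it (cleanly or with an offset)? The script below is an added example, not part of the bug report or of the Debian kernel package; it assumes a kernel source tree with the upstream driver layout and a unified diff exported from the commit referenced in [3], and relies on GNU patch for the dry run.

```shell
#!/bin/sh
# Added example: triage helper for "vulnerable code not present" claims.
# Given an unpacked kernel source tree (e.g. the bookworm linux source with
# debian/patches applied) and a unified diff of the upstream fix, report
# whether the driver is present and whether the fix would apply.
# The driver path mirrors the upstream layout; the tree and patch paths are
# whatever the caller passes (assumptions for illustration).

MANA_DIR="drivers/net/ethernet/microsoft/mana"

# Return 0 if the MANA driver directory exists in the tree, 1 otherwise.
# A tree where this returns 1 genuinely lacks the affected code.
mana_driver_present() {
    tree="$1"
    [ -d "$tree/$MANA_DIR" ]
}

# Dry-run the fix against the tree with -p1 (upstream a/ b/ prefixes).
# Prints patch's hunk report (which includes "offset N lines" when the
# hunks land at shifted line numbers) and returns patch's exit status:
# 0 means every hunk applies, non-zero means at least one hunk was rejected.
fix_applies() {
    tree="$1"
    fix="$2"
    out=$(cd "$tree" && patch -p1 --dry-run < "$fix" 2>&1)
    status=$?
    printf '%s\n' "$out"
    return $status
}

# Combined verdict: 0 if the driver is present AND the fix applies,
# 1 if the driver is absent, 2 if present but the fix does not apply.
triage() {
    tree="$1"
    fix="$2"
    if ! mana_driver_present "$tree"; then
        echo "driver absent: $MANA_DIR not found in $tree"
        return 1
    fi
    if fix_applies "$tree" "$fix"; then
        echo "driver present and fix applies (see hunk report above)"
        return 0
    fi
    echo "driver present but fix does NOT apply; a backport is needed"
    return 2
}

# Usage: sh check_mana_fix.sh /path/to/linux-source /path/to/fix.patch
if [ "$#" -ge 2 ]; then
    triage "$1" "$2"
fi
```

Run it against the bookworm tree after `quilt push -a` (or the patched orig tree) so the backported driver is in place; an "offset" line in the hunk report is the situation the bug report describes, while a rejected hunk means the fix needs manual backporting rather than a tracker-only change.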