Bug#1099138: linux: CVE-2024-45001 in bookworm
Control: linux: Backports for fixes for CVE-2024-42069 and CVE-2024-45001 in bookworm
Hi Noah,
On Fri, Feb 28, 2025 at 08:30:27PM +0100, Salvatore Bonaccorso wrote:
> Hi Noah,
>
> On Fri, Feb 28, 2025 at 01:58:18PM -0500, Noah Meyerhans wrote:
> > Source: linux
> > Version: 6.1.128-1
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> >
> > I believe CVE-2024-45001 (RX buf alloc_size alignment and atomic op
> > panic) is miscategorized as not impacting bookworm. The issue is with
> > the net/ethernet/microsoft/mana driver and was introduced in linux 6.10,
> > which is likely why the security-tracker contains the note "Vulnerable
> > code not present" for bookworm. However, bookworm contains a backported
> > version of this driver from 6.10 in
> > debian/patches/features/all/ethernet-microsoft. [1] [2]
> >
> > The upstream fix applies on top of our patched 6.1 kernel with an
> > offset. [3]
> >
> > I didn't propose a fix to the security-tracker data because I don't know
> > the file format well enough.
> >
> > I can prepare a merge request to the kernel package if that would help.
>
> Thanks I will shortly have a look at that as I'm rebasing 6.1.y for
> bookworm for the next upload.
Investigating this further I believe we have the same problem as well
for CVE-2024-42069.
Regards,
Salvatore
Reply to: