Bug#1099138: linux: CVE-2024-45001 in bookworm
On Sat, Mar 01, 2025 at 02:15:43PM +0100, Salvatore Bonaccorso wrote:
> > > Source: linux
> > > Version: 6.1.128-1
> > > Severity: important
> > > Tags: security
> > > X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> > >
> > > I believe CVE-2024-45001 (RX buf alloc_size alignment and atomic op
> > > panic) is miscategorized as not impacting bookworm. The issue is with
> > > the net/ethernet/microsoft/mana driver and was introduced in linux 6.10,
> > > which is likely why the security-tracker contains the note "Vulnerable
> > > code not present" for bookworm. However, bookworm contains a backported
> > > version of this driver from 6.10 in
> > > debian/patches/features/all/ethernet-microsoft. [1] [2]
> > >
> > > The upstream fix applies on top of our patched 6.1 kernel with an
> > > offset. [3]
> > >
> > > I didn't propose a fix to the security-tracker data because I don't know
> > > the file format well enough.
> > >
> > > I can prepare a merge request to the kernel package if that would help.
> >
> > Thanks, I will shortly have a look at that as I'm rebasing 6.1.y for
> > bookworm for the next upload.
>
> Investigating this further I believe we have the same problem as well
> for CVE-2024-42069.
Yes, that seems likely.
noah