Source: libbpf
Version: 1.0.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for libbpf.

CVE-2022-3533[0]:
| A vulnerability was found in Linux Kernel. It has been rated as
| problematic. This issue affects the function parse_usdt_arg of the
| file tools/lib/bpf/usdt.c of the component BPF. The manipulation of
| the argument reg_name leads to memory leak. It is recommended to apply
| a patch to fix this issue. The associated identifier of this
| vulnerability is VDB-211031.


CVE-2022-3534[1]:
| A vulnerability classified as critical has been found in Linux Kernel.
| Affected is the function btf_dump_name_dups of the file
| tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation
| leads to use after free. It is recommended to apply a patch to fix
| this issue. The identifier of this vulnerability is VDB-211032.


CVE-2022-3606[2]:
| A vulnerability was found in Linux Kernel. It has been classified as
| problematic. This affects the function find_prog_by_sec_insn of the
| file tools/lib/bpf/libbpf.c of the component BPF. The manipulation
| leads to null pointer dereference. It is recommended to apply a patch
| to fix this issue. The identifier VDB-211749 was assigned to this
| vulnerability.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3533
    https://www.cve.org/CVERecord?id=CVE-2022-3533
    https://github.com/libbpf/libbpf/commit/881a10980b7ded995da5d9cc1919992c36c9d2be
[1] https://security-tracker.debian.org/tracker/CVE-2022-3534
    https://www.cve.org/CVERecord?id=CVE-2022-3534
    https://github.com/libbpf/libbpf/commit/54caf920db0e489de90f3aaaa41e2a51ddbcd084
[2] https://security-tracker.debian.org/tracker/CVE-2022-3606
    https://www.cve.org/CVERecord?id=CVE-2022-3606
    https://github.com/libbpf/libbpf/commit/3a3ef0c1d09e1894740db71cdcb7be0bfd713671

Regards,
Salvatore
