Mageia: Security Advisory (MGASA-2022-0022)

# SPDX-FileCopyrightText: 2022 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.1.10.2022.0022");
  script_cve_id("CVE-2021-4155", "CVE-2021-4197", "CVE-2021-44733", "CVE-2021-45095", "CVE-2021-45100", "CVE-2022-23222");
  script_tag(name:"creation_date", value:"2022-01-28 10:58:44 +0000 (Fri, 28 Jan 2022)");
  script_version("2024-02-02T05:06:09+0000");
  script_tag(name:"last_modification", value:"2024-02-02 05:06:09 +0000 (Fri, 02 Feb 2024)");
  script_tag(name:"cvss_base", value:"7.2");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2022-01-21 16:54:33 +0000 (Fri, 21 Jan 2022)");

  script_name("Mageia: Security Advisory (MGASA-2022-0022)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2022 Greenbone AG");
  script_family("Mageia Linux Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/mageia_linux", "ssh/login/release", re:"ssh/login/release=MAGEIA8");

  script_xref(name:"Advisory-ID", value:"MGASA-2022-0022");
  script_xref(name:"URL", value:"https://advisories.mageia.org/MGASA-2022-0022.html");
  script_xref(name:"URL", value:"https://bugs.mageia.org/show_bug.cgi?id=29880");
  script_xref(name:"URL", value:"https://bugs.mageia.org/show_bug.cgi?id=29852");
  script_xref(name:"URL", value:"https://bugs.mageia.org/show_bug.cgi?id=29784");
  script_xref(name:"URL", value:"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.12");
  script_xref(name:"URL", value:"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.13");
  script_xref(name:"URL", value:"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.14");
  script_xref(name:"URL", value:"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.15");

  script_tag(name:"summary", value:"The remote host is missing an update for the 'kernel-linus' package(s) announced via the MGASA-2022-0022 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"This kernel-linus update is based on upstream 5.15.15 and fixes at least
the following security issues:

A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS
filesystem allowed for size increase of files with unaligned size. A
local attacker could use this flaw to leak data on the XFS filesystem
otherwise not accessible to them (CVE-2021-4155).

An unprivileged write to the file handler flaw in the Linux kernel's
control groups and namespaces subsystem was found in the way users have
access to some less privileged process that are controlled by cgroups and
have higher privileged parent process. It is actually both for cgroup2
and cgroup1 versions of control groups. A local user could use this flaw
to crash the system or escalate their privileges on the system
(CVE-2021-4197).

A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in
the Linux kernel through 5.15.11. This occurs because of a race condition
in tee_shm_get_from_id during an attempt to free a shared memory object
(CVE-2021-44733).

pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8
has a refcount leak (CVE-2021-45095).

The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8,
sometimes communicates in cleartext even though encryption has been enabled.
This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using
the SMB 3.1.1 protocol, which is a violation of the SMB protocol
specification. When Windows 10 detects this protocol violation, it disables
encryption (CVE-2021-45100).

kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local
users to gain privileges because of the availability of pointer arithmetic
via certain *_OR_NULL pointer types (CVE-2022-23222).

In addition to the upstream changes, we also have changed the following:
- enable NF_TABLES_INET, NFT_REJECT_INET and NFT_FIB_INET (mga#29852)
- disable CIFS_SMB_DIRECT on desktop kernels as it makes loading cifs
 deps fail on some setups (mga#29784)
- disable unprivileged bpf by default to mitigate other potential security
 issues with bpf

For other upstream fixes, see the referenced changelogs.");

  script_tag(name:"affected", value:"'kernel-linus' package(s) on Mageia 8.");

  script_tag(name:"solution", value:"Please install the updated package(s).");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "MAGEIA8") {

  if(!isnull(res = isrpmvuln(pkg:"kernel-linus-5.15.15-1.mga8", rpm:"kernel-linus-5.15.15-1.mga8~1~1.mga8", rls:"MAGEIA8"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-linus", rpm:"kernel-linus~5.15.15~1.mga8", rls:"MAGEIA8"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-linus-devel-5.15.15-1.mga8", rpm:"kernel-linus-devel-5.15.15-1.mga8~1~1.mga8", rls:"MAGEIA8"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-linus-devel-latest", rpm:"kernel-linus-devel-latest~5.15.15~1.mga8", rls:"MAGEIA8"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-linus-doc", rpm:"kernel-linus-doc~5.15.15~1.mga8", rls:"MAGEIA8"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-linus-latest", rpm:"kernel-linus-latest~5.15.15~1.mga8", rls:"MAGEIA8"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-linus-source-5.15.15-1.mga8", rpm:"kernel-linus-source-5.15.15-1.mga8~1~1.mga8", rls:"MAGEIA8"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-linus-source-latest", rpm:"kernel-linus-source-latest~5.15.15~1.mga8", rls:"MAGEIA8"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);