[main] [kernel] [CVEs] Address kernel CVEs (#2538)

* Address CVEs 1999-0524, 1999-0656, 2007-4998, 2008-4609, 2010-0298, 2010-4563, 2011-0640, 2022-0492, 2021-3743 * remove nopatches for CVE 1999-0656, 2007-4998; those will be disputed instead because not applicable to kernel * nopatch kernel CVE-2022-26966 * nits, spacing
2022-03-23 09:23:25 -07:00 · 2022-03-23 09:23:25 -07:00 · 54b9cadae7
--- a/SPECS/kernel/CVE-1999-0524.nopatch
+++ b/SPECS/kernel/CVE-1999-0524.nopatch
@ -0,0 +1,3 @@
+CVE-1999-0524 - No upstream fix. Vulnerability is low severity.
+Users can mitigate the vulnerability by configuring their system firewall to
+not respond to certain ICMP requests.
--- a/SPECS/kernel/CVE-2008-4609.nopatch
+++ b/SPECS/kernel/CVE-2008-4609.nopatch
@ -0,0 +1,2 @@
+CVE-2008-4609 - No upstream fix. Vulnerability exploits design limitations in TCP protocol.
+Recommend using iptables mitigation - https://bugzilla.redhat.com/show_bug.cgi?id=465932
--- a/SPECS/kernel/CVE-2010-0298.nopatch
+++ b/SPECS/kernel/CVE-2010-0298.nopatch
@ -0,0 +1,3 @@
+CVE-2010-0298 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit: 1871c6020d7308afb99127bba51f04548e7ca84e
+Stable commit: 1871c6020d7308afb99127bba51f04548e7ca84e
--- a/SPECS/kernel/CVE-2010-4563.nopatch
+++ b/SPECS/kernel/CVE-2010-4563.nopatch
@ -0,0 +1 @@
+CVE-2010-4563 - No upstream fix. Low security impact. No plans to fix.
--- a/SPECS/kernel/CVE-2011-0640.nopatch
+++ b/SPECS/kernel/CVE-2011-0640.nopatch
@ -0,0 +1,4 @@
+CVE-2011-0640 - Vulnerability disputed. No fix upstream.
+Vulnerability concerns arbitrary code execution when a malicious USB device is
+plugged in. The malicious USB device poses as a HID device and sends keystrokes
+to control the host system.
--- a/SPECS/kernel/CVE-2021-3743.nopatch
+++ b/SPECS/kernel/CVE-2021-3743.nopatch
@ -0,0 +1,3 @@
+CVE-2021-3743 - Already in 5.15.26.1:
+Upstream:  7e78c597c3ebfd0cb329aa09a838734147e4f117
+Stable:  7e78c597c3ebfd0cb329aa09a838734147e4f117
--- a/SPECS/kernel/CVE-2022-0492.nopatch
+++ b/SPECS/kernel/CVE-2022-0492.nopatch
@ -0,0 +1,3 @@
+CVE-2022-0492 - Already in 5.15.26.1:
+Upstream:  24f6008564183aa120d07c03d9289519c2fe02af
+Stable:  4b1c32bfaa02255a5df602b41587174004996477
--- a/SPECS/kernel/CVE-2022-26966.nopatch
+++ b/SPECS/kernel/CVE-2022-26966.nopatch
@ -0,0 +1,3 @@
+CVE-2022-26966 - Already backported to 5.15.26.1
+Upstream: e9da0b56fe27206b49f39805f7dcda8a89379062 
+Stable: 9f2d614779906f3d8ad4fb882c5b3e5ad6150bbe
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@ -51,6 +51,14 @@ Patch1023:      CVE-2022-25258.nopatch
 Patch1024:      CVE-2022-25375.nopatch
 Patch1025:      CVE-2022-0617.nopatch
 Patch1026:      CVE-2022-0847.nopatch
+Patch1027:      CVE-1999-0524.nopatch
+Patch1030:      CVE-2008-4609.nopatch
+Patch1031:      CVE-2010-0298.nopatch
+Patch1032:      CVE-2010-4563.nopatch
+Patch1033:      CVE-2011-0640.nopatch
+Patch1034:      CVE-2022-0492.nopatch
+Patch1035:      CVE-2021-3743.nopatch
+Patch1036:      CVE-2022-26966.nopatch
 BuildRequires:  audit-devel
 BuildRequires:  bash
 BuildRequires:  bc
@ -402,7 +410,8 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 - Update source to 5.15.26.1
 - Address CVES: 2022-0617, 2022-25375, 2022-25258, 2021-4090, 2022-25265,
  2021-45402, 2022-0382, 2022-0185, 2021-44879, 2022-24959, 2022-0264, 
-  2022-24448, 2022-24122, 2021-20194, 2022-0847
+  2022-24448, 2022-24122, 2021-20194, 2022-0847, 1999-0524, 2008-4609,
+  2010-0298, 2010-4563, 2011-0640, 2022-0492, 2021-3743, 2022-26966

 * Mon Mar 07 2022 George Mileka <gmileka@microsoft.com> - 5.15.18.1-5
 - Enabled vfio noiommu.
				`@ -0,0 +1 @@`
				`CVE-2010-4563 - No upstream fix. Low security impact. No plans to fix.`