Bug 2096178 (CVE-2022-2078)

Summary: CVE-2022-2078 kernel: buffer overflow in nft_set_desc_concat_parse()
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, bskeggs, carnil, chwhite, crwood, ddepaula, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, kyoshida, lgoncalv, linville, lzampier, masami256, mchehab, michal.skrivanek, mperina, mrehak, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steve.beattie, steved, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.19-rc1 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function .This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse() , causing a denial of service and possibly to run code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-05 18:21:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2096401, 2096402, 2096403, 2096404, 2096407, 2108199, 2127407    
Bug Blocks: 2092538, 2092539, 2096169, 2096617    

Description Rohit Keshri 2022-06-13 08:02:48 UTC 
An attacker can trigger a buffer overflow of the Linux kernel, via nft_set_desc_concat_parse(), in order to trigger a denial of service, and possibly to run code.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/nf_tables_api.c?id=fecf31ee395b0295f2d7260aa29946b7605f7c85
Comment 9 Steve Beattie 2022-07-20 07:51:15 UTC 
Is this a duplicate of CVE-2022-1972? Both cves list https://git.kernel.org/linus/fecf31ee395b0295f2d7260aa29946b7605f7c85 as the fix for the issue.

Thanks for any clarification you can give.
Comment 10 Alex 2022-07-31 11:27:30 UTC 
In reply to comment #9:
> Is this a duplicate of CVE-2022-1972? Both cves list
> https://git.kernel.org/linus/fecf31ee395b0295f2d7260aa29946b7605f7c85 as the
> fix for the issue.
> 
> Thanks for any clarification you can give.

Yes. Seems to be a duplicate of CVE-2022-2078,

both CVE-2022-1972 and CVE-2022-2078

link to
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/nf_tables_api.c?id=fecf31ee395b0295f2d7260aa29946b7605f7c85
Comment 11 Alex 2022-07-31 11:56:20 UTC 
*** Bug 2092537 has been marked as a duplicate of this bug. ***
Comment 15 Salvatore Bonaccorso 2022-08-05 14:22:30 UTC 
(In reply to Alex from comment #10)
> In reply to comment #9:
> > Is this a duplicate of CVE-2022-1972? Both cves list
> > https://git.kernel.org/linus/fecf31ee395b0295f2d7260aa29946b7605f7c85 as the
> > fix for the issue.
> > 
> > Thanks for any clarification you can give.
> 
> Yes. Seems to be a duplicate of CVE-2022-2078,
> 
> both CVE-2022-1972 and CVE-2022-2078
> 
> link to
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> net/netfilter/nf_tables_api.c?id=fecf31ee395b0295f2d7260aa29946b7605f7c85

would it make sense to properly reject the CVE-2022-1972 CVE at 
CNA level. I believe this has potential for some confusion as
CVE-2022-1972 was probably assigned earlier, then referenced in 
https://www.openwall.com/lists/oss-security/2022/06/02/1 but CVE-2022-2078
is the one officially filled https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2078

Regards,
Salvatore
Comment 16 Salvatore Bonaccorso 2022-08-05 14:26:38 UTC 
OTOH unfortunately CVE-2022-1972 was already used widely as well in advisories (apart the oss-security post), so not sure what is the best outcome.
Comment 18 errata-xmlrpc 2022-09-20 13:36:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6582 https://access.redhat.com/errata/RHSA-2022:6582
Comment 19 errata-xmlrpc 2022-09-20 14:19:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6610 https://access.redhat.com/errata/RHSA-2022:6610
Comment 20 Marian Rehak 2022-09-23 10:40:19 UTC 
It does, I have requested that CVE-2022-1972 be marked as duplicate of this bug with Mitre.
Comment 21 errata-xmlrpc 2022-11-08 09:10:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444
Comment 22 errata-xmlrpc 2022-11-08 10:09:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683
Comment 24 Product Security DevOps Team 2022-12-05 18:21:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2078
Comment 28 errata-xmlrpc 2024-02-07 16:29:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0724 https://access.redhat.com/errata/RHSA-2024:0724