Bug 1225701 (CVE-2024-36023)

Summary:	VUL-0: CVE-2024-36023: kernel: orangefs: null pointer dereference in orangefs_mount in fs/orangefs/super.c
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	ailiopoulos, andrea.mattiazzo, mhocko, rgoldwyn
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/408152/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-36023:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-05-31 08:54:14 UTC

In the Linux kernel, the following vulnerability has been resolved:

Julia Lawall reported this null pointer dereference, this should fix it.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36023
https://www.cve.org/CVERecord?id=CVE-2024-36023
https://git.kernel.org/stable/c/214a6c4a28c11d67044e6cf3a0ab415050d9f03a
https://git.kernel.org/stable/c/2e2177f94c0e0bc41323d7b6975a5f4820ed347e
https://git.kernel.org/stable/c/9bf93dcfc453fae192fe5d7874b89699e8f800ac
https://git.kernel.org/stable/c/b972e8ac3f44f693127a2806031962d100dfc4d1
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-36023.mbox

Comment 2 Anthony Iliopoulos 2024-06-04 10:49:00 UTC

orangefs is an unsupported module, but also commit 9bf93dcfc453 actually fixes commit ac2c63757f4f ("orangefs: Fix sb refcount leak when allocate sb info failed."), which we don't carry in SLE15-SP5. For SLE15-SP6 the fix is in the blacklist.

Comment 8 Gabriele Sonnu 2024-06-07 13:35:34 UTC

All done, closing.