Bug 1217158 (CVE-2023-22313) - VUL-0: CVE-2023-22313: qatlib: Improper buffer restrictions in some Intel(R) QAT Library software before version 22.07.1 may allow a privileged user to potentially enable information disclosure via local access.
Summary: VUL-0: CVE-2023-22313: qatlib: Improper buffer restrictions in some Intel(R) ...
Status: NEW
Alias: CVE-2023-22313
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/385035/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-22313:2.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-15 08:52 UTC by SMASH SMASH
Modified: 2024-01-30 10:13 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-11-15 08:52:19 UTC
Improper buffer restrictions in some Intel(R) QAT Library software before version 22.07.1 may allow a privileged user to potentially enable information disclosure via local access.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22313
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00861.html
https://github.com/intel/qatlib/releases/tag/22.07.1
Comment 1 Gianluca Gabrielli 2023-11-15 09:08:01 UTC
Intel mentioned that the fix is part of v22.07.1. By looking at the diff with v22.07.0 [0] I only see 4 commits. By exclusion, only this commit [1] brings some changes to the source code, but the commit message is not that helpful in understanding if it is actually the correct one. Could you please double-check and provide your feedback?

Affected packages:
 - SUSE:SLE-15-SP3:Update/qatlib
 - SUSE:SLE-15-SP3:Update/qatlib


[0] https://github.com/intel/qatlib/compare/22.07.0...22.07.1
[1] https://github.com/intel/qatlib/commit/efa3465222e05445f368ec169e8d2dc4e74982e4
Comment 2 Petr Gajdos 2023-11-16 09:45:26 UTC
This sounds about correct to me as well, there are a few hardenings in dump_message(). Torsten, do you agree with the reasoning? Or should we rather ask Intel?
Comment 3 Petr Gajdos 2023-11-16 09:48:16 UTC
The patch applies almost cleanly against 15sp3/qatlib. Will submit there.

I believe all fixed.
Comment 7 Petr Gajdos 2024-01-30 10:13:23 UTC
Sure, done.
Oversight on my side as well.
https://build.suse.de/request/show/319787