SB2024062801 - Buffer overflow in Linux kernel firmware efi driver

Description

This security bulletin contains information about 1 security vulnerability.

1) Buffer overflow (CVE-ID: CVE-2024-27413)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to memory corruption within the efi_capsule_open() function in drivers/firmware/efi/capsule-loader.c. A local user can escalate privileges on the system.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/00cf21ac526011a29fc708f8912da446fac19f7b
• https://git.kernel.org/stable/c/950d4d74d311a18baed6878dbfba8180d7e5dddd
• https://git.kernel.org/stable/c/537e3f49dbe88881a6f0752beaa596942d9efd64
• https://git.kernel.org/stable/c/4b73473c050a612fb4317831371073eda07c3050
• https://git.kernel.org/stable/c/ddc547dd05a46720866c32022300f7376c40119f
• https://git.kernel.org/stable/c/11aabd7487857b8e7d768fefb092f66dfde68492
• https://git.kernel.org/stable/c/62a5dcd9bd3097e9813de62fa6f22815e84a0172
• https://git.kernel.org/stable/c/fccfa646ef3628097d59f7d9c1a3e84d4b6bb45e
• https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
• https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
• https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.309
• https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.212
• https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.151
• https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.271
• https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.81
• https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.21
• https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.7.9
• https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.8