StackRot Vulnerability in kernels 6.1 through 6.4
Paride Legovini
paride at ubuntu.com
Tue Jul 25 11:24:46 UTC 2023
Andrei Datcu wrote on 24/07/2023:
> Hello!
>
> This is my first submission and as such I would like to report a vulnerability: CVE-2023-3269, named "Stack Rot".
>
> This is a flaw in the handling of stack expansion. I won't go into too many details, as I am a linux sysadmin, not a programmer and I will leave sources below from the discoverer of this vulnerability and the git merge message that Linus Torvalds published.
> An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges. On June 28th, during the merge window for Linux kernel 6.5, the fix was merged into Linus' tree.
> The patches were also backported to stable kernel (6.1.37, 6.3.11 and 6.4.1), so the bug was resolved since July 1st. However, in my testing of Mantic Minotaur, the daily build from 24072023, I have noticed that the kernel it was using was version 6.3.0-7. And I haven't seen any submissions regarding this on lists.ubuntu.com, so I decided to post it here to. hopefully, apply the patch to the kernel.
Hello, the CVE is known already, how it affects Ubuntu is tracked here:
https://ubuntu.com/security/CVE-2023-3269
https://launchpad.net/bugs/cve/CVE-2023-3269
Please note that this mailing list is not the right channel to report
security issues in Ubuntu. Better ways are:
- Report a bug against the relevant Ubuntu package, setting the
information type to "Public Security" or "Private Security".
- Directly email the security team. See the "How to report an issue to
us" section here: https://ubuntu.com/security/disclosure-policy.
Thanks,
Paride
More information about the Ubuntu-quality
mailing list