<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_CONFIRMED" title="CONFIRMED - [CVE 21] multipath-tools 0.8.9 CVEs found" href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13278">13278</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] multipath-tools 0.8.9 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2022-41973, CVE-2022-41974,
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package multipath-tools version 0.8.9
INFO (CVEs are): multipath-tools 0.8.9
CVEs found
CVE-2022-41973
Desc: multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to
obtain root access, as exploited in conjunction with CVE-2022-41974. Local
users able to access /dev/shm can change symlinks in multipathd due to
incorrect symlink handling, which could lead to controlled file writes outside
of the /dev/shm directory. This could be used indirectly for local privilege
escalation to root.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-41973">https://nvd.nist.gov/vuln/detail/CVE-2022-41973</a>
Severity: HIGH
CVE-2022-41974
Desc: multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to
obtain root access, as exploited alone or in conjunction with CVE-2022-41973.
Local users able to write to UNIX domain sockets can bypass access controls and
manipulate the multipath setup. This can lead to local privilege escalation to
root. This occurs because an attacker can repeat a keyword, which is mishandled
because arithmetic ADD is used instead of bitwise OR.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-41974">https://nvd.nist.gov/vuln/detail/CVE-2022-41974</a>
Severity: HIGH</pre>
</div>
</p>
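<p>The "arithmetic ADD instead of bitwise OR" flaw named in the CVE-2022-41974 description, as an added example that is not part of this bug report or of multipath-tools: a constructed keyword-to-bitmask command parser in which the arithmetic accumulation lets a line made only of read-only keywords land on the fingerprint of a state-changing handler, beside the bitwise-OR version, which is idempotent and rejects a repeated keyword. Keyword names, bit codes and handler names are invented for the illustration.</p>

```c
#include <stdio.h>
#include <string.h>
/* Constructed analogue of the mechanism in the CVE-2022-41974 text above, not
 * multipath-tools' code: each keyword is one bit and the combined bits (the
 * "fingerprint") select the handler. Keyword names and codes are invented. */
enum { KW_LIST = 1u << 0, KW_ADD = 1u << 1, KW_DEL = 1u << 2, KW_MAP = 1u << 3 };
static const struct { const char *name; unsigned code; } keywords[] = {
    { "list", KW_LIST }, { "add", KW_ADD }, { "del", KW_DEL }, { "map", KW_MAP } };
/* "show_maps" is read-only; the other two handlers modify the setup. */
static const struct { unsigned fp; const char *handler; } handlers[] = {
    { KW_LIST | KW_MAP, "show_maps" }, { KW_ADD | KW_MAP, "add_map" },
    { KW_DEL | KW_MAP, "del_map" } };

static unsigned keyword_code(const char *tok)
{
    for (size_t i = 0; i < sizeof keywords / sizeof keywords[0]; i++)
        if (strcmp(tok, keywords[i].name) == 0)
            return keywords[i].code;
    return 0; /* unknown keyword */
}

/* Fingerprint of a space-separated command line, or -1 on bad input.
 * combine_or == 0: the flawed arithmetic accumulation ('+=').
 * combine_or == 1: bitwise OR, and a repeated keyword is rejected. */
static long fingerprint(const char *line, int combine_or)
{
    char buf[256];
    unsigned fp = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        unsigned code = keyword_code(tok);
        if (code == 0 || (combine_or && (fp & code)))
            return -1;
        if (combine_or)
            fp |= code; /* idempotent: "list list" stays KW_LIST */
        else
            fp += code; /* KW_LIST + KW_LIST == KW_ADD, a different command */
    }
    return (long)fp;
}

/* Handler a command line reaches, or NULL when no fingerprint matches. */
static const char *dispatch(const char *line, int combine_or)
{
    long fp = fingerprint(line, combine_or);
    for (size_t i = 0; fp >= 0 && i < sizeof handlers / sizeof handlers[0]; i++)
        if (handlers[i].fp == (unsigned)fp)
            return handlers[i].handler;
    return NULL;
}
```

<p>With the arithmetic version, "list list map" (read-only keywords only) reaches "add_map"; with the OR version the same line is rejected and "list map" still reaches "show_maps", which is the check to keep in a regression test for this class of bug.</p>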
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>