Bug 1207846

Summary: VUL-0: CVE-2023-25012: The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long
Product: [Novell Products] SUSE Security Incidents
Reporter: Stoyan Manolov <stoyan.manolov>
Component: Incidents
Assignee: Kernel Bugs <kernel-bugs>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team, thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/355951/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-25012:6.8:(AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Stoyan Manolov 2023-02-02 05:28:53 UTC
CVE-2023-25012

The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in
drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers
remain registered for too long.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25012
https://www.cve.org/CVERecord?id=CVE-2023-25012
https://seclists.org/oss-sec/2023/q1/53
https://lore.kernel.org/all/20230125-hid-unregister-leds-v1-1-9a5192dcef16@diag.uniroma1.it/

Comment 1 Thomas Leroy 2023-02-02 07:41:26 UTC
Already opened as bsc#1207560

*** This bug has been marked as a duplicate of bug 1207560 ***

Comment 2 Maintenance Automation 2023-03-16 08:30:13 UTC
SUSE-SU-2023:0749-1: An update that solves 12 vulnerabilities and has 25 fixes can now be installed.

Category: security (important)
Bug References: 1177529, 1193629, 1197534, 1198438, 1200054, 1202633, 1203331, 1204363, 1204993, 1205544, 1205846, 1206103, 1206232, 1206935, 1207051, 1207270, 1207560, 1207845, 1207846, 1208212, 1208420, 1208449, 1208534, 1208541, 1208542, 1208570, 1208607, 1208628, 1208700, 1208741, 1208759, 1208776, 1208784, 1208787, 1208816, 1208837, 1208843
CVE References: CVE-2022-3523, CVE-2022-38096, CVE-2023-0461, CVE-2023-0597, CVE-2023-1118, CVE-2023-22995, CVE-2023-22998, CVE-2023-23000, CVE-2023-23004, CVE-2023-23559, CVE-2023-25012, CVE-2023-26545
Sources used:
openSUSE Leap 15.4 (src): kernel-syms-rt-5.14.21-150400.15.14.1, kernel-source-rt-5.14.21-150400.15.14.2
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_4-1-150400.1.3.1
SUSE Real Time Module 15-SP4 (src): kernel-syms-rt-5.14.21-150400.15.14.1, kernel-source-rt-5.14.21-150400.15.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 3 Maintenance Automation 2023-03-28 08:30:23 UTC
SUSE-SU-2023:1609-1: An update that solves 17 vulnerabilities and has 44 fixes can now be installed.

Category: security (important)
Bug References: 1177529, 1193629, 1197534, 1197617, 1198438, 1200054, 1202353, 1202633, 1203200, 1203331, 1204363, 1204993, 1205544, 1205846, 1206103, 1206232, 1206492, 1206493, 1206824, 1206935, 1207051, 1207270, 1207529, 1207560, 1207845, 1207846, 1208179, 1208212, 1208420, 1208449, 1208534, 1208541, 1208542, 1208570, 1208598, 1208599, 1208601, 1208605, 1208607, 1208628, 1208700, 1208741, 1208759, 1208776, 1208777, 1208784, 1208787, 1208816, 1208837, 1208843, 1208848, 1209008, 1209159, 1209188, 1209256, 1209258, 1209262, 1209291, 1209436, 1209457, 1209504
CVE References: CVE-2022-3523, CVE-2022-38096, CVE-2023-0461, CVE-2023-0597, CVE-2023-1075, CVE-2023-1076, CVE-2023-1078, CVE-2023-1095, CVE-2023-1118, CVE-2023-22995, CVE-2023-22998, CVE-2023-23000, CVE-2023-23004, CVE-2023-23559, CVE-2023-25012, CVE-2023-26545, CVE-2023-28328
Sources used:
openSUSE Leap 15.4 (src): kernel-source-rt-5.14.21-150400.15.18.1, kernel-syms-rt-5.14.21-150400.15.18.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_5-1-150400.1.3.1
SUSE Real Time Module 15-SP4 (src): kernel-source-rt-5.14.21-150400.15.18.1, kernel-syms-rt-5.14.21-150400.15.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 Maintenance Automation 2023-06-06 12:30:56 UTC
SUSE-SU-2023:0749-2: An update that solves 12 vulnerabilities and has 27 fixes can now be installed.

Category: security (important)
Bug References: 1177529, 1193629, 1197534, 1198438, 1200054, 1202633, 1203331, 1204363, 1204993, 1205544, 1205846, 1206103, 1206232, 1206935, 1207051, 1207270, 1207560, 1207845, 1207846, 1208212, 1208420, 1208449, 1208534, 1208541, 1208542, 1208570, 1208607, 1208628, 1208700, 1208741, 1208759, 1208776, 1208784, 1208787, 1208816, 1208837, 1208843, 1209188, 1209436
CVE References: CVE-2022-3523, CVE-2022-38096, CVE-2023-0461, CVE-2023-0597, CVE-2023-1118, CVE-2023-22995, CVE-2023-22998, CVE-2023-23000, CVE-2023-23004, CVE-2023-23559, CVE-2023-25012, CVE-2023-26545
Sources used:
openSUSE Leap 15.4 (src): kernel-syms-rt-5.14.21-150400.15.14.1, kernel-source-rt-5.14.21-150400.15.14.2
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_4-1-150400.1.3.1
SUSE Real Time Module 15-SP4 (src): kernel-syms-rt-5.14.21-150400.15.14.1, kernel-source-rt-5.14.21-150400.15.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.