Kernel Patch for DirtyCred (CVE-2022-2588)

Mar 16, 2022
Hello,

is there a patch available for CVE-2022-2588, alias DirtyCred?
If yes, which kernel version fixes this issue?

In general, how can I figure out myself which kernel update solves which vulnerability?

Regards,
Simon
Code:
apt changelog pve-kernel-XXX

usually gives you the answer. we don't explicitly call out every CVE fix that gets pulled in by updating the base Ubuntu kernel, so checking security.ubuntu.com in addition is sometimes necessary.

e.g., in this case:

Code:
apt changelog pve-kernel-5.15.53-1-pve

will contain the following entry:

Code:
pve-kernel (5.15.19-3) bullseye; urgency=medium

  * backport "lib/iov_iter: initialize "flags" in new pipe_buffer"
    fixing CVE-2022-0847 "dirty pipe"

 -- Proxmox Support Team <support@proxmox.com>  Mon, 07 Mar 2022 16:23:02 +0100

the same is true for our 5.13 kernel series, which was still maintained back then, where the fix was in (package!) version 5.13.19-11.

the changelogs are also published in our repositories, e.g.: http://download.proxmox.com/debian/pve/dists/bullseye/pve-no-subscription/binary-amd64/
 
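The `apt changelog` lookup described in the reply above, as an added example that is not part of the thread: a small POSIX shell helper (`cve_fix_version`, a name chosen here) that scans a Debian-format changelog for a CVE id and reports the newest package version whose entry names it. The sample changelog is constructed for this example; it embeds the real 5.15.19-3 entry quoted above plus a made-up 5.15.53-1 entry that, like the real one, does not name CVE-2022-2588, so the helper reports "not found" for that id and a check of security.ubuntu.com is still needed.

```shell
#!/bin/sh
# Added example, not from the thread. Find the newest package version whose
# Debian changelog entry mentions a given CVE id. Debian changelogs list
# entries newest-first, so the first match is the most recent mention.
# Real use on a Proxmox host (not run here):
#   apt changelog pve-kernel-5.15.53-1-pve | cve_fix_version CVE-2022-0847

cve_fix_version() {
    awk -v cve="$1" '
        # Entry header: "pkgname (version) distribution; urgency=..."
        /^[A-Za-z0-9][A-Za-z0-9.+-]* \([^)]*\) / {
            ver = $2
            gsub(/[()]/, "", ver)
        }
        # First line naming the CVE belongs to the current (newest) entry.
        index($0, cve) > 0 { print ver; found = 1; exit }
        END { if (!found) print "not found" }
    '
}

# Constructed sample changelog: the 5.15.19-3 entry is the real one quoted
# in the thread; the 5.15.53-1 entry and its trailer date are made up.
SAMPLE_CHANGELOG='pve-kernel (5.15.53-1) bullseye; urgency=medium

  * update to Ubuntu-5.15.0-48.54

 -- Proxmox Support Team <support@proxmox.com>  Thu, 01 Jan 1970 00:00:00 +0000

pve-kernel (5.15.19-3) bullseye; urgency=medium

  * backport "lib/iov_iter: initialize "flags" in new pipe_buffer"
    fixing CVE-2022-0847 "dirty pipe"

 -- Proxmox Support Team <support@proxmox.com>  Mon, 07 Mar 2022 16:23:02 +0100'

# Run the lookup against the sample when executed directly with a CVE argument.
if [ -n "${1:-}" ]; then
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_version "$1"
fi
```

Running it with `CVE-2022-0847` against the sample prints `5.15.19-3`; running it with `CVE-2022-2588` prints `not found`, which is exactly the situation the reply describes: a fix pulled in through the Ubuntu base kernel is not called out as a separate changelog line.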
Thanks a lot for your explanation.

Unfortunately I copied the wrong CVE-ID. DirtyCred's is CVE-2022-2588 (I already changed the title).

But by following your advice I think I've just solved the problem myself:
The changelog of pve-kernel-5.15.53-1-pve says 'update to Ubuntu-5.15.0-48.54' and Ubuntu's docs say CVE-2022-2588 is fixed in kernel version 5.15.0-46.49 or later (jammy). This should imply that DirtyCred is fixed in PVE kernel 5.15.53-1.
Is this correct?
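The inference in the post above (PVE kernel built on Ubuntu-5.15.0-48.54, Ubuntu's fix in 5.15.0-46.49 or later) comes down to a Debian package version comparison. As an added example that is not part of the thread, here is a POSIX shell helper that performs that comparison; `deb_version_ge` and `fix_included` are names chosen for this example. It compares dotted numeric components only, which is enough for Ubuntu kernel versions of this shape; on a Debian-based host the authoritative tool is `dpkg --compare-versions`, which implements the full Debian version grammar (epochs, tilde suffixes, letters).

```shell
#!/bin/sh
# Added example, not from the thread. Compare two Ubuntu kernel package
# versions of the form A.B.C-D.E and answer whether the first is >= the second.
# Simplified ordering: numeric comparison component by component, which
# covers versions like 5.15.0-48.54; for the full Debian version grammar use
#   dpkg --compare-versions "$1" ge "$2"
deb_version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/)
        nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi != yi) exit !(xi > yi)   # exit status 0 means a >= b
        }
        exit 0                              # equal versions
    }'
}

# Given the Ubuntu base version a PVE kernel was built from (read from its
# changelog) and the version Ubuntu lists as carrying the fix, report whether
# the fix is included. Prints "fixed" or "not fixed" and returns accordingly.
fix_included() {
    base="$1"   # e.g. 5.15.0-48.54, from "update to Ubuntu-5.15.0-48.54"
    fixed="$2"  # e.g. 5.15.0-46.49, from the Ubuntu CVE tracker (jammy)
    if deb_version_ge "$base" "$fixed"; then
        echo "fixed"
    else
        echo "not fixed"
        return 1
    fi
}

# The case from the thread: 5.15.53-1-pve is built on Ubuntu-5.15.0-48.54.
fix_included 5.15.0-48.54 5.15.0-46.49
```

For the thread's numbers this prints `fixed`, matching the conclusion drawn above; a base such as 5.15.0-45.50 would print `not fixed` and return non-zero, which makes the helper usable as a gate in a patch-compliance script.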