CVE-2024-42084

CVE Details

Release Date:	2024-07-29
Impact:	Moderate	What is this?

Description

In the Linux kernel, the following vulnerability has been resolved:\nftruncate: pass a signed offset\nThe old ftruncate() syscall, using the 32-bit off_t misses a sign\nextension when called in compat mode on 64-bit architectures. As a\nresult, passing a negative length accidentally succeeds in truncating\nto file size between 2GiB and 4GiB.\nChanging the type of the compat syscall to the signed compat_off_t\nchanges the behavior so it instead returns -EINVAL.\nThe native entry point, the truncate() syscall and the corresponding\nloff_t based variants are all correct already and do not suffer\nfrom this mistake.

See more information about CVE-2024-42084 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	5.7
Vector String:	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Version:	3.1
Attack Vector:	Local
Attack Complexity:	High
Privileges Required:	High
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	High
Integrity Impact:	High
Availability Impact:	None

Errata information

Platform	Errata	Release Date
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12610	2024-09-10
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12779	2024-10-11
Oracle Linux version 7 (kernel-uek-container)	ELSA-2024-12612	2024-09-11
Oracle Linux version 8 (kernel)	ELSA-2024-7000	2024-09-24
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12610	2024-09-10
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12618	2024-09-12
Oracle Linux version 8 (kernel-uek-container)	ELSA-2024-12612	2024-09-11
Oracle Linux version 9 (kernel)	ELSA-2024-9315	2024-11-14
Oracle Linux version 9 (kernel-uek)	ELSA-2024-12618	2024-09-12