Andreas Gruenbacher

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a potential glock use-after-free on unmount in the gfs2 filesystem. When a DLM lockspace is released and there are still locks in that lockspace, DLM will unlock those locks automatically. However, this behavior did not take into account the bast callbacks for asynchronous lock contention notifications, which remain active until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, the glocks that should not be unlocked are put on the sd dead glocks list, the lockspace is released, and only then are those glocks freed. As an additional measure, unexpected ast and bast callbacks are ignored if the receiving glock is dead. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a NULL pointer dereference in the gfs2 log flush function. This occurs when outstanding glock work races with an unmount, specifically in the path from glock work func to gfs2 log flush through run queue, do xmote, and inode go sync. To prevent this, the code sets sdp->sd jdesc to NULL under the log flush lock in gfs2 jindex free and checks if sdp->sd jdesc is non-NULL before dereferencing it in gfs2 log flush. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Debian GNU/Linux kernel-image-2.4.27-* versions Debian GNU/Linux kernel-headers-2.4.27-* versions Debian GNU/Linux kernel-pcmcia-modules-2.4.27-* versions Debian GNU/Linux kernel-patch-2.4.27-* versions Debian GNU/Linux kernel-build-2.4.27-* versions Debian GNU/Linux kernel-tree-2.4.27 versions Debian GNU/Linux kernel-source-2.4.27 versions Debian GNU/Linux kernel-doc-2.4.27 versions Debian GNU/Linux mips-tools versions **Description** The issue is related to multiple vulnerabilities in the Debian GNU/Linux kernel packages, which can lead to a disruption of protected information. These vulnerabilities can be exploited remotely. The problem is also related to the ext2 and ext3 file system code for the Linux kernel 2.6, where the xattr.c does not properly compare the name index fields when sharing xattr blocks, potentially preventing default ACLs from being applied. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.