Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2

[Tyler Hicks <tyhicks () canonical com>]

On 2019-09-27 19:01:48, Andrey Konovalov wrote:
> On Fri, Sep 27, 2019 at 6:51 PM Tyler Hicks <tyhicks () canonical com> wrote:
> > On 2019-08-20 20:20:34, Andrey Konovalov wrote:
> > > * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15290
> > >
> > > An issue was discovered in the Linux kernel through 5.2.9. There is a
> > > NULL pointer dereference caused by a malicious USB device in the
> > > ath6kl_usb_alloc_urb_from_pipe function in the
> > > drivers/net/wireless/ath/ath6kl/usb.c driver.
> >
> > This seems like it might be a duplicate of CVE-2019-15098. The fix for
> > CVE-2019-15098 was recently merged upstream:
> >
> >  
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39d170b3cb62ba98567f5c4f40c27b5864b304e5
> >
> > If you agree, could you request that MITRE mark CVE-2019-15290 as a
> > duplicate of CVE-2019-15098?
>
> Oh, nice, Mathias and Hui found it as well and fixed it! =)
>
> Yes, these two CVEs are for the same issue, feel free to mark them as such.

I've requested that MITRE mark CVE-2019-15290 as a dupe of
CVE-2019-15098. Thanks!

Tyler