Debian Bug report logs - #1041863
amd64-microcode: CVE-2023-20593: use-after-free in AMD Zen2 processors

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 24 Jul 2023 16:03:01 UTC

Severity: grave

Tags: security, upstream

Found in versions amd64-microcode/3.20191218.1, amd64-microcode/3.20230414.1

Fixed in version amd64-microcode/3.20230719.1

Done: Henrique de Moraes Holschuh <hmh@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>:
Bug#1041863; Package src:amd64-microcode. (Mon, 24 Jul 2023 16:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>. (Mon, 24 Jul 2023 16:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: amd64-microcode: CVE-2023-20593: use-after-free in AMD Zen2 processors
Date: Mon, 24 Jul 2023 17:59:07 +0200
Source: amd64-microcode
Version: 3.20230414.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1  3.20191218.1

Hi,

The following vulnerability was published for amd64-microcode.

CVE-2023-20593[0]:
| use-after-free in AMD Zen2 processors

Merge request at [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-20593
    https://www.cve.org/CVERecord?id=CVE-2023-20593
[1] https://lock.cmpxchg8b.com/zenbleed.html
[2] https://salsa.debian.org/hmh/amd64-microcode/-/merge_requests/5

Regards,
Salvatore



Marked as found in versions amd64-microcode/3.20191218.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 24 Jul 2023 16:03:03 GMT)


Reply sent to Henrique de Moraes Holschuh <hmh@debian.org>:
You have taken responsibility. (Mon, 24 Jul 2023 16:51:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 24 Jul 2023 16:51:08 GMT)


Message #12 received at 1041863-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1041863-close@bugs.debian.org
Subject: Bug#1041863: fixed in amd64-microcode 3.20230719.1
Date: Mon, 24 Jul 2023 16:49:02 +0000
Source: amd64-microcode
Source-Version: 3.20230719.1
Done: Henrique de Moraes Holschuh <hmh@debian.org>

We believe that the bug you reported is fixed in the latest version of
amd64-microcode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1041863@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh <hmh@debian.org> (supplier of updated amd64-microcode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Jul 2023 13:07:34 -0300
Source: amd64-microcode
Architecture: source
Version: 3.20230719.1
Distribution: unstable
Urgency: high
Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
Changed-By: Henrique de Moraes Holschuh <hmh@debian.org>
Closes: 1041863
Changes:
 amd64-microcode (3.20230719.1) unstable; urgency=high
 .
   * Update package data from linux-firmware 20230625-39-g59fbffa9:
     * Fixes for CVE-2023-20593 "Zenbleed" on AMD Zen2 processors
       (closes: #1041863)
     * New Microcode patches:
       + Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a00008
     * Updated Microcode patches:
       + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107a
       + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079
       + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1
       + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234
   * README: update for new release
Checksums-Sha1:
 1263b79d06590da1853024c4a00e3766336fb0a8 1695 amd64-microcode_3.20230719.1.dsc
 72c9fa45ac3882c8804e72a7f8f2c5ffee48e840 120676 amd64-microcode_3.20230719.1.tar.xz
 b4e617ab310d5f633e0c486f7a5cf48fbed49e48 6680 amd64-microcode_3.20230719.1_amd64.buildinfo
Checksums-Sha256:
 7038054ec4fe57add514dd3b4683617bd5781b24d3a6a1ce144035e47d147fec 1695 amd64-microcode_3.20230719.1.dsc
 c6942f14f798056f26ec9eeae93e03f57975e513ef07f4173366f0cb519d2a30 120676 amd64-microcode_3.20230719.1.tar.xz
 485421994a42d167e3201cac193f21161afa82bc8e6f7f4f495dd2821f8bebe2 6680 amd64-microcode_3.20230719.1_amd64.buildinfo
Files:
 62073b5eca489f0bab7984f88aad24ef 1695 non-free-firmware/admin standard amd64-microcode_3.20230719.1.dsc
 026554c25951d0f410933e1a67d43a5c 120676 non-free-firmware/admin standard amd64-microcode_3.20230719.1.tar.xz
 41f75b81b241f5969459b919c8b44450 6680 non-free-firmware/admin standard amd64-microcode_3.20230719.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


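The changelog above lists the microcode patch level that carries the Zenbleed fix for each affected Family/Model/Stepping. The script below is an added example, not part of the bug report or of the amd64-microcode package: it parses `/proc/cpuinfo` text, looks up each processor's family, model and stepping in that table (copied from the changelog), and reports whether the active `microcode` level is at or above the listed patch level. Two assumptions are made here, not stated on the page: that the `microcode` field in `/proc/cpuinfo` reflects the currently active microcode (whether loaded early by the kernel or by firmware), and that AMD patch IDs increase monotonically within one Family/Model/Stepping, so a level at or above the listed one includes the fix. The sample `/proc/cpuinfo` stanzas are constructed for the example; the model names and microcode values are illustrative, not captured data.

```python
"""Compare a CPU's active microcode level against the Zenbleed
(CVE-2023-20593) patch levels from the amd64-microcode 3.20230719.1
changelog.  Added example; not Debian's or AMD's code.

Assumptions (not stated in the bug report):
  * /proc/cpuinfo's 'microcode' field is the currently active level.
  * Within one Family/Model/Stepping, AMD patch IDs increase
    monotonically, so level >= listed level carries the fix.
"""

# Patch levels copied from the changelog.  /proc/cpuinfo prints
# family/model/stepping in decimal; hex literals here match the changelog.
ZENBLEED_PATCH_LEVELS = {
    (0x17, 0xa0, 0x00): 0x08a00008,
    (0x17, 0x31, 0x00): 0x0830107a,
    (0x19, 0x01, 0x00): 0x0a001079,
    (0x19, 0x01, 0x01): 0x0a0011d1,
    (0x19, 0x01, 0x02): 0x0a001234,
}

# Constructed sample: three stanzas in /proc/cpuinfo format (as if taken
# from three different machines).  Values are illustrative only.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7302 16-Core Processor
stepping\t: 0
microcode\t: 0x8301055

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 9 3900X 12-Core Processor
stepping\t: 0
microcode\t: 0x8701021

processor\t: 2
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 1
model name\t: AMD EPYC 7313 16-Core Processor
stepping\t: 1
microcode\t: 0xa0011d1
"""


def parse_cpuinfo(text):
    """Return one dict per blank-line-separated 'processor' stanza."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def check_cpu(cpu):
    """Classify one stanza against the changelog table."""
    if cpu.get("vendor_id") != "AuthenticAMD":
        return "not-amd"
    key = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
    required = ZENBLEED_PATCH_LEVELS.get(key)
    if required is None:
        # The changelog lists no patch level for this part, so there is
        # nothing to compare against; this is not a statement of safety.
        return "not-in-table"
    active = int(cpu["microcode"], 16)
    return "ok" if active >= required else "below-fixed-level"


def check_cpuinfo(text):
    """Map processor index -> status for every stanza in the text."""
    return {cpu.get("processor"): check_cpu(cpu) for cpu in parse_cpuinfo(text)}


if __name__ == "__main__":
    import sys
    # With no argument, check the live system; with "--sample", the
    # constructed stanzas above.
    if "--sample" in sys.argv[1:]:
        text = SAMPLE_CPUINFO
    else:
        with open("/proc/cpuinfo") as f:
            text = f.read()
    for proc, status in check_cpuinfo(text).items():
        print(f"processor {proc}: {status}")
```

Run on a Linux host with `python3 check_ucode.py`, or with `--sample` to see the three outcomes: the Rome stanza reports `below-fixed-level` (0x8301055 is older than the listed 0x830107a), the Matisse stanza reports `not-in-table` because this package revision lists no patch for Family 0x17 Model 0x71, and the Milan stanza reports `ok`. A `not-in-table` result only means the changelog gives nothing to compare against; it should be read together with the vendor's guidance for that part, not as a clean bill of health.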



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 25 11:50:01 2023; Machine Name: buxtehude
