- Security-bulletin - lists.openatom.io

2024年4月安全公告

by 王晨

发布于2024.04.02 CVE漏洞描述漏洞影响严重程度受影响的版本受影响的仓库修复链接 CVE-2024-21834Arkui类型混淆漏洞本地攻击者通过本漏洞造成app crash低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasearkui_ace_engine3.2.x CVE-2024-22177Audio权限管理不当漏洞本地攻击者通过本漏洞造成app crash低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasemultimedia_audio_framework3.2.x CVE-2024-22098AVSession释放后使用漏洞本地攻击者通过本漏洞可在任意应用中执行代码中危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasemultimedia_av_session3.2.x CVE-2024-22180Camera释放后使用漏洞本地攻击者通过本漏洞造成DOS低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasemultimedia_camera_framework3.2.x 4.0.x CVE-2024-29074Telephony入参检测不完善漏洞本地攻击者通过本漏洞可在任意应用中执行代码中危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasetelephony_cellular_call3.2.x 3.2.x CVE-2024-22092包管理权限管理不当漏洞远程攻击者通过本漏洞绕过管控安装应用, 但需要本地用户的交互高危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasebundlemanager_bundle_framework3.2.x CVE-2024-24581方舟eTS运行时越界写漏洞本地攻击者通过本漏洞可在任意应用中执行代码中危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasearkcompiler_ets_runtime3.2.x 4.0.x CVE-2024-28226文件系统入参检测不完善漏洞远程攻击者通过本漏洞造成DOS高危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasekernel_linux_5.103.2.x 4.0.x CVE-2024-28951方舟eTS运行时释放后使用漏洞本地攻击者通过本漏洞可在预装应用中执行代码中危OpenHarmony-v4.0-Releasearkcompiler_ets_runtime4.0.x CVE-2024-29086方舟eTS运行时栈溢出漏洞本地攻击者通过本漏洞造成DOS低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasearkcompiler_ets_runtime3.2.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本 CVE严重程度CVSS 3.1 得分受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2024-0641中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2022-48619中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-39197中危4.0kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0584中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-46343中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-23851中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-23850中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-23849中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0639中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0775高危7.1kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-51043高危7.0kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-52340高危7.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-46838高危7.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2022-2503中危6.7kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2014-0069高危8.4kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-1086高危7.8kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2015-5157高危8.4kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2021-46958高危7.8kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-25062高危7.5third_party_libxml2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-24806致命9.8third_party_libuvOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-22195中危6.1third_party_jinja2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0814中危6.5third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0810中危4.3third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-6040高危7.8kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x 请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至04月。对应维护版本安全补丁修改方式参考链接 3.2.xhttps://gitee.com/openharmony/startup_init/pulls/2633 4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2632

3 weeks, 4 days

1
0
0 0

2024年3月安全公告

by 王晨

发布于2024.03.04 CVE漏洞描述漏洞影响CVSS3.1得分受影响的版本受影响的仓库修复链接 CVE-2023-25176剪切板越界读漏洞本地攻击者通过本漏洞造成信息泄露2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasedistributeddatamgr_pasteboard3.2.x CVE-2023-46708WLAN UAF漏洞本地攻击者通过本漏洞可在任意应用中执行代码4.3OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasecommunication_wifi3.2.x CVE-2023-49602Arkui 类型混淆漏洞本地攻击者通过本漏洞造成应用崩溃2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasearkui_ace_engine3.2.x 3.2.x CVE-2024-21816后台任务管理权限管理不当漏洞本地攻击者通过本漏洞绕过鉴权访问数据4.0OpenHarmony-v4.0-Releaseresourceschedule_background_task_mgr4.0.x CVE-2024-21826密钥管理敏感信息泄露漏洞近场攻击者通过本漏洞造成敏感信息泄露4.3OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasesecurity_huks3.2.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本 CVE严重程度CVSS 3.1 得分受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2024-0519高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0518高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0333中危5.3third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0224高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0223高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2024-0222高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-7192中危4.4kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-7024高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-6531高危7.0kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-6112高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5997高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5996高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5849高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5717高危7.8kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-5482高危8.8third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-5480中危6.1third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-51782中危4.6kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-51781中危4.6kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-51780中危4.6kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x CVE-2023-45897致命9.1third_party_exfatprogsOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2022-46908高危7.3third_party_sqliteOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2021-44879中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x 请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至03月。对应维护版本安全补丁修改方式参考链接 3.2.xhttps://gitee.com/openharmony/startup_init/pulls/2550 4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2549

1 month, 3 weeks

1
0
0 0

2024年2月安全公告

by 王晨

发布于2024.02.02 CVE漏洞描述漏洞影响CVSS3.1得分受影响的版本受影响的仓库修复链接 CVE-2023-49118软总线越界读漏洞本地攻击者通过本漏洞造成信息泄露2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasecommunication_dsoftbus3.2.x CVE-2023-43756软总线越界读漏洞本地攻击者通过本漏洞造成信息泄露2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasecommunication_dsoftbus3.2.x CVE-2023-45734软总线越界写漏洞近场攻击者通过本漏洞执行代码4.2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasecommunication_dsoftbus3.2.x CVE-2024-21860软总线释放后使用漏洞近场攻击者通过本漏洞在任意应用中执行代码8.2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_dsoftbus3.2.x 4.0.x CVE-2024-21845软总线整数溢出漏洞近场攻击者通过本漏洞造成堆溢出2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_dsoftbus3.2.x 4.0.x CVE-2024-21851软总线整数溢出漏洞近场攻击者通过本漏洞造成堆溢出2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_dsoftbus3.2.x 4.0.x CVE-2024-21863软总线数据校验不完善的漏洞近场攻击者通过本漏洞造成DOS4.7OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_dsoftbus3.2.x 4.0.x CVE-2024-0285软总线未判断数据长度的漏洞近场攻击者通过本漏洞造成DOS4.7OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasecommunication_ipc3.2.x 4.0.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本 CVECVSS 3.1 得分严重程度受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2023-56785.3中危third_party_opensslOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2023-444298.8高危third_party_gstreamerOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2023-444468.8高危third_party_gstreamerOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release3.2.x CVE-2023-65108.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-63459.6致命third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-63478.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-65088.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-68177.8高危kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-69317.8高危kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-69327.0高危kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-350017.8高危kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-71047.3高危third_party_sqliteOpenHarmony-v4.0-Release4.0.x CVE-2023-67058.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-67028.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-67038.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release3.2.x 4.0.x 请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至02月。对应维护版本安全补丁修改方式参考链接 3.2.xhttps://gitee.com/openharmony/startup_init/pulls/2478 4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2481

2 months, 3 weeks

1
0
0 0

2024年1月安全公告

by 王晨

发布于2024.01.02 CVE漏洞描述漏洞影响CVSS3.1基础得分受影响的版本受影响的仓库修复链接 CVE-2023-47216Liteos-A 资源未释放的漏洞本地攻击者通过本漏洞造成DOS2.9OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2third_party_musl3.2.x CVE-2023-49142多媒体音频组件指针释放后使用的漏洞本地攻击者通过本漏洞造成音频组件崩溃4.0OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2multimedia_audio_framework3.2.x CVE-2023-47857多媒体相机组件指针释放后使用的漏洞本地攻击者通过本漏洞造成相机组件崩溃4.0OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2multimedia_camera_framework3.2.x CVE-2023-49135多媒体播放器组件指针释放后使用的漏洞本地攻击者通过本漏洞造成播放器组件崩溃4.0OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2multimedia_player_framework3.2.x CVE-2023-48360多媒体播放器组件指针释放后使用的漏洞本地攻击者通过本漏洞造成播放器组件崩溃4.0OpenHarmony-v3.2-Release到OpenHarmony-v3.2.2multimedia_player_framework3.2.x 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本，详细信息请参考三方公告。 CVE严重程度CVSS 3.1得分受影响的仓库受影响的OpenHarmony版本修复链接 CVE-2023-58498.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-54806.1中危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-54828.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-59968.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-61128.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-59978.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-57177.8高危kernel_linux_5.10OpenHarmony-v4.0-Release4.0.x CVE-2023-53637.5中危third_party_opensslOpenHarmony-v4.0-Release4.0.x CVE-2022-469087.3中危third_party_sqliteOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release3.2.x CVE-2023-404756.3中危third_party_gstreamerOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-404768.3高危third_party_gstreamerOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-54728.8高危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x CVE-2023-54846.5中危third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.2-Release OpenHarmony-v4.0-Release3.2.x 4.0.x 如下是各维护版本的安全补丁标签，请在合入当月及之前全部对应安全补丁之后，更新安全补丁标签。安全补丁标签链接 2024年01月[4.0.x] [3.2.x]

3 months, 3 weeks