Cloud Foundry Logo
blog single gear
Security Advisory

USN-6258-1: LLVM Toolchain vulnerabilities

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 22.04

Description

It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. (CVE-2023-29932, CVE-2023-29934, CVE-2023-29939) It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. This issue only affected llvm-toolchain-15. (CVE-2023-29933) Update Instructions: Run `sudo pro fix USN-6258-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libomp5-13 – 1:13.0.1-2ubuntu2.2 libc++abi-13-dev – 1:13.0.1-2ubuntu2.2 llvm-13-linker-tools – 1:13.0.1-2ubuntu2.2 python3-lldb-13 – 1:13.0.1-2ubuntu2.2 llvm-13-examples – 1:13.0.1-2ubuntu2.2 clang-format-13 – 1:13.0.1-2ubuntu2.2 libllvm-13-ocaml-dev – 1:13.0.1-2ubuntu2.2 libclang-cpp13 – 1:13.0.1-2ubuntu2.2 libc++-13-dev – 1:13.0.1-2ubuntu2.2 libllvm13 – 1:13.0.1-2ubuntu2.2 lld-13 – 1:13.0.1-2ubuntu2.2 liblld-13 – 1:13.0.1-2ubuntu2.2 libclang-13-dev – 1:13.0.1-2ubuntu2.2 libmlir-13-dev – 1:13.0.1-2ubuntu2.2 libomp-13-doc – 1:13.0.1-2ubuntu2.2 libclc-13 – 1:13.0.1-2ubuntu2.2 clang-tools-13 – 1:13.0.1-2ubuntu2.2 llvm-13-doc – 1:13.0.1-2ubuntu2.2 llvm-13-runtime – 1:13.0.1-2ubuntu2.2 libunwind-13-dev – 1:13.0.1-2ubuntu2.2 python3-clang-13 – 1:13.0.1-2ubuntu2.2 clangd-13 – 1:13.0.1-2ubuntu2.2 libmlir-13 – 1:13.0.1-2ubuntu2.2 libclang1-13 – 1:13.0.1-2ubuntu2.2 libomp-13-dev – 1:13.0.1-2ubuntu2.2 libc++abi1-13 – 1:13.0.1-2ubuntu2.2 liblldb-13 – 1:13.0.1-2ubuntu2.2 clang-13-doc – 1:13.0.1-2ubuntu2.2 llvm-13 – 1:13.0.1-2ubuntu2.2 libc++1-13 – 1:13.0.1-2ubuntu2.2 libclang-common-13-dev – 1:13.0.1-2ubuntu2.2 clang-13-examples – 1:13.0.1-2ubuntu2.2 libfuzzer-13-dev – 1:13.0.1-2ubuntu2.2 libclang-cpp13-dev – 1:13.0.1-2ubuntu2.2 llvm-13-dev – 1:13.0.1-2ubuntu2.2 lldb-13 – 1:13.0.1-2ubuntu2.2 liblld-13-dev – 1:13.0.1-2ubuntu2.2 clang-13 – 1:13.0.1-2ubuntu2.2 liblldb-13-dev – 1:13.0.1-2ubuntu2.2 mlir-13-tools – 1:13.0.1-2ubuntu2.2 clang-tidy-13 – 1:13.0.1-2ubuntu2.2 libclc-13-dev – 1:13.0.1-2ubuntu2.2 llvm-13-tools – 1:13.0.1-2ubuntu2.2 libunwind-13 – 1:13.0.1-2ubuntu2.2 No subscription required libomp5-14 – 1:14.0.0-1ubuntu1.1 libllvm-14-ocaml-dev – 1:14.0.0-1ubuntu1.1 libc++abi-14-dev – 1:14.0.0-1ubuntu1.1 liblldb-14 – 1:14.0.0-1ubuntu1.1 libclang-14-dev – 1:14.0.0-1ubuntu1.1 clang-format-14 – 1:14.0.0-1ubuntu1.1 libc++-14-dev – 1:14.0.0-1ubuntu1.1 llvm-14-doc – 1:14.0.0-1ubuntu1.1 libclang-cpp14 – 1:14.0.0-1ubuntu1.1 libomp-14-dev – 1:14.0.0-1ubuntu1.1 libllvm14 – 1:14.0.0-1ubuntu1.1 lld-14 – 1:14.0.0-1ubuntu1.1 liblld-14 – 1:14.0.0-1ubuntu1.1 libunwind-14-dev – 1:14.0.0-1ubuntu1.1 clang-14-doc – 1:14.0.0-1ubuntu1.1 libfuzzer-14-dev – 1:14.0.0-1ubuntu1.1 libclc-14 – 1:14.0.0-1ubuntu1.1 libclang-cpp14-dev – 1:14.0.0-1ubuntu1.1 libc++abi1-14 – 1:14.0.0-1ubuntu1.1 clang-tools-14 – 1:14.0.0-1ubuntu1.1 python3-lldb-14 – 1:14.0.0-1ubuntu1.1 clangd-14 – 1:14.0.0-1ubuntu1.1 python3-clang-14 – 1:14.0.0-1ubuntu1.1 libclang1-14 – 1:14.0.0-1ubuntu1.1 llvm-14-runtime – 1:14.0.0-1ubuntu1.1 llvm-14-tools – 1:14.0.0-1ubuntu1.1 libmlir-14 – 1:14.0.0-1ubuntu1.1 llvm-14-examples – 1:14.0.0-1ubuntu1.1 libmlir-14-dev – 1:14.0.0-1ubuntu1.1 liblldb-14-dev – 1:14.0.0-1ubuntu1.1 llvm-14 – 1:14.0.0-1ubuntu1.1 libclc-14-dev – 1:14.0.0-1ubuntu1.1 libc++1-14 – 1:14.0.0-1ubuntu1.1 mlir-14-tools – 1:14.0.0-1ubuntu1.1 libomp-14-doc – 1:14.0.0-1ubuntu1.1 liblld-14-dev – 1:14.0.0-1ubuntu1.1 llvm-14-linker-tools – 1:14.0.0-1ubuntu1.1 libclang-common-14-dev – 1:14.0.0-1ubuntu1.1 lldb-14 – 1:14.0.0-1ubuntu1.1 llvm-14-dev – 1:14.0.0-1ubuntu1.1 clang-14 – 1:14.0.0-1ubuntu1.1 clang-tidy-14 – 1:14.0.0-1ubuntu1.1 libunwind-14 – 1:14.0.0-1ubuntu1.1 clang-14-examples – 1:14.0.0-1ubuntu1.1 No subscription required mlir-15-tools – 1:15.0.7-0ubuntu0.22.04.3 libmlir-15 – 1:15.0.7-0ubuntu0.22.04.3 liblldb-15 – 1:15.0.7-0ubuntu0.22.04.3 clang-format-15 – 1:15.0.7-0ubuntu0.22.04.3 liblld-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libclang-cpp15 – 1:15.0.7-0ubuntu0.22.04.3 libllvm15 – 1:15.0.7-0ubuntu0.22.04.3 libunwind-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libfuzzer-15-dev – 1:15.0.7-0ubuntu0.22.04.3 lld-15 – 1:15.0.7-0ubuntu0.22.04.3 liblld-15 – 1:15.0.7-0ubuntu0.22.04.3 libclang-common-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libomp-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libomp-15-doc – 1:15.0.7-0ubuntu0.22.04.3 libllvm-15-ocaml-dev – 1:15.0.7-0ubuntu0.22.04.3 liblldb-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libclc-15 – 1:15.0.7-0ubuntu0.22.04.3 libmlir-15-dev – 1:15.0.7-0ubuntu0.22.04.3 clang-tools-15 – 1:15.0.7-0ubuntu0.22.04.3 python3-lldb-15 – 1:15.0.7-0ubuntu0.22.04.3 python3-clang-15 – 1:15.0.7-0ubuntu0.22.04.3 libclang1-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-examples – 1:15.0.7-0ubuntu0.22.04.3 clang-15-examples – 1:15.0.7-0ubuntu0.22.04.3 libc++-15-dev – 1:15.0.7-0ubuntu0.22.04.3 bolt-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15 – 1:15.0.7-0ubuntu0.22.04.3 libclc-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libc++1-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-doc – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-runtime – 1:15.0.7-0ubuntu0.22.04.3 clang-15-doc – 1:15.0.7-0ubuntu0.22.04.3 libc++abi-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libunwind-15 – 1:15.0.7-0ubuntu0.22.04.3 lldb-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-linker-tools – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-tools – 1:15.0.7-0ubuntu0.22.04.3 clang-15 – 1:15.0.7-0ubuntu0.22.04.3 libclang-cpp15-dev – 1:15.0.7-0ubuntu0.22.04.3 libc++abi1-15 – 1:15.0.7-0ubuntu0.22.04.3 libclang-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libbolt-15-dev – 1:15.0.7-0ubuntu0.22.04.3 clangd-15 – 1:15.0.7-0ubuntu0.22.04.3 clang-tidy-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libomp5-15 – 1:15.0.7-0ubuntu0.22.04.3 No subscription required

CVEs contained in this USN include: CVE-2023-29932, CVE-2023-29933, CVE-2023-29934, CVE-2023-29939.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • cflinuxfs4
    • All versions prior to 1.25.0
  • Jammy Stemcells
    • 1.x versions prior to 1.199
    • All other stemcells not listed.
  • CF Deployment
    • All versions with Jammy Stemcells prior to 1.199

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • cflinuxfs4
    • Upgrade all versions to 1.25.0 or greater
  • Jammy Stemcells
    • Upgrade 1.x versions to 1.199 or greater
    • All other stemcells should be upgraded to the latest version available on bosh.io.
  • CF Deployment
    • For all versions, upgrade Jammy Stemcells to 1.199 or greater

History

2023-08-16: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES