From 20ea490dc322640d52ee4d01ae5a61870f58ec8b Mon Sep 17 00:00:00 2001 From: wangchen Date: Tue, 6 May 2025 16:37:15 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E2025=E5=B9=B405=E6=9C=88?= =?UTF-8?q?=E5=AE=89=E5=85=A8=E5=85=AC=E5=91=8A?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit close #IC5QWB Signed-off-by: wangchen --- en/security-disclosure/2025/2025-05.md | 40 +++++++++++++++++++++++ en/security-disclosure/README.md | 1 + zh/security-disclosure/2025/2025-05.md | 44 ++++++++++++++++++++++++++ zh/security-disclosure/README.md | 1 + 4 files changed, 86 insertions(+) create mode 100644 en/security-disclosure/2025/2025-05.md create mode 100644 zh/security-disclosure/2025/2025-05.md diff --git a/en/security-disclosure/2025/2025-05.md b/en/security-disclosure/2025/2025-05.md new file mode 100644 index 0000000..e5448ec --- /dev/null +++ b/en/security-disclosure/2025/2025-05.md @@ -0,0 +1,40 @@ +## Security Vulnerabilities in May 2025 +_published May 06,2025_
+_updated May 06,2025_ + +### Note: At the OpenHarmony 5.0 stage, among all the branches only the OpenHarmony-5.0.3-Release branch is currently maintained for security vulnerability fixes. + +| CVE | Vulnerability Description | Vulnerability Impact | severity | CVSS3.1 | affected versions | affected projects| fix link | +| ---- | -------- | -------- | --------------- | ------------ | ------------ | -------- | -------- | +| CVE-2025-25218 | third_party_mksh has a NULL pointer dereference vulnerability | allow a local attacker cause DOS | Low | 3.3 | OpenHarmony-v5.0.3-Release | third_party_mksh | [5.0.3.x](https://gitee.com/openharmony/third_party_mksh/pulls/68) +| CVE-2025-27132 | arkcompiler_ets_runtime has an out-of-bounds write vulnerability | in restricted scenarios allow a local attacker arbitrary code execution in pre-installed apps. | Low | 3.8 | OpenHarmony-v5.0.3-Release | arkcompiler_ets_runtime | [5.0.3.x](https://gitee.com/openharmony/arkcompiler_ets_runtime/pulls/11279) +| CVE-2025-22886 | distributeddatamgr_udmf has a memory leak vulnerability | allow a local attacker cause DOS | Low | 3.3 | OpenHarmony-v5.0.3-Release | distributeddatamgr_udmf | [5.0.3.x](https://gitee.com/openharmony/distributeddatamgr_udmf/pulls/526) +| CVE-2025-27248 | ai_neural_network_runtime has a NULL pointer dereference vulnerability | allow a local attacker cause DOS | Low | 3.3 | OpenHarmony-v5.0.3-Release | ai_neural_network_runtime | [5.0.3.x](https://gitee.com/openharmony/ai_neural_network_runtime/pulls/258) +| CVE-2025-27241 | multimedia_av_codec has a NULL pointer dereference vulnerability | allow a local attacker cause DOS | Low | 3.3 | OpenHarmony-v5.0.3-Release | multimedia_av_codec | [5.0.3.x](https://gitee.com/openharmony/multimedia_av_codec/pulls/4465) +| CVE-2025-25052 | arkcompiler_ets_runtime has a buffer overflow vulnerability | allow a local attacker cause DOS | Low | 3.3 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | arkcompiler_ets_runtime | [5.0.3.x](https://gitee.com/openharmony/arkcompiler_ets_runtime/pulls/11067)
[4.1.x](https://gitee.com/openharmony/arkcompiler_ets_runtime/pulls/10951) + +### The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third-parties. + +| CVE | severity | CVSS3.1 | affected repository |affected OpenHarmony versions | fix link | +| -------------- | -------- | ------------ |-------------| ------------------------------------------------------------ | ------------------------------------------------------ | +| CVE-2024-42315 | Medium | 5.5 | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/de7b4d9a28a2d1a2d6770f0c0d3e9b37aab35fe1)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/de7b4d9a28a2d1a2d6770f0c0d3e9b37aab35fe1) +| CVE-2024-42265 | None | not yet provided | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/207689a76b6373878c34d91248db1c9954cfe4ed)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/207689a76b6373878c34d91248db1c9954cfe4ed) +| CVE-2024-41014 | Medium | 3.5 | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/04bf2f2d6fc1933fe7212432cae0508f96adb516)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/04bf2f2d6fc1933fe7212432cae0508f96adb516) +| CVE-2024-36927 | Medium | 4.7 | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/2661944db0acd0cab5a2b8d4d419da5aa5a36c3c)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/2661944db0acd0cab5a2b8d4d419da5aa5a36c3c) +| CVE-2022-48944 | Medium | 5.5 | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/1ce5e4a4e76cac03eb1a17d090f64e47d58c2687)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/1ce5e4a4e76cac03eb1a17d090f64e47d58c2687) + +### The following are the security patch labels for each maintenance version. Please update the security patch labels after incorporating all corresponding security patches of the current month or earlier. + + + + + + + + + + + + + +
Security patch labelfix links
May 2025[5.0.3.x]
[4.1.x]
\ No newline at end of file diff --git a/en/security-disclosure/README.md b/en/security-disclosure/README.md index cfea6a4..5fd153f 100644 --- a/en/security-disclosure/README.md +++ b/en/security-disclosure/README.md @@ -2,6 +2,7 @@ This document describes the security vulnerabilities of OpenHarmony. ## Security Vulnerabilities in 2025 +**[Security Vulnerabilities in May](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2025/2025-05.md)** **[Security Vulnerabilities in April](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2025/2025-04.md)** **[Security Vulnerabilities in March](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2025/2025-03.md)** **[Security Vulnerabilities in Feburary](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2025/2025-02.md)** diff --git a/zh/security-disclosure/2025/2025-05.md b/zh/security-disclosure/2025/2025-05.md new file mode 100644 index 0000000..9fc24c8 --- /dev/null +++ b/zh/security-disclosure/2025/2025-05.md @@ -0,0 +1,44 @@ +## 2025年05月安全漏洞 +_发布于2025.05.06_
+_最后更新于2025.05.06_ + +### 备注:OpenHarmony 5.0阶段各分支中当前主要对OpenHarmony-5.0.3-Release分支进行安全漏洞维护。 + +| CVE | 漏洞描述 | 漏洞影响 | 严重程度 |CVSS 3.1得分 | 受影响的版本 | 受影响的仓库 | 修复链接 | +| -------------- | ----------------------------------| ----------------------------------- | ----------- |------------ | -------------------------------------------- | --------------- | -------------------------------------------------------- | +| CVE-2025-25218 | third_party_mksh 空指针解引用 | 本地攻击者可造成DOS | 低危 | 3.3 | OpenHarmony-v5.0.3-Release | third_party_mksh | [5.0.3.x](https://gitee.com/openharmony/third_party_mksh/pulls/68) +| CVE-2025-27132 | arkcompiler_ets_runtime 越界写 | 本地攻击者可在受限场景造成任意代码执行 | 低危 | 3.8 | OpenHarmony-v5.0.3-Release | arkcompiler_ets_runtime | [5.0.3.x](https://gitee.com/openharmony/arkcompiler_ets_runtime/pulls/11279) +| CVE-2025-22886 | distributeddatamgr_udmf 内存泄露 | 本地攻击者可造成DOS | 低危 | 3.3 | OpenHarmony-v5.0.3-Release | distributeddatamgr_udmf | [5.0.3.x](https://gitee.com/openharmony/distributeddatamgr_udmf/pulls/526) +| CVE-2025-27248 | ai_neural_network_runtime 空指针解引用 | 本地攻击者可造成DOS | 低危 | 3.3 | OpenHarmony-v5.0.3-Release | ai_neural_network_runtime | [5.0.3.x](https://gitee.com/openharmony/ai_neural_network_runtime/pulls/258) +| CVE-2025-27241 | multimedia_av_codec 空指针解引用 | 本地攻击者可造成DOS | 低危 | 3.3 | OpenHarmony-v5.0.3-Release | multimedia_av_codec | [5.0.3.x](https://gitee.com/openharmony/multimedia_av_codec/pulls/4465) +| CVE-2025-25052 | arkcompiler_ets_runtime 栈溢出 | 本地攻击者可造成DOS | 低危 | 3.3 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | arkcompiler_ets_runtime | [5.0.3.x](https://gitee.com/openharmony/arkcompiler_ets_runtime/pulls/11067)
[4.1.x](https://gitee.com/openharmony/arkcompiler_ets_runtime/pulls/10951) + + + +### 以下为三方库漏洞,只提供CVE、严重程度、受影响的OpenHarmony版本,详细信息请参考三方公告。 + +| CVE | 严重程度 | CVSS 3.1得分 |受影响的仓库 | 受影响的OpenHarmony版本 | 修复链接 | +| -------------- | -------- | ------------ |-------------| ------------------------------------------------------------ | ------------------------------------------------------ | +| CVE-2024-42315 | 中危 | 5.5 | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/de7b4d9a28a2d1a2d6770f0c0d3e9b37aab35fe1)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/de7b4d9a28a2d1a2d6770f0c0d3e9b37aab35fe1) +| CVE-2024-42265 | 无 | 尚未提供 | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/207689a76b6373878c34d91248db1c9954cfe4ed)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/207689a76b6373878c34d91248db1c9954cfe4ed) +| CVE-2024-41014 | 中危 | 3.5 | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/04bf2f2d6fc1933fe7212432cae0508f96adb516)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/04bf2f2d6fc1933fe7212432cae0508f96adb516) +| CVE-2024-36927 | 中危 | 4.7 | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/2661944db0acd0cab5a2b8d4d419da5aa5a36c3c)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/2661944db0acd0cab5a2b8d4d419da5aa5a36c3c) +| CVE-2022-48944 | 中危 | 5.5 | kernel_linux_5.10 | OpenHarmony-v4.1-Release
OpenHarmony-v5.0.3-Release | [4.1.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/1ce5e4a4e76cac03eb1a17d090f64e47d58c2687)
[5.0.3.x](https://gitee.com/openharmony/kernel_linux_5.10/commit/1ce5e4a4e76cac03eb1a17d090f64e47d58c2687) + + +### 以下是各维护版本的安全补丁标签,请在合入当月及之前全部对应安全补丁之后,更新安全补丁标签。 + + + + + + + + + + + + +
安全补丁标签链接
2025年05月[5.0.3.x]
[4.1.x]
+ + diff --git a/zh/security-disclosure/README.md b/zh/security-disclosure/README.md index ffdf3ad..b23965f 100644 --- a/zh/security-disclosure/README.md +++ b/zh/security-disclosure/README.md @@ -2,6 +2,7 @@ 本文档主要发布OpenHarmony软件的安全漏洞公告。 ## 2025年安全漏洞 +**[2025年05月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-05.md)** **[2025年04月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-04.md)** **[2025年03月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md)** **[2025年02月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-02.md)** -- Gitee