ALAS2-2022-1883

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR. (CVE-2022-41974)

aarch64:
    device-mapper-multipath-0.4.9-136.amzn2.aarch64
    device-mapper-multipath-libs-0.4.9-136.amzn2.aarch64
    device-mapper-multipath-devel-0.4.9-136.amzn2.aarch64
    device-mapper-multipath-sysvinit-0.4.9-136.amzn2.aarch64
    kpartx-0.4.9-136.amzn2.aarch64
    libdmmp-0.4.9-136.amzn2.aarch64
    libdmmp-devel-0.4.9-136.amzn2.aarch64
    device-mapper-multipath-debuginfo-0.4.9-136.amzn2.aarch64

i686:
    device-mapper-multipath-0.4.9-136.amzn2.i686
    device-mapper-multipath-libs-0.4.9-136.amzn2.i686
    device-mapper-multipath-devel-0.4.9-136.amzn2.i686
    device-mapper-multipath-sysvinit-0.4.9-136.amzn2.i686
    kpartx-0.4.9-136.amzn2.i686
    libdmmp-0.4.9-136.amzn2.i686
    libdmmp-devel-0.4.9-136.amzn2.i686
    device-mapper-multipath-debuginfo-0.4.9-136.amzn2.i686

src:
    device-mapper-multipath-0.4.9-136.amzn2.src

x86_64:
    device-mapper-multipath-0.4.9-136.amzn2.x86_64
    device-mapper-multipath-libs-0.4.9-136.amzn2.x86_64
    device-mapper-multipath-devel-0.4.9-136.amzn2.x86_64
    device-mapper-multipath-sysvinit-0.4.9-136.amzn2.x86_64
    kpartx-0.4.9-136.amzn2.x86_64
    libdmmp-0.4.9-136.amzn2.x86_64
    libdmmp-devel-0.4.9-136.amzn2.x86_64
    device-mapper-multipath-debuginfo-0.4.9-136.amzn2.x86_64