enh: add known fixed ucode versions for CVE-2023-23583 (Reptar) and CVE-2024-45332 (BPI)

2026-04-07 09:13:20 +02:00 · 2026-04-04 17:50:04 +02:00
parent 090f109c52
commit cccb3c0081
4 changed files with 135 additions and 26 deletions
--- a/src/vulns/CVE-2023-23583.sh
+++ b/src/vulns/CVE-2023-23583.sh
@@ -15,8 +15,13 @@ check_CVE_2023_23583_linux() {
    # there is no sysfs file for this vuln, and no kernel patch,
    # the mitigation is only ucode-based and there's no flag exposed,
    # so most of the work has already been done by is_cpu_affected()
+    # shellcheck disable=SC2154
    if ! is_cpu_affected "$cve"; then
        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ -z "$g_reptar_fixed_ucode_version" ]; then
+        # CPU matched the model blacklist but has no known fixing microcode
+        # (likely an EOL stepping that Intel won't release a fix for)
+        pvulnstatus "$cve" VULN "your CPU is affected and no microcode update is available for your CPU stepping"
    else
        pr_info_nol "* Reptar is mitigated by microcode: "
        if [ "$cpu_ucode" -lt "$g_reptar_fixed_ucode_version" ]; then