[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 2385-1] linux-4.19 security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-2385-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
September 28, 2020                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-4.19
Version        : 4.19.146-1~deb9u1
CVE ID         : CVE-2019-3874 CVE-2019-19448 CVE-2019-19813 CVE-2019-19816
                 CVE-2020-10781 CVE-2020-12888 CVE-2020-14314 CVE-2020-14331
                 CVE-2020-14356 CVE-2020-14385 CVE-2020-14386 CVE-2020-14390
                 CVE-2020-16166 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285
                 CVE-2020-25641 CVE-2020-26088
Debian Bug     : 966846 966917 968567

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2019-3874

    Kernel buffers allocated by the SCTP network protocol were not
    limited by the memory cgroup controller.  A local user could
    potentially use this to evade container memory limits and to cause
    a denial of service (excessive memory use).

CVE-2019-19448, CVE-2019-19813, CVE-2019-19816

    "Team bobfuzzer" reported bugs in Btrfs that could lead to a
    use-after-free or heap buffer overflow, and could be triggered by
    crafted filesystem images.  A user permitted to mount and access
    arbitrary filesystems could use these to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-10781

    Luca Bruno of Red Hat discovered that the zram control file
    /sys/class/zram-control/hot_add was readable by all users.  On a
    system with zram enabled, a local user could use this to cause a
    denial of service (memory exhaustion).

CVE-2020-12888

    It was discovered that the PCIe Virtual Function I/O (vfio-pci)
    driver allowed users to disable a device's memory space while it
    was still mapped into a process.  On some hardware platforms,
    local users or guest virtual machines permitted to access PCIe
    Virtual Functions could use this to cause a denial of service
    (hardware error and crash).

CVE-2020-14314

    A bug was discovered in the ext4 filesystem that could lead to an
    out-of-bound read.  A local user permitted to mount and access
    arbitrary filesystem images could use this to cause a denial of
    service (crash).

CVE-2020-14331

    A bug was discovered in the VGA console driver's soft-scrollback
    feature that could lead to a heap buffer overflow.  On a system
    with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK
    enabled, a local user with access to a console could use this to
    cause a denial of service (crash or memory corruption) or possibly
    for privilege escalation.

CVE-2020-14356

    A bug was discovered in the cgroup subsystem's handling of socket
    references to cgroups.  In some cgroup configurations, this could
    lead to a use-after-free.  A local user might be able to use this
    to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

CVE-2020-14385

    A bug was discovered in XFS, which could lead to an extended
    attribute (xattr) wrongly being detected as invalid.  A local user
    with access to an XFS filesystem could use this to cause a denial
    of service (filesystem shutdown).

CVE-2020-14386

    Or Cohen discovered a bug in the packet socket (AF_PACKET)
    implementation which could lead to a heap buffer overflow.  A
    local user with the CAP_NET_RAW capability (in any user namespace)
    could use this to cause a denial of service (crash or memory
    corruption) or possibly for privilege escalation.

CVE-2020-14390

    Minh Yuan discovered a bug in the framebuffer console driver's
    scrollback feature that could lead to a heap buffer overflow.  On
    a system using framebuffer consoles, a local user with access to a
    console could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

    The scrollback feature has been disabled for now, as no other fix
    was available for this issue.

CVE-2020-16166

    Amit Klein reported that the random number generator used by the
    network stack might not be re-seeded for long periods of time,
    making e.g. client port number allocations more predictable.  This
    made it easier for remote attackers to carry out some network-
    based attacks such as DNS cache poisoning or device tracking.

CVE-2020-25212

    A bug was discovered in the NFSv4 client implementation that could
    lead to a heap buffer overflow.  A malicious NFS server could use
    this to cause a denial of service (crash or memory corruption) or
    possibly to execute arbitrary code on the client.

CVE-2020-25284

    It was discovered that the Rados block device (rbd) driver allowed
    tasks running as uid 0 to add and remove rbd devices, even if they
    dropped capabilities.  On a system with the rbd driver loaded,
    this might allow privilege escalation from a container with a task
    running as root.

CVE-2020-25285

    A race condition was discovered in the hugetlb filesystem's sysctl
    handlers, that could lead to stack corruption.  A local user
    permitted to write to hugepages sysctls could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.  By default only the root user can do this.

CVE-2020-25641

    The syzbot tool found a bug in the block layer that could lead to
    an infinite loop.  A local user with access to a raw block device
    could use this to cause a denial of service (unbounded CPU use and
    possible system hang).

CVE-2020-26088

    It was discovered that the NFC (Near Field Communication) socket
    implementation allowed any user to create raw sockets.  On a
    system with an NFC interface, this allowed local users to evade
    local network security policy.

For Debian 9 stretch, these problems have been fixed in version
4.19.146-1~deb9u1.  This update additionally fixes Debian bugs
#966846, #966917, and #968567; and includes many more bug fixes from
stable updates 4.19.133-4.19.146 inclusive.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: