[SECURITY] [DLA 2785-1] linux-4.19 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2785-1] linux-4.19 security update
From: Ben Hutchings <benh@debian.org>
Date: Fri, 15 Oct 2021 23:50:44 +0200
Message-id: <[🔎] YWn3tOip6kKWRy1f@decadent.org.uk>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2785-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
October 15, 2021                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-4.19
Version        : 4.19.208-1~deb9u1
CVE ID         : CVE-2020-3702 CVE-2020-16119 CVE-2021-3444 CVE-2021-3600
                 CVE-2021-3612 CVE-2021-3653 CVE-2021-3655 CVE-2021-3656
                 CVE-2021-3679 CVE-2021-3732 CVE-2021-3743 CVE-2021-3753
                 CVE-2021-22543 CVE-2021-33624 CVE-2021-34556 CVE-2021-35039
                 CVE-2021-35477 CVE-2021-37159 CVE-2021-38160 CVE-2021-38198
                 CVE-2021-38199 CVE-2021-38205 CVE-2021-40490

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2020-3702

    A flaw was found in the driver for Atheros IEEE 802.11n family of
    chipsets (ath9k) allowing information disclosure.

CVE-2020-16119

    Hadar Manor reported a use-after-free in the DCCP protocol
    implementation in the Linux kernel. A local attacker can take
    advantage of this flaw to cause a denial of service or potentially
    to execute arbitrary code.

CVE-2021-3444, CVE-2021-3600

    Two flaws were discovered in the Extended BPF (eBPF) verifier.  A
    local user could exploit these to read and write arbitrary memory
    in the kernel, which could be used for privilege escalation.

    This can be mitigated by setting sysctl
    kernel.unprivileged_bpf_disabled=1, which disables eBPF use by
    unprivileged users.

CVE-2021-3612

    Murray McAllister reported a flaw in the joystick input subsystem.
    A local user permitted to access a joystick device could exploit
    this to read and write out-of-bounds in the kernel, which could
    be used for privilege escalation.

CVE-2021-3653

   Maxim Levitsky discovered a vulnerability in the KVM hypervisor
   implementation for AMD processors in the Linux kernel: Missing
   validation of the `int_ctl` VMCB field could allow a malicious L1
   guest to enable AVIC support (Advanced Virtual Interrupt
   Controller) for the L2 guest. The L2 guest can take advantage of
   this flaw to write to a limited but still relatively large subset
   of the host physical memory.

CVE-2021-3655

    Ilja Van Sprundel and Marcelo Ricardo Leitner found multiple flaws
    in the SCTP implementation, where missing validation could lead to
    an out-of-bounds read.  On a system using SCTP, a networked
    attacker could exploit these to cause a denial of service (crash).

CVE-2021-3656

    Maxim Levitsky and Paolo Bonzini discovered a flaw in the KVM
    hypervisor implementation for AMD processors in the Linux
    kernel. Missing validation of the `virt_ext` VMCB field could
    allow a malicious L1 guest to disable both VMLOAD/VMSAVE
    intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. Under
    these circumstances, the L2 guest is able to run VMLOAD/VMSAVE
    unintercepted and thus read/write portions of the host's physical
    memory.

CVE-2021-3679

    A flaw in the Linux kernel tracing module functionality could
    allow a privileged local user (with CAP_SYS_ADMIN capability) to
    cause a denial of service (resource starvation).

CVE-2021-3732

    Alois Wohlschlager reported a flaw in the implementation of the
    overlayfs subsystem, allowing a local attacker with privileges to
    mount a filesystem to reveal files hidden in the original mount.

CVE-2021-3743

    An out-of-bounds memory read was discovered in the Qualcomm IPC
    router protocol implementation, allowing to cause a denial of
    service or information leak.

CVE-2021-3753

    Minh Yuan reported a race condition in the vt_k_ioctl in
    drivers/tty/vt/vt_ioctl.c, which may cause an out of bounds read
    in vt.

CVE-2021-22543

    David Stevens discovered a flaw in how the KVM hypervisor maps
    host memory into a guest.  A local user permitted to access
    /dev/kvm could use this to cause certain pages to be freed when
    they should not, leading to a use-after-free.  This could be used
    to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

CVE-2021-33624, CVE-2021-34556, CVE-2021-35477

    Multiple researchers discovered flaws in the Extended BPF (eBPF)
    verifier's protections against information leaks through
    speculation execution.  A local user could exploit these to read
    sensitive information.

    This can be mitigated by setting sysctl
    kernel.unprivileged_bpf_disabled=1, which disables eBPF use by
    unprivileged users.

CVE-2021-35039

    A flaw was discovered in module signature enforcement.  A custom
    kernel with IMA enabled might have allowed loading unsigned kernel
    modules when it should not have.

CVE-2021-37159

    A flaw was discovered in the hso driver for Option mobile
    broadband modems.  An error during initialisation could lead to a
    double-free or use-after-free.  An attacker able to plug in USB
    devices could use this to cause a denial of service (crash or
    memory corruption) or possibly to run arbitrary code.

CVE-2021-38160

    A flaw in the virtio_console was discovered allowing data
    corruption or data loss by an untrusted device.

CVE-2021-38198

    A flaw was discovered in the KVM implementation for x86
    processors, that could result in virtual memory protection within
    a guest not being applied correctly.  When shadow page tables are
    used - i.e. for nested virtualisation, or on CPUs lacking the EPT
    or NPT feature - a user of the guest OS might be able to exploit
    this for denial of service or privilege escalation within the
    guest.

CVE-2021-38199

    Michael Wakabayashi reported a flaw in the NFSv4 client
    implementation, where incorrect connection setup ordering allows
    operations of a remote NFSv4 server to cause a denial of service.

CVE-2021-38205

    An information leak was discovered in the xilinx_emaclite network
    driver.  On a custom kernel where this driver is enabled and used,
    this might make it easier to exploit other kernel bugs.

CVE-2021-40490

    A race condition was discovered in the ext4 subsystem when writing
    to an inline_data file while its xattrs are changing. This could
    result in denial of service.

For Debian 9 stretch, these problems have been fixed in version
4.19.208-1~deb9u1.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                       - Robert Coveyou
Attachment: signature.asc
Description: PGP signature
Reply to:
Prev by Date: [SECURITY] [DLA 2780-1] ruby2.3 security update
Next by Date: [SECURITY] [DLA 2786-1] nghttp2 security update
Previous by thread: [SECURITY] [DLA 2780-1] ruby2.3 security update
Next by thread: [SECURITY] [DLA 2786-1] nghttp2 security update
Index(es):
- Date
- Thread