[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 2241-1] linux security update



Package        : linux
Version        : 3.16.84-1
CVE ID         : CVE-2015-8839 CVE-2018-14610 CVE-2018-14611 CVE-2018-14612
                 CVE-2018-14613 CVE-2019-5108 CVE-2019-19319 CVE-2019-19447
                 CVE-2019-19768 CVE-2019-20636 CVE-2020-0009 CVE-2020-0543
                 CVE-2020-1749 CVE-2020-2732 CVE-2020-8647 CVE-2020-8648
                 CVE-2020-8649 CVE-2020-9383 CVE-2020-10690 CVE-2020-10751
                 CVE-2020-10942 CVE-2020-11494 CVE-2020-11565 CVE-2020-11608
                 CVE-2020-11609 CVE-2020-11668 CVE-2020-12114 CVE-2020-12464
                 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12769
                 CVE-2020-12770 CVE-2020-12826 CVE-2020-13143

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2015-8839

    A race condition was found in the ext4 filesystem implementation.
    A local user could exploit this to cause a denial of service
    (filesystem corruption).

CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613

    Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes
    could trigger a crash (Oops) and/or out-of-bounds memory access.
    An attacker able to mount such a volume could use this to cause a
    denial of service or possibly for privilege escalation.

CVE-2019-5108

    Mitchell Frank of Cisco discovered that when the IEEE 802.11
    (WiFi) stack was used in AP mode with roaming, it would trigger
    roaming for a newly associated station before the station was
    authenticated.  An attacker within range of the AP could use this
    to cause a denial of service, either by filling up a switching
    table or by redirecting traffic away from other stations.

CVE-2019-19319

    Jungyeon discovered that a crafted filesystem can cause the ext4
    implementation to deallocate or reallocate journal blocks.  A user
    permitted to mount filesystems could use this to cause a denial of
    service (crash), or possibly for privilege escalation.

CVE-2019-19447

    It was discovered that the ext4 filesystem driver did not safely
    handle unlinking of an inode that, due to filesystem corruption,
    already has a link count of 0.  An attacker able to mount
    arbitrary ext4 volumes could use this to cause a denial of service
    (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19768

    Tristan Madani reported a race condition in the blktrace debug
    facility that could result in a use-after-free.  A local user able
    to trigger removal of block devices could possibly use this to
    cause a denial of service (crash) or for privilege escalation.

CVE-2019-20636

    The syzbot tool found that the input subsystem did not fully
    validate keycode changes, which could result in a heap
    out-of-bounds write.  A local user permitted to access the device
    node for an input or VT device could possibly use this to cause a
    denial of service (crash or memory corruption) or for privilege
    escalation.

CVE-2020-0009

    Jann Horn reported that the Android ashmem driver did not prevent
    read-only files from being memory-mapped and then remapped as
    read-write.  However, Android drivers are not enabled in Debian
    kernel configurations.

CVE-2020-0543

    Researchers at VU Amsterdam discovered that on some Intel CPUs
    supporting the RDRAND and RDSEED instructions, part of a random
    value generated by these instructions may be used in a later
    speculative execution on any core of the same physical CPU.
    Depending on how these instructions are used by applications, a
    local user or VM guest could use this to obtain sensitive
    information such as cryptographic keys from other users or VMs.

    This vulnerability can be mitigated by a microcode update, either
    as part of system firmware (BIOS) or through the intel-microcode
    package in Debian's non-free archive section.  This kernel update
    only provides reporting of the vulnerability and the option to
    disable the mitigation if it is not needed.

CVE-2020-1749

    Xiumei Mu reported that some network protocols that can run on top
    of IPv6 would bypass the Transformation (XFRM) layer used by
    IPsec, IPcomp/IPcomp6, IPIP, and IPv6 Mobility.  This could result
    in disclosure of information over the network, since it would not
    be encrypted or routed according to the system policy.

CVE-2020-2732

    Paulo Bonzini discovered that the KVM implementation for Intel
    processors did not properly handle instruction emulation for L2
    guests when nested virtualization is enabled. This could allow an
    L2 guest to cause privilege escalation, denial of service, or
    information leaks in the L1 guest.

CVE-2020-8647, CVE-2020-8649

    The Hulk Robot tool found a potential MMIO out-of-bounds access in
    the vgacon driver.  A local user permitted to access a virtual
    terminal (/dev/tty1 etc.) on a system using the vgacon driver
    could use this to cause a denial of service (crash or memory
    corruption) or possibly for privilege escalation.

CVE-2020-8648

    The syzbot tool found a race condition in the the virtual terminal
    driver, which could result in a use-after-free.  A local user
    permitted to access a virtual terminal could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2020-9383

    Jordy Zomer reported an incorrect range check in the floppy driver
    which could lead to a static out-of-bounds access.  A local user
    permitted to access a floppy drive could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2020-10690

    It was discovered that the PTP hardware clock subsystem did not
    properly manage device lifetimes.  Removing a PTP hardware clock
    from the system while a user process was using it could lead to a
    use-after-free.  The security impact of this is unclear.

CVE-2020-10751

    Dmitry Vyukov reported that the SELinux subsystem did not properly
    handle validating multiple messages, which could allow a privileged
    attacker to bypass SELinux netlink restrictions.

CVE-2020-10942

    It was discovered that the vhost_net driver did not properly
    validate the type of sockets set as back-ends. A local user
    permitted to access /dev/vhost-net could use this to cause a stack
    corruption via crafted system calls, resulting in denial of
    service (crash) or possibly privilege escalation.

CVE-2020-11494

    It was discovered that the slcan (serial line CAN) network driver
    did not fully initialise CAN headers for received packets,
    resulting in an information leak from the kernel to user-space or
    over the CAN network.

CVE-2020-11565

    Entropy Moe reported that the shared memory filesystem (tmpfs) did
    not correctly handle an "mpol" mount option specifying an empty
    node list, leading to a stack-based out-of-bounds write. If user
    namespaces are enabled, a local user could use this to cause a
    denial of service (crash) or possibly for privilege escalation.

CVE-2020-11608, CVE-2020-11609, CVE-2020-11668

    It was discovered that the ov519, stv06xx, and xirlink_cit media
    drivers did not properly validate USB device descriptors.  A
    physically present user with a specially constructed USB device
    could use this to cause a denial-of-service (crash) or possibly
    for privilege escalation.

CVE-2020-12114

    Piotr Krysiuk discovered a race condition between the umount and
    pivot_root operations in the filesystem core (vfs).  A local user
    with the CAP_SYS_ADMIN capability in any user namespace could use
    this to cause a denial of service (crash).

CVE-2020-12464

    Kyungtae Kim reported a race condition in the USB core that can
    result in a use-after-free.  It is not clear how this can be
    exploited, but it could result in a denial of service (crash or
    memory corruption) or privilege escalation.

CVE-2020-12652

    Tom Hatskevich reported a bug in the mptfusion storage drivers.
    An ioctl handler fetched a parameter from user memory twice,
    creating a race condition which could result in incorrect locking
    of internal data structures.  A local user permitted to access
    /dev/mptctl could use this to cause a denial of service (crash or
    memory corruption) or for privilege escalation.

CVE-2020-12653

    It was discovered that the mwifiex WiFi driver did not
    sufficiently validate scan requests, resulting a potential heap
    buffer overflow.  A local user with CAP_NET_ADMIN capability could
    use this to cause a denial of service (crash or memory corruption)
    or possibly for privilege escalation.

CVE-2020-12654

    It was discovered that the mwifiex WiFi driver did not
    sufficiently validate WMM parameters received from an access point
    (AP), resulting a potential heap buffer overflow.  A malicious AP
    could use this to cause a denial of service (crash or memory
    corruption) or possibly to execute code on a vulnerable system.

CVE-2020-12769

    It was discovered that the spi-dw SPI host driver did not properly
    serialise access to its internal state.  The security impact of
    this is unclear, and this driver is not included in Debian's
    binary packages.

CVE-2020-12770

    It was discovered that the sg (SCSI generic) driver did not
    correctly release internal resources in a particular error case.
    A local user permitted to access an sg device could possibly use
    this to cause a denial of service (resource exhaustion).

CVE-2020-12826

    Adam Zabrocki reported a weakness in the signal subsystem's
    permission checks.  A parent process can choose an arbitary signal
    for a child process to send when it exits, but if the parent has
    executed a new program then the default SIGCHLD signal is sent.  A
    local user permitted to run a program for several days could
    bypass this check, execute a setuid program, and then send an
    arbitrary signal to it.  Depending on the setuid programs
    installed, this could have some security impact.

CVE-2020-13143

    Kyungtae Kim reported a potential heap out-of-bounds write in
    the USB gadget subsystem.  A local user permitted to write to
    the gadget configuration filesystem could use this to cause a
    denial of service (crash or memory corruption) or potentially
    for privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.84-1.

We recommend that you upgrade your linux packages.  Binary packages for
the EABI ARM (armel) architecture are not yet available, and a separate
announcement will be made when they are.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: