Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2008.2
linux security update
11 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: linux kernel
Publisher: Debian
Operating System: Debian GNU/Linux 8
Debian GNU/Linux 9
Debian GNU/Linux 10
Impact/Access: Root Compromise -- Existing Account
Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Privileged Data -- Existing Account
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-13143 CVE-2020-12826 CVE-2020-12770
CVE-2020-12769 CVE-2020-12768 CVE-2020-12654
CVE-2020-12653 CVE-2020-12652 CVE-2020-12464
CVE-2020-12114 CVE-2020-11668 CVE-2020-11609
CVE-2020-11608 CVE-2020-11565 CVE-2020-11494
CVE-2020-10942 CVE-2020-10757 CVE-2020-10751
CVE-2020-10732 CVE-2020-10711 CVE-2020-10690
CVE-2020-9383 CVE-2020-8649 CVE-2020-8648
CVE-2020-8647 CVE-2020-8428 CVE-2020-2732
CVE-2020-1749 CVE-2020-0543 CVE-2020-0009
CVE-2019-20811 CVE-2019-20806 CVE-2019-20636
CVE-2019-19768 CVE-2019-19462 CVE-2019-19447
CVE-2019-19319 CVE-2019-5108 CVE-2019-3016
CVE-2019-2182 CVE-2018-14613 CVE-2018-14612
CVE-2018-14611 CVE-2018-14610 CVE-2015-8839
Reference: ASB-2020.0002
ASB-2016.0089
ESB-2020.2003
ESB-2020.1853
Original Bulletin:
http://www.debian.org/security/2020/dsa-4699
https://www.debian.org/security/2020/dsa-4698
https://www.debian.org/lts/security/2020/dla-2241
https://www.debian.org/lts/security/2020/dla-2241-2
Comment: This bulletin contains three (3) Debian security advisories.
Revision History: June 11 2020: Vendor updated advisory dla-2241 to dla-2241-2
June 10 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4699-1 security@debian.org
https://www.debian.org/security/ Ben Hutchings
June 09, 2020 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2019-3016 CVE-2019-19462 CVE-2020-0543 CVE-2020-10711
CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114
CVE-2020-12464 CVE-2020-12768 CVE-2020-12770 CVE-2020-13143
Debian Bug : 960271
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2019-3016
It was discovered that the KVM implementation for x86 did not
always perform TLB flushes when needed, if the paravirtualised
TLB flush feature was enabled. This could lead to disclosure of
sensitive information within a guest VM.
CVE-2019-19462
The syzkaller tool found a missing error check in the 'relay'
library used to implement various files under debugfs. A local
user permitted to access debugfs could use this to cause a denial
of service (crash) or possibly for privilege escalation.
CVE-2020-0543
Researchers at VU Amsterdam discovered that on some Intel CPUs
supporting the RDRAND and RDSEED instructions, part of a random
value generated by these instructions may be used in a later
speculative execution on any core of the same physical CPU.
Depending on how these instructions are used by applications, a
local user or VM guest could use this to obtain sensitive
information such as cryptographic keys from other users or VMs.
This vulnerability can be mitigated by a microcode update, either
as part of system firmware (BIOS) or through the intel-microcode
package in Debian's non-free archive section. This kernel update
only provides reporting of the vulnerability and the option to
disable the mitigation if it is not needed.
CVE-2020-10711
Matthew Sheets reported NULL pointer dereference issues in the
SELinux subsystem while receiving CIPSO packet with null category. A
remote attacker can take advantage of this flaw to cause a denial of
service (crash). Note that this issue does not affect the binary
packages distributed in Debian as CONFIG_NETLABEL is not enabled.
CVE-2020-10732
An information leak of kernel private memory to userspace was found
in the kernel's implementation of core dumping userspace processes.
CVE-2020-10751
Dmitry Vyukov reported that the SELinux subsystem did not properly
handle validating multiple messages, which could allow a privileged
attacker to bypass SELinux netlink restrictions.
CVE-2020-10757
Fan Yang reported a flaw in the way mremap handled DAX hugepages,
allowing a local user to escalate their privileges.
CVE-2020-12114
Piotr Krysiuk discovered a race condition between the umount and
pivot_root operations in the filesystem core (vfs). A local user
with the CAP_SYS_ADMIN capability in any user namespace could use
this to cause a denial of service (crash).
CVE-2020-12464
Kyungtae Kim reported a race condition in the USB core that can
result in a use-after-free. It is not clear how this can be
exploited, but it could result in a denial of service (crash or
memory corruption) or privilege escalation.
CVE-2020-12768
A bug was discovered in the KVM implementation for AMD processors,
which could result in a memory leak. The security impact of this
is unclear.
CVE-2020-12770
It was discovered that the sg (SCSI generic) driver did not
correctly release internal resources in a particular error case.
A local user permitted to access an sg device could possibly use
this to cause a denial of service (resource exhaustion).
CVE-2020-13143
Kyungtae Kim reported a potential heap out-of-bounds write in
the USB gadget subsystem. A local user permitted to write to
the gadget configuration filesystem could use this to cause a
denial of service (crash or memory corruption) or potentially
for privilege escalation.
For the stable distribution (buster), these problems have been fixed
in version 4.19.118-2+deb10u1. This version also fixes some related
bugs that do not have their own CVE IDs, and a regression in the
<linux/swab.h> UAPI header introduced in the previous point release
(bug #960271).
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl7f5cVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q2Gg//b/hL9fW9Js1PYDU/VtS6r5Cca5xsCYlbAheAlMPMtm/Vym4NJOuEvyuI
DvPXbf0Bi7gjQ0gEgM/urJTzqjzIccwrUQe1aFHt0N9exC53z1xPWZDJepGkSQOB
2AB5YaFTxkuGur/HXbKomdMWvSVphpBM+id9v2V1iWY2iA6cI1sCjgziUKcDMECD
T7tCe4Hrjf6BY/W4xBiT0BEQNOO2i/rn7p9pNk+wi85BbC7g5ubKWGn9sSDd8KtA
u2z5tsicaM7kXaPsaW11fSPxu7YOz09qLgBQnY8B2gdMEAp3YjN9ibyHppjme3GK
02ZZUHQ+Y4MyQQgCzWxaqXCu6Aa+4B5i2nTY907BVBslrfulKRbr1qS3D2CJojT/
qYVub7C5RCW5VnbJZxCDLgSmGRbyPW2pVpnBTvID8czTUhd+M5e6fW932TzUW07w
18ueto1fRlcAauIO3SQV7Ai9froFGjH4L8XbUipiv0qwotSjcPb4HoZpp0xgNcRU
xjZW0MMhK/lyfe8gDx8wjpihbQVKtTtIaWbeoZPoMENE92yW8+7DbXjfXAylX3px
IdVaeo7iF3MOYuez4qEAsyPF4ver8Xl9HKS05J9NUYUeRf2BF3M6xFWjpTm5xjoH
bdIGBJ322sNjTAzkneriX5iO3szBDINPHII2V/AaqafhYZYWtoM=
=c00Y
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4698-1 security@debian.org
https://www.debian.org/security/ Ben Hutchings
June 09, 2020 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2019-2182 CVE-2019-5108 CVE-2019-19319 CVE-2019-19462
CVE-2019-19768 CVE-2019-20806 CVE-2019-20811 CVE-2020-0543
CVE-2020-2732 CVE-2020-8428 CVE-2020-8647 CVE-2020-8648
CVE-2020-8649 CVE-2020-9383 CVE-2020-10711 CVE-2020-10732
CVE-2020-10751 CVE-2020-10757 CVE-2020-10942 CVE-2020-11494
CVE-2020-11565 CVE-2020-11608 CVE-2020-11609 CVE-2020-11668
CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653
CVE-2020-12654 CVE-2020-12770 CVE-2020-13143
Debian Bug : 952660
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2019-2182
Hanjun Guo and Lei Li reported a race condition in the arm64
virtual memory management code, which could lead to an information
disclosure, denial of service (crash), or possibly privilege
escalation.
CVE-2019-5108
Mitchell Frank of Cisco discovered that when the IEEE 802.11
(WiFi) stack was used in AP mode with roaming, it would trigger
roaming for a newly associated station before the station was
authenticated. An attacker within range of the AP could use this
to cause a denial of service, either by filling up a switching
table or by redirecting traffic away from other stations.
CVE-2019-19319
Jungyeon discovered that a crafted filesystem can cause the ext4
implementation to deallocate or reallocate journal blocks. A user
permitted to mount filesystems could use this to cause a denial of
service (crash), or possibly for privilege escalation.
CVE-2019-19462
The syzbot tool found a missing error check in the 'relay'
library used to implement various files under debugfs. A local
user permitted to access debugfs could use this to cause a denial
of service (crash) or possibly for privilege escalation.
CVE-2019-19768
Tristan Madani reported a race condition in the blktrace debug
facility that could result in a use-after-free. A local user able
to trigger removal of block devices could possibly use this to
cause a denial of service (crash) or for privilege escalation.
CVE-2019-20806
A potential null pointer dereference was discovered in the tw5864
media driver. The security impact of this is unclear.
CVE-2019-20811
The Hulk Robot tool found a reference-counting bug in an error
path in the network subsystem. The security impact of this is
unclear.
CVE-2020-0543
Researchers at VU Amsterdam discovered that on some Intel CPUs
supporting the RDRAND and RDSEED instructions, part of a random
value generated by these instructions may be used in a later
speculative execution on any core of the same physical CPU.
Depending on how these instructions are used by applications, a
local user or VM guest could use this to obtain sensitive
information such as cryptographic keys from other users or VMs.
This vulnerability can be mitigated by a microcode update, either
as part of system firmware (BIOS) or through the intel-microcode
package in Debian's non-free archive section. This kernel update
only provides reporting of the vulnerability and the option to
disable the mitigation if it is not needed.
CVE-2020-2732
Paulo Bonzini discovered that the KVM implementation for Intel
processors did not properly handle instruction emulation for L2
guests when nested virtualization is enabled. This could allow an
L2 guest to cause privilege escalation, denial of service, or
information leaks in the L1 guest.
CVE-2020-8428
Al Viro discovered a potential use-after-free in the filesystem
core (vfs). A local user could exploit this to cause a denial of
service (crash) or possibly to obtain sensitive information from
the kernel.
CVE-2020-8647, CVE-2020-8649
The Hulk Robot tool found a potential MMIO out-of-bounds access in
the vgacon driver. A local user permitted to access a virtual
terminal (/dev/tty1 etc.) on a system using the vgacon driver
could use this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.
CVE-2020-8648
The syzbot tool found a race condition in the the virtual terminal
driver, which could result in a use-after-free. A local user
permitted to access a virtual terminal could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.
CVE-2020-9383
Jordy Zomer reported an incorrect range check in the floppy driver
which could lead to a static out-of-bounds access. A local user
permitted to access a floppy drive could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.
CVE-2020-10711
Matthew Sheets reported NULL pointer dereference issues in the
SELinux subsystem while receiving CIPSO packet with null category. A
remote attacker can take advantage of this flaw to cause a denial of
service (crash). Note that this issue does not affect the binary
packages distributed in Debian as CONFIG_NETLABEL is not enabled.
CVE-2020-10732
An information leak of kernel private memory to userspace was found
in the kernel's implementation of core dumping userspace processes.
CVE-2020-10751
Dmitry Vyukov reported that the SELinux subsystem did not properly
handle validating multiple messages, which could allow a privileged
attacker to bypass SELinux netlink restrictions.
CVE-2020-10757
Fan Yang reported a flaw in the way mremap handled DAX hugepages,
allowing a local user to escalate their privileges
CVE-2020-10942
It was discovered that the vhost_net driver did not properly
validate the type of sockets set as back-ends. A local user
permitted to access /dev/vhost-net could use this to cause a stack
corruption via crafted system calls, resulting in denial of
service (crash) or possibly privilege escalation.
CVE-2020-11494
It was discovered that the slcan (serial line CAN) network driver
did not fully initialise CAN headers for received packets,
resulting in an information leak from the kernel to user-space or
over the CAN network.
CVE-2020-11565
Entropy Moe reported that the shared memory filesystem (tmpfs) did
not correctly handle an "mpol" mount option specifying an empty
node list, leading to a stack-based out-of-bounds write. If user
namespaces are enabled, a local user could use this to cause a
denial of service (crash) or possibly for privilege escalation.
CVE-2020-11608, CVE-2020-11609, CVE-2020-11668
It was discovered that the ov519, stv06xx, and xirlink_cit media
drivers did not properly validate USB device descriptors. A
physically present user with a specially constructed USB device
could use this to cause a denial-of-service (crash) or possibly
for privilege escalation.
CVE-2020-12114
Piotr Krysiuk discovered a race condition between the umount and
pivot_root operations in the filesystem core (vfs). A local user
with the CAP_SYS_ADMIN capability in any user namespace could use
this to cause a denial of service (crash).
CVE-2020-12464
Kyungtae Kim reported a race condition in the USB core that can
result in a use-after-free. It is not clear how this can be
exploited, but it could result in a denial of service (crash or
memory corruption) or privilege escalation.
CVE-2020-12652
Tom Hatskevich reported a bug in the mptfusion storage drivers.
An ioctl handler fetched a parameter from user memory twice,
creating a race condition which could result in incorrect locking
of internal data structures. A local user permitted to access
/dev/mptctl could use this to cause a denial of service (crash or
memory corruption) or for privilege escalation.
CVE-2020-12653
It was discovered that the mwifiex WiFi driver did not
sufficiently validate scan requests, resulting a potential heap
buffer overflow. A local user with CAP_NET_ADMIN capability could
use this to cause a denial of service (crash or memory corruption)
or possibly for privilege escalation.
CVE-2020-12654
It was discovered that the mwifiex WiFi driver did not
sufficiently validate WMM parameters received from an access point
(AP), resulting a potential heap buffer overflow. A malicious AP
could use this to cause a denial of service (crash or memory
corruption) or possibly to execute code on a vulnerable system.
CVE-2020-12770
It was discovered that the sg (SCSI generic) driver did not
correctly release internal resources in a particular error case.
A local user permitted to access an sg device could possibly use
this to cause a denial of service (resource exhaustion).
CVE-2020-13143
Kyungtae Kim reported a potential heap out-of-bounds write in
the USB gadget subsystem. A local user permitted to write to
the gadget configuration filesystem could use this to cause a
denial of service (crash or memory corruption) or potentially
for privilege escalation.
For the oldstable distribution (stretch), these problems have been
fixed in version 4.9.210-1+deb9u1. This version also fixes some
related bugs that do not have their own CVE IDs, and a regression in
the macvlan driver introduced in the previous point release (bug
#952660).
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl7f5blfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Sh5RAAmfLUcD69AFSfY6hVPLCvTHS0gVYHUk57NSP7vHaUqQPWXMv4lV6pJ1sp
I6sB7tuDW8MWERVy9lBuZrLhnhlhAfqhzkJ+F/yh6ze703QCf1mMoHBAI44yXGtB
fZDV2vxreXpJ4LfoBfGP2+yFiJXBBCRASgyNEtiBoHYG0yt1gfqXP5OjlaRJ5p1I
yElJ5Uj0MkclVj3nbupUmPs7V/2o4tPavOgTyLplTHTDfOMkK1Z86M0fUfh7fS97
ffwJutFObQuxrkO/2vtzTvaXPnqHh5DUIEQzq5xKhK10+GUlkppqHvId1c//0krF
Wd1gZc2RXLkREQShh21BUaI2XxRTcOw7f6Nmz2QnwN/Q/dXGeWeCjPUGslna3BQs
d/pToA0OpbFNxkNKsbg+ovzMrB9C9aP03aDpSztbf/ZLReR+yOf74s9ypdeadGLC
qKmHcFRWP25ct/ZOxNnTquEwd2NT6qDc9Iu6VNdXb2ndRz1zFU/OZlZ3oEPkrCIp
FxJ+j8jpMFJsluE09UjAxH4AhyNAPjPcCr3M+fkgG+WPgzxSHdKComDN06O53iVi
kWbN/AQPXiLlWHuKpCWbS87dZUyT1K1Wf+7mJbsAUfrrd+1mgWSHTRw1QNii74CR
bD91B+70LVu2UCKKxtnOIJ3+iUiUwBNPYw70B0cc3vZTv9O7q7k=
=WzfN
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
Package : linux
Version : 3.16.84-1
CVE ID : CVE-2015-8839 CVE-2018-14610 CVE-2018-14611 CVE-2018-14612
CVE-2018-14613 CVE-2019-5108 CVE-2019-19319 CVE-2019-19447
CVE-2019-19768 CVE-2019-20636 CVE-2020-0009 CVE-2020-0543
CVE-2020-1749 CVE-2020-2732 CVE-2020-8647 CVE-2020-8648
CVE-2020-8649 CVE-2020-9383 CVE-2020-10690 CVE-2020-10751
CVE-2020-10942 CVE-2020-11494 CVE-2020-11565 CVE-2020-11608
CVE-2020-11609 CVE-2020-11668 CVE-2020-12114 CVE-2020-12464
CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12769
CVE-2020-12770 CVE-2020-12826 CVE-2020-13143
This update is now available for all supported architectures. For
reference the original advisory text follows.
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2015-8839
A race condition was found in the ext4 filesystem implementation.
A local user could exploit this to cause a denial of service
(filesystem corruption).
CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613
Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes
could trigger a crash (Oops) and/or out-of-bounds memory access.
An attacker able to mount such a volume could use this to cause a
denial of service or possibly for privilege escalation.
CVE-2019-5108
Mitchell Frank of Cisco discovered that when the IEEE 802.11
(WiFi) stack was used in AP mode with roaming, it would trigger
roaming for a newly associated station before the station was
authenticated. An attacker within range of the AP could use this
to cause a denial of service, either by filling up a switching
table or by redirecting traffic away from other stations.
CVE-2019-19319
Jungyeon discovered that a crafted filesystem can cause the ext4
implementation to deallocate or reallocate journal blocks. A user
permitted to mount filesystems could use this to cause a denial of
service (crash), or possibly for privilege escalation.
CVE-2019-19447
It was discovered that the ext4 filesystem driver did not safely
handle unlinking of an inode that, due to filesystem corruption,
already has a link count of 0. An attacker able to mount
arbitrary ext4 volumes could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.
CVE-2019-19768
Tristan Madani reported a race condition in the blktrace debug
facility that could result in a use-after-free. A local user able
to trigger removal of block devices could possibly use this to
cause a denial of service (crash) or for privilege escalation.
CVE-2019-20636
The syzbot tool found that the input subsystem did not fully
validate keycode changes, which could result in a heap
out-of-bounds write. A local user permitted to access the device
node for an input or VT device could possibly use this to cause a
denial of service (crash or memory corruption) or for privilege
escalation.
CVE-2020-0009
Jann Horn reported that the Android ashmem driver did not prevent
read-only files from being memory-mapped and then remapped as
read-write. However, Android drivers are not enabled in Debian
kernel configurations.
CVE-2020-0543
Researchers at VU Amsterdam discovered that on some Intel CPUs
supporting the RDRAND and RDSEED instructions, part of a random
value generated by these instructions may be used in a later
speculative execution on any core of the same physical CPU.
Depending on how these instructions are used by applications, a
local user or VM guest could use this to obtain sensitive
information such as cryptographic keys from other users or VMs.
This vulnerability can be mitigated by a microcode update, either
as part of system firmware (BIOS) or through the intel-microcode
package in Debian's non-free archive section. This kernel update
only provides reporting of the vulnerability and the option to
disable the mitigation if it is not needed.
CVE-2020-1749
Xiumei Mu reported that some network protocols that can run on top
of IPv6 would bypass the Transformation (XFRM) layer used by
IPsec, IPcomp/IPcomp6, IPIP, and IPv6 Mobility. This could result
in disclosure of information over the network, since it would not
be encrypted or routed according to the system policy.
CVE-2020-2732
Paulo Bonzini discovered that the KVM implementation for Intel
processors did not properly handle instruction emulation for L2
guests when nested virtualization is enabled. This could allow an
L2 guest to cause privilege escalation, denial of service, or
information leaks in the L1 guest.
CVE-2020-8647, CVE-2020-8649
The Hulk Robot tool found a potential MMIO out-of-bounds access in
the vgacon driver. A local user permitted to access a virtual
terminal (/dev/tty1 etc.) on a system using the vgacon driver
could use this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.
CVE-2020-8648
The syzbot tool found a race condition in the the virtual terminal
driver, which could result in a use-after-free. A local user
permitted to access a virtual terminal could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.
CVE-2020-9383
Jordy Zomer reported an incorrect range check in the floppy driver
which could lead to a static out-of-bounds access. A local user
permitted to access a floppy drive could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.
CVE-2020-10690
It was discovered that the PTP hardware clock subsystem did not
properly manage device lifetimes. Removing a PTP hardware clock
from the system while a user process was using it could lead to a
use-after-free. The security impact of this is unclear.
CVE-2020-10751
Dmitry Vyukov reported that the SELinux subsystem did not properly
handle validating multiple messages, which could allow a privileged
attacker to bypass SELinux netlink restrictions.
CVE-2020-10942
It was discovered that the vhost_net driver did not properly
validate the type of sockets set as back-ends. A local user
permitted to access /dev/vhost-net could use this to cause a stack
corruption via crafted system calls, resulting in denial of
service (crash) or possibly privilege escalation.
CVE-2020-11494
It was discovered that the slcan (serial line CAN) network driver
did not fully initialise CAN headers for received packets,
resulting in an information leak from the kernel to user-space or
over the CAN network.
CVE-2020-11565
Entropy Moe reported that the shared memory filesystem (tmpfs) did
not correctly handle an "mpol" mount option specifying an empty
node list, leading to a stack-based out-of-bounds write. If user
namespaces are enabled, a local user could use this to cause a
denial of service (crash) or possibly for privilege escalation.
CVE-2020-11608, CVE-2020-11609, CVE-2020-11668
It was discovered that the ov519, stv06xx, and xirlink_cit media
drivers did not properly validate USB device descriptors. A
physically present user with a specially constructed USB device
could use this to cause a denial-of-service (crash) or possibly
for privilege escalation.
CVE-2020-12114
Piotr Krysiuk discovered a race condition between the umount and
pivot_root operations in the filesystem core (vfs). A local user
with the CAP_SYS_ADMIN capability in any user namespace could use
this to cause a denial of service (crash).
CVE-2020-12464
Kyungtae Kim reported a race condition in the USB core that can
result in a use-after-free. It is not clear how this can be
exploited, but it could result in a denial of service (crash or
memory corruption) or privilege escalation.
CVE-2020-12652
Tom Hatskevich reported a bug in the mptfusion storage drivers.
An ioctl handler fetched a parameter from user memory twice,
creating a race condition which could result in incorrect locking
of internal data structures. A local user permitted to access
/dev/mptctl could use this to cause a denial of service (crash or
memory corruption) or for privilege escalation.
CVE-2020-12653
It was discovered that the mwifiex WiFi driver did not
sufficiently validate scan requests, resulting a potential heap
buffer overflow. A local user with CAP_NET_ADMIN capability could
use this to cause a denial of service (crash or memory corruption)
or possibly for privilege escalation.
CVE-2020-12654
It was discovered that the mwifiex WiFi driver did not
sufficiently validate WMM parameters received from an access point
(AP), resulting a potential heap buffer overflow. A malicious AP
could use this to cause a denial of service (crash or memory
corruption) or possibly to execute code on a vulnerable system.
CVE-2020-12769
It was discovered that the spi-dw SPI host driver did not properly
serialise access to its internal state. The security impact of
this is unclear, and this driver is not included in Debian's
binary packages.
CVE-2020-12770
It was discovered that the sg (SCSI generic) driver did not
correctly release internal resources in a particular error case.
A local user permitted to access an sg device could possibly use
this to cause a denial of service (resource exhaustion).
CVE-2020-12826
Adam Zabrocki reported a weakness in the signal subsystem's
permission checks. A parent process can choose an arbitary signal
for a child process to send when it exits, but if the parent has
executed a new program then the default SIGCHLD signal is sent. A
local user permitted to run a program for several days could
bypass this check, execute a setuid program, and then send an
arbitrary signal to it. Depending on the setuid programs
installed, this could have some security impact.
CVE-2020-13143
Kyungtae Kim reported a potential heap out-of-bounds write in
the USB gadget subsystem. A local user permitted to write to
the gadget configuration filesystem could use this to cause a
denial of service (crash or memory corruption) or potentially
for privilege escalation.
For Debian 8 "Jessie", these problems have been fixed in version
3.16.84-1.
We recommend that you upgrade your linux packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXuHFtuNLKJtyKPYoAQgpKg//dheBZ2juFgRAa/2qx+tEHMab28ImdvAk
v1S2rpcfdn6yklWnZtvT0fgAG+BM0lOutG63b0Egf8wxSKKF2Sh6yyEVRf7fbwao
YiP/42pYO+KFXbWifq30VwyIdbVcNV/mJaDocYAwrP8DasZy13NfnM4DqxO6yxoQ
XIgX0aaGFS61/cnjHGmI2KUC4BjN6RbXXUB1AZHx2TvxB8T+VvrWmctygHTluJzx
RgI6fKh3O8IY0VGrQ/6tr3+ZhvW7SYPdDx6Tab1/KEZRDPXgcBBq1EPhxRylplxW
gKRU4x2lbtUqWAiojpdVXV91H2putyzuCA9IR3Xg/w8SQxv67LZJp9anvQj4CGDh
nH5R+V2lDQ2azkICdOkT31sl3IjQfwcC2FD2VdN1M8Hk8bsBHo2BBIww5vsivGQ3
43Epgerk/mZEUV1OCkF/XH60QSiohEPwAyrLLiTl3cfN+0hGpR6FDnKOBGzueYUZ
pXehc/OvC9DGQo2MN/YGE6rOmyYxed+ZJ8FCgS7/9t/pynywV4ovsXQbanu6YLiG
BuTr4icsrM7rZkVFaXAXJaPwFVuqzLyM3fXi32anrpETjB79fktyxCMNBBi2drCO
1ubPMiSdyWQTyu70Usa+JktLWLvAg8TOI3WpphQdCyIU6eigkwppUwIYZRKxwBfV
KfG70gRC0Jw=
=QpAc
-----END PGP SIGNATURE-----