field | value | date
---|---|---
author | Ben Hutchings <ben@decadent.org.uk> | 2020-04-20 22:04:36 +0100
committer | Ben Hutchings <ben@decadent.org.uk> | 2020-04-20 22:04:36 +0100
commit | 5d3ae9fd09f1af75d49d8121da800c5f55762910 |
tree | d8ba7d9b4e1690f2f847bac9dad9b04f92a7a841 |
parent | ccf5afcaaac8a27b9e640c3de59071935fbe3885 |

Add notes and status for many issues
-rw-r--r-- | active/CVE-2019-18885 | 16
-rw-r--r-- | active/CVE-2019-19318 | 3
-rw-r--r-- | active/CVE-2019-19319 | 18
-rw-r--r-- | active/CVE-2019-19768 | 16
-rw-r--r-- | active/CVE-2019-19770 | 12
-rw-r--r-- | active/CVE-2019-20636 | 4
-rw-r--r-- | active/CVE-2020-0009 | 8
-rw-r--r-- | active/CVE-2020-0041 | 12
-rw-r--r-- | active/CVE-2020-0067 | 12
-rw-r--r-- | active/CVE-2020-10708 | 19
-rw-r--r-- | active/CVE-2020-11608 | 4
-rw-r--r-- | active/CVE-2020-11609 | 4
-rw-r--r-- | active/CVE-2020-2732 | 8
-rw-r--r-- | active/CVE-2020-8647 | 4
-rw-r--r-- | active/CVE-2020-8648 | 4
-rw-r--r-- | active/CVE-2020-8649 | 6
-rw-r--r-- | active/CVE-2020-8832 | 4
-rw-r--r-- | active/CVE-2020-8992 | 10
-rw-r--r-- | active/CVE-2020-9383 | 8
19 files changed, 98 insertions, 74 deletions
diff --git a/active/CVE-2019-18885 b/active/CVE-2019-18885 index 8c2e7a1f..eaf6516c 100644 --- a/active/CVE-2019-18885 +++ b/active/CVE-2019-18885 @@ -2,12 +2,16 @@ Description: btrfs: crafted image causes null deref in btrfs_verify_dev_extent References: https://github.com/bobfuzzer/CVE-2019-18885 Notes: + bwh> If this issue is strictly limited to btrfs_verify_dev_extent() + bwh> then it was introduced at the earliest by the introduction of that + bwh> function in 4.19 (commit cf90d884b347). There may be similar + bwh> issues elsewhere though. Bugs: upstream: released (5.1-rc1) [09ba3bc9dd150457c506e4661380a6183af651c1] -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: +4.19-upstream-stable: needed +4.9-upstream-stable: N/A "Vulnerable code not present" +3.16-upstream-stable: N/A "Vulnerable code not present" sid: released (5.2.6-1) -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-buster-security: needed +4.9-stretch-security: N/A "Vulnerable code not present" +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2019-19318 b/active/CVE-2019-19318 index 492b76d8..1d6cee30 100644 --- a/active/CVE-2019-19318 +++ b/active/CVE-2019-19318 @@ -4,6 +4,9 @@ References: Notes: carnil> Introduced in 78134300579a ("locking/rwsem: Don't call carnil> owner_on_cpu() on read-owner") in 5.3-rc2? + bwh> I don't think so. That commit did not introduce the dereference of + bwh> the owner pointer, and the issue is also said to be reproducible on + bwh> 5.0.21 (which does not have a backport of it). Bugs: upstream: released (5.4) 4.19-upstream-stable: diff --git a/active/CVE-2019-19319 b/active/CVE-2019-19319 index c5dcf6ff..ae495d4d 100644 --- a/active/CVE-2019-19319 +++ b/active/CVE-2019-19319 
@@ -2,16 +2,24 @@ Description: ext4: crafted image causes heap OOB write in ext4_xattr_set_entry References: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19319 Notes: - bwh> The fix is unknown but the PoC is reported to fail on 5.3.11 and 5.4.0. carnil> Introduced in dec214d00e0d ("ext4: xattr inode deduplication") carnil> in 4.13-rc1? Cf. carnil> https://bugzilla.suse.com/show_bug.cgi?id=1158021#c2 + bwh> SUSE has backported the fix as far as 3.12. It turns out that + bwh> they backported *part* of commit dec214d00e0d to fix CVE-2018-1094 + bwh> which I thought didn't affect older branches. See + bwh> <https://github.com/openSUSE/kernel-source/blob/SLE12-SP4/patches.suse/ext4-make-metadata-csum-checks-safer.patch> + bwh> and + bwh> <https://github.com/openSUSE/kernel-source/blob/SLE12-SP4/patches.suse/ext4-protect-journal-inode-s-blocks-using-block_vali.patch>. + bwh> So we should probably apply both of these to 3.16 and 4.9. + bwh> Note the follow-up fixes: commits fbbbbd2f28aec, 170417c8c7bb, + bwh> 0a944e8a6c66, af133ade9a40. Bugs: -upstream: released (5.4) -4.19-upstream-stable: +upstream: released (5.2-rc1) [345c0dbf3a30872d9b204db96b5857cd00808cae] +4.19-upstream-stable: released (4.19.73) [2fd4629de51974002f4e9cf1a35a1926dd6c9d99] 4.9-upstream-stable: 3.16-upstream-stable: -sid: released (5.3.15-1) -4.19-buster-security: +sid: released (5.2.6-1) +4.19-buster-security: released (4.19.87-1) 4.9-stretch-security: 3.16-jessie-security: diff --git a/active/CVE-2019-19768 b/active/CVE-2019-19768 index a3a108fb..feff8a3d 100644 --- a/active/CVE-2019-19768 +++ b/active/CVE-2019-19768 
@@ -3,11 +3,11 @@ References: https://bugzilla.kernel.org/show_bug.cgi?id=205711 Notes: Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: released (5.6-rc4) [c780e86dd48ef6467a1146cf7d0fe1e05a635039] +4.19-upstream-stable: needed +4.9-upstream-stable: needed +3.16-upstream-stable: needed +sid: released (5.5.13-1) +4.19-buster-security: needed +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2019-19770 b/active/CVE-2019-19770 index 7c43d180..7bff8f54 100644 --- a/active/CVE-2019-19770 +++ b/active/CVE-2019-19770 @@ -1,15 +1,17 @@ -Description: debugfs_remove use-after-free +Description: blktrace: debugfs_remove use-after-free References: https://bugzilla.kernel.org/show_bug.cgi?id=205713 https://syzkaller.appspot.com/bug?extid=903b72a010ad6b7a40f2 https://lore.kernel.org/lkml/20200206111052.45356-1-yukuai3@huawei.com/ + https://lore.kernel.org/linux-block/20200402000002.7442-1-mcgrof@kernel.org/ Notes: + bwh> Note that only root can access debugfs by default. Bugs: -upstream: -4.19-upstream-stable: +upstream: needed +4.19-upstream-stable: needed 4.9-upstream-stable: 3.16-upstream-stable: -sid: -4.19-buster-security: +sid: needed +4.19-buster-security: needed 4.9-stretch-security: 3.16-jessie-security: diff --git a/active/CVE-2019-20636 b/active/CVE-2019-20636 index 77fda2d7..7348f7cc 100644 --- a/active/CVE-2019-20636 +++ b/active/CVE-2019-20636 
@@ -5,8 +5,8 @@ Bugs: upstream: released (5.5-rc6) [cb222aed03d798fc074be55e59d9a112338ee784] 4.19-upstream-stable: released (4.19.96) [f5b9bfbe94a042a2e3806efa4c6e1b6ddb4292c4] 4.9-upstream-stable: released (4.9.210) [5f27f97dfed4aa29fb95b98bf5911763bd3ef038] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.4.13-1) 4.19-buster-security: released (4.19.98-1) 4.9-stretch-security: released (4.9.210-1) -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2020-0009 b/active/CVE-2020-0009 index c5b6aebb..37309656 100644 --- a/active/CVE-2020-0009 +++ b/active/CVE-2020-0009 @@ -7,8 +7,8 @@ Bugs: upstream: released (5.6-rc3) [6d67b0290b4b84c477e6a2fc6e005e174d3c7786] 4.19-upstream-stable: released (4.19.107) [a4307700608e43dcf9b8abf1ee74f68227e9c61a] 4.9-upstream-stable: released (4.9.215) [a7fc5dbd17127c7301b0aefc2bcf1f54169c7383] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.5.13-1) -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-buster-security: needed +4.9-stretch-security: needed +3.16-jessie-security: ignored "Driver is not enabled or supported" diff --git a/active/CVE-2020-0041 b/active/CVE-2020-0041 index e35b352a..211529d2 100644 --- a/active/CVE-2020-0041 +++ b/active/CVE-2020-0041 @@ -7,10 +7,10 @@ Notes: carnil> earlier releases. Bugs: upstream: released (5.5-rc2) [16981742717b04644a41052570fb502682a315d2] -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: +4.19-upstream-stable: N/A "Vulnerability introduced later" +4.9-upstream-stable: N/A "Vulnerability introduced later" +3.16-upstream-stable: N/A "Vulnerability introduced later" sid: released (5.4.6-1) -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-buster-security: N/A "Vulnerability introduced later" +4.9-stretch-security: N/A "Vulnerability introduced later" +3.16-jessie-security: N/A "Vulnerability introduced later" 
diff --git a/active/CVE-2020-0067 b/active/CVE-2020-0067 index e0e784d4..a8fabcf0 100644 --- a/active/CVE-2020-0067 +++ b/active/CVE-2020-0067 @@ -4,10 +4,10 @@ References: Notes: Bugs: upstream: released (5.5-rc1) [688078e7f36c293dae25b338ddc9e0a2790f6e06] -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: +4.19-upstream-stable: needed +4.9-upstream-stable: needed +3.16-upstream-stable: needed sid: released (5.5.13-1) -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-buster-security: needed +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2020-10708 b/active/CVE-2020-10708 index 07500e27..b2f61848 100644 --- a/active/CVE-2020-10708 +++ b/active/CVE-2020-10708 @@ -2,13 +2,16 @@ Description: race condition in kernel/audit.c may allow low privilege users trig References: https://www.openwall.com/lists/oss-security/2020/04/17/1 https://bugzilla.redhat.com/show_bug.cgi?id=1822593 + https://www.openwall.com/lists/oss-security/2020/04/17/4 Notes: + bwh> Disputed - it actually requires the administrator to do strange + bwh> things. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: N/A "Not a security issue" +4.19-upstream-stable: N/A "Not a security issue" +4.9-upstream-stable: N/A "Not a security issue" +3.16-upstream-stable: N/A "Not a security issue" +sid: N/A "Not a security issue" +4.19-buster-security: N/A "Not a security issue" +4.9-stretch-security: N/A "Not a security issue" +3.16-jessie-security: N/A "Not a security issue" diff --git a/active/CVE-2020-11608 b/active/CVE-2020-11608 index 2004923c..d988be8f 100644 --- a/active/CVE-2020-11608 +++ b/active/CVE-2020-11608 
@@ -5,8 +5,8 @@ Bugs: upstream: released (5.7-rc1) [998912346c0da53a6dbb71fab3a138586b596b30] 4.19-upstream-stable: released (4.19.114) [747a7431661ab3c22ad1e721558bdf9e3d53d4a6] 4.9-upstream-stable: released (4.9.218) [03e73c3ef017580482d8e4de2db2bac9505facca] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.5.17-1) 4.19-buster-security: needed 4.9-stretch-security: needed -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2020-11609 b/active/CVE-2020-11609 index 5b12b04e..560a8c11 100644 --- a/active/CVE-2020-11609 +++ b/active/CVE-2020-11609 @@ -5,8 +5,8 @@ Bugs: upstream: released (5.7-rc1) [485b06aadb933190f4bc44e006076bc27a23f205] 4.19-upstream-stable: released (4.19.114) [70764334b2bcb15c67dfbd912d9a9f7076f6d0df] 4.9-upstream-stable: released (4.9.218) [be6fdd999bcc66cbfde80efbdc16cfd8a3290e38] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.5.17-1) 4.19-buster-security: needed 4.9-stretch-security: needed -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2020-2732 b/active/CVE-2020-2732 index e3dfa1a1..97ae3a29 100644 --- a/active/CVE-2020-2732 +++ b/active/CVE-2020-2732 @@ -11,8 +11,8 @@ Bugs: upstream: released (5.6-rc4) [07721feee46b4b248402133228235318199b05ec, 35a571346a94fb93b5b3b6a599675ef3384bc75c, e71237d3ff1abf9f3388337cfebf53b96df2020d] 4.19-upstream-stable: released (4.19.107) [ed9e97c35b454ceb1da4f65c318015a7ab298dae, 85dd0eb771e8cef7839dbd4cb61acde0b86ecd9e, e5c0857bd5ccf34d93b5b1ea858ab3d81a685b08] 4.9-upstream-stable: released (4.9.215) [86dc39e580d8e3ffa42c8157d3e28249fd9a12c5, f3e0dfb310e6a6f0190dbb3d6b337513b548507b, 35523a2d9918e36ad4fa6c9c0176279d7c1f4291] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.5.13-1) -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-buster-security: needed +4.9-stretch-security: needed +3.16-jessie-security: needed 
diff --git a/active/CVE-2020-8647 b/active/CVE-2020-8647 index 8e263319..175c1969 100644 --- a/active/CVE-2020-8647 +++ b/active/CVE-2020-8647 @@ -6,8 +6,8 @@ Bugs: upstream: released (5.6-rc5) [513dc792d6060d5ef572e43852683097a8420f56] 4.19-upstream-stable: released (4.19.109) [7abe1e0a874418b07524c9e07225df1cbb421ce9] 4.9-upstream-stable: released (4.9.216) 1f04adb4d691ed703b1fbc55d99f622b96cedecc] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.5.13-1) 4.19-buster-security: needed 4.9-stretch-security: needed -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2020-8648 b/active/CVE-2020-8648 index 537fa588..861400e2 100644 --- a/active/CVE-2020-8648 +++ b/active/CVE-2020-8648 @@ -7,8 +7,8 @@ Bugs: upstream: released (5.6-rc3) [07e6124a1a46b4b5a9b3cacc0c306b50da87abf5] 4.19-upstream-stable: released (4.19.109) [31559b59040fc0e6ad363642112d4eb03ad4ebb7] 4.9-upstream-stable: released (4.9.216) [290a9381ccc16131c6ccc19940589141985db6b1] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.5.13-1) 4.19-buster-security: needed 4.9-stretch-security: needed -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2020-8649 b/active/CVE-2020-8649 index 57576850..543c5911 100644 --- a/active/CVE-2020-8649 +++ b/active/CVE-2020-8649 
@@ -2,12 +2,14 @@ Description: vgacon_invert_region use-after-free References: https://bugzilla.kernel.org/show_bug.cgi?id=206357 Notes: + bwh> I have a suspicion that this has been confused with CVE-2020-8647, + bwh> though it is possible the same fix covers both. Bugs: upstream: released (5.6-rc5) [513dc792d6060d5ef572e43852683097a8420f56] 4.19-upstream-stable: released (4.19.109) [7abe1e0a874418b07524c9e07225df1cbb421ce9] 4.9-upstream-stable: released (4.9.216) [1f04adb4d691ed703b1fbc55d99f622b96cedecc] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.5.13-1) 4.19-buster-security: needed 4.9-stretch-security: needed -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2020-8832 b/active/CVE-2020-8832 index dbdc5a1f..16347962 100644 --- a/active/CVE-2020-8832 +++ b/active/CVE-2020-8832 @@ -16,8 +16,8 @@ Bugs: upstream: N/A "Incomplete fix not applied because prerequisite present before" 4.19-upstream-stable: N/A "Incomplete fix not applied because prerequisite present before" 4.9-upstream-stable: needed -3.16-upstream-stable: +3.16-upstream-stable: N/A "No support for this hardware" sid: N/A "Incomplete fix not applied because prerequisite present before" 4.19-buster-security: N/A "Incomplete fix not applied because prerequisite present before" 4.9-stretch-security: needed -3.16-jessie-security: +3.16-jessie-security: N/A "No support for this hardware" diff --git a/active/CVE-2020-8992 b/active/CVE-2020-8992 index 8f9f1386..f95dc091 100644 --- a/active/CVE-2020-8992 +++ b/active/CVE-2020-8992 
@@ -2,12 +2,14 @@ Description: ext4: add cond_resched() to ext4_protect_reserved_inode References: https://patchwork.ozlabs.org/patch/1236118/ Notes: + bwh> Introduced by fix for CVE-2019-19319, so we can avoid it by + bwh> applying both fixes at the same time. Bugs: upstream: released (5.6-rc2) [af133ade9a40794a37104ecbcc2827c0ea373a3c] 4.19-upstream-stable: released (4.19.105) [a5c03b93e7b5f2080cc574ac65312f0433758158] -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: N/A "Vulnerable code not present" +3.16-upstream-stable: N/A "Vulnerable code not present" sid: released (5.5.13-1) 4.19-buster-security: needed -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: N/A "Vulnerable code not present" +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2020-9383 b/active/CVE-2020-9383 index b9dede30..de12cdc4 100644 --- a/active/CVE-2020-9383 +++ b/active/CVE-2020-9383 @@ -5,8 +5,8 @@ Bugs: upstream: released (5.6-rc4) [2e90ca68b0d2f5548804f22f0dd61145516171e3] 4.19-upstream-stable: released (4.19.107) [c8fd87c53a1509162b910cec91c0c46753c58f9a] 4.9-upstream-stable: released (4.9.215) [5fbaa66c2a51c2260add842bd12cbc79715c5249] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.5.13-1) -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-buster-security: needed +4.9-stretch-security: needed +3.16-jessie-security: needed |
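
Review bot: In active/CVE-2019-18885, the 4.9 and 3.16 lines are set to N/A "Vulnerable code not present" without qualification, while the added note supports that only if the issue is strictly limited to btrfs_verify_dev_extent() and goes on to say there may be similar issues elsewhere. Either record in Notes that the older branches were checked for the same null dereference on the crafted image, or leave those four lines open until that is confirmed, so a later reader does not take the N/A as verified.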
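
Review bot: In active/CVE-2019-19319, the new note concludes "we should probably apply both of these to 3.16 and 4.9", but the 4.9-upstream-stable, 3.16-upstream-stable, 4.9-stretch-security and 3.16-jessie-security lines are still empty after this hunk. Marking them needed would match the note. The hunk also rewrites previously recorded values (upstream from 5.4 to 5.2-rc1, sid from 5.3.15-1 to 5.2.6-1), which the subject "Add notes and status for many issues" does not mention; one sentence in the commit message about that correction would help anyone bisecting the tracker history. Since af133ade9a40 in the follow-up list is the commit recorded as the fix in active/CVE-2020-8992, naming that CVE next to it would tie the two files together.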
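
Review bot: In active/CVE-2019-19770, upstream, 4.19 and sid are set to needed but the 4.9 and 3.16 lines are left empty, and Notes says nothing about whether those branches are affected. If that is still undetermined, say so in Notes; otherwise set the four lines in this hunk. The Description is also changed here to "blktrace: debugfs_remove use-after-free", which goes beyond the notes and status the commit subject announces.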
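
Review bot: In active/CVE-2020-10708, the note "it actually requires the administrator to do strange things" is the only justification for setting all eight lines to N/A "Not a security issue", and it does not say what the administrator has to do. State the precondition in a line or two, or say which of the three references carries the dispute, so the N/A can be checked without re-reading the whole thread.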
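
Review bot: In active/CVE-2020-8647, the unchanged 4.9-upstream-stable line reads "released (4.9.216) 1f04adb4d691ed703b1fbc55d99f622b96cedecc]" with the opening bracket missing; active/CVE-2020-8649 records the same commit as "[1f04adb4d691ed703b1fbc55d99f622b96cedecc]". Since this hunk edits the line directly below it, fix the bracket in the same change so anything parsing the status field picks up the commit id.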