1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
|
<define-tag description>LTS security update</define-tag>
<define-tag moreinfo>
<p>Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.</p>
<ul>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2015-8839">CVE-2015-8839</a>
<p>A race condition was found in the ext4 filesystem implementation.
A local user could exploit this to cause a denial of service
(filesystem corruption).</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2018-14610">CVE-2018-14610</a>, <a href="https://security-tracker.debian.org/tracker/CVE-2018-14611">CVE-2018-14611</a>, <a href="https://security-tracker.debian.org/tracker/CVE-2018-14612">CVE-2018-14612</a>, <a href="https://security-tracker.debian.org/tracker/CVE-2018-14613">CVE-2018-14613</a>
<p>Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes
could trigger a crash (Oops) and/or out-of-bounds memory access.
An attacker able to mount such a volume could use this to cause a
denial of service or possibly for privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-5108">CVE-2019-5108</a>
<p>Mitchell Frank of Cisco discovered that when the IEEE 802.11
(WiFi) stack was used in AP mode with roaming, it would trigger
roaming for a newly associated station before the station was
authenticated. An attacker within range of the AP could use this
to cause a denial of service, either by filling up a switching
table or by redirecting traffic away from other stations.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-19319">CVE-2019-19319</a>
<p>Jungyeon discovered that a crafted filesystem can cause the ext4
implementation to deallocate or reallocate journal blocks. A user
permitted to mount filesystems could use this to cause a denial of
service (crash), or possibly for privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-19447">CVE-2019-19447</a>
<p>It was discovered that the ext4 filesystem driver did not safely
handle unlinking of an inode that, due to filesystem corruption,
already has a link count of 0. An attacker able to mount
arbitrary ext4 volumes could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-19768">CVE-2019-19768</a>
<p>Tristan Madani reported a race condition in the blktrace debug
facility that could result in a use-after-free. A local user able
to trigger removal of block devices could possibly use this to
cause a denial of service (crash) or for privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-20636">CVE-2019-20636</a>
<p>The syzbot tool found that the input subsystem did not fully
validate keycode changes, which could result in a heap
out-of-bounds write. A local user permitted to access the device
node for an input or VT device could possibly use this to cause a
denial of service (crash or memory corruption) or for privilege
escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-0009">CVE-2020-0009</a>
<p>Jann Horn reported that the Android ashmem driver did not prevent
read-only files from being memory-mapped and then remapped as
read-write. However, Android drivers are not enabled in Debian
kernel configurations.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-0543">CVE-2020-0543</a>
<p>Researchers at VU Amsterdam discovered that on some Intel CPUs
supporting the RDRAND and RDSEED instructions, part of a random
value generated by these instructions may be used in a later
speculative execution on any core of the same physical CPU.
Depending on how these instructions are used by applications, a
local user or VM guest could use this to obtain sensitive
information such as cryptographic keys from other users or VMs.</p>
<p>This vulnerability can be mitigated by a microcode update, either
as part of system firmware (BIOS) or through the intel-microcode
package in Debian's non-free archive section. This kernel update
only provides reporting of the vulnerability and the option to
disable the mitigation if it is not needed.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-1749">CVE-2020-1749</a>
<p>Xiumei Mu reported that some network protocols that can run on top
of IPv6 would bypass the Transformation (XFRM) layer used by
IPsec, IPcomp/IPcomp6, IPIP, and IPv6 Mobility. This could result
in disclosure of information over the network, since it would not
be encrypted or routed according to the system policy.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-2732">CVE-2020-2732</a>
<p>Paulo Bonzini discovered that the KVM implementation for Intel
processors did not properly handle instruction emulation for L2
guests when nested virtualization is enabled. This could allow an
L2 guest to cause privilege escalation, denial of service, or
information leaks in the L1 guest.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-8647">CVE-2020-8647</a>, <a href="https://security-tracker.debian.org/tracker/CVE-2020-8649">CVE-2020-8649</a>
<p>The Hulk Robot tool found a potential MMIO out-of-bounds access in
the vgacon driver. A local user permitted to access a virtual
terminal (/dev/tty1 etc.) on a system using the vgacon driver
could use this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-8648">CVE-2020-8648</a>
<p>The syzbot tool found a race condition in the the virtual terminal
driver, which could result in a use-after-free. A local user
permitted to access a virtual terminal could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-9383">CVE-2020-9383</a>
<p>Jordy Zomer reported an incorrect range check in the floppy driver
which could lead to a static out-of-bounds access. A local user
permitted to access a floppy drive could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-10690">CVE-2020-10690</a>
<p>It was discovered that the PTP hardware clock subsystem did not
properly manage device lifetimes. Removing a PTP hardware clock
from the system while a user process was using it could lead to a
use-after-free. The security impact of this is unclear.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-10751">CVE-2020-10751</a>
<p>Dmitry Vyukov reported that the SELinux subsystem did not properly
handle validating multiple messages, which could allow a privileged
attacker to bypass SELinux netlink restrictions.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-10942">CVE-2020-10942</a>
<p>It was discovered that the vhost_net driver did not properly
validate the type of sockets set as back-ends. A local user
permitted to access /dev/vhost-net could use this to cause a stack
corruption via crafted system calls, resulting in denial of
service (crash) or possibly privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-11494">CVE-2020-11494</a>
<p>It was discovered that the slcan (serial line CAN) network driver
did not fully initialise CAN headers for received packets,
resulting in an information leak from the kernel to user-space or
over the CAN network.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-11565">CVE-2020-11565</a>
<p>Entropy Moe reported that the shared memory filesystem (tmpfs) did
not correctly handle an <q>mpol</q> mount option specifying an empty
node list, leading to a stack-based out-of-bounds write. If user
namespaces are enabled, a local user could use this to cause a
denial of service (crash) or possibly for privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-11608">CVE-2020-11608</a>, <a href="https://security-tracker.debian.org/tracker/CVE-2020-11609">CVE-2020-11609</a>, <a href="https://security-tracker.debian.org/tracker/CVE-2020-11668">CVE-2020-11668</a>
<p>It was discovered that the ov519, stv06xx, and xirlink_cit media
drivers did not properly validate USB device descriptors. A
physically present user with a specially constructed USB device
could use this to cause a denial-of-service (crash) or possibly
for privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12114">CVE-2020-12114</a>
<p>Piotr Krysiuk discovered a race condition between the umount and
pivot_root operations in the filesystem core (vfs). A local user
with the CAP_SYS_ADMIN capability in any user namespace could use
this to cause a denial of service (crash).</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12464">CVE-2020-12464</a>
<p>Kyungtae Kim reported a race condition in the USB core that can
result in a use-after-free. It is not clear how this can be
exploited, but it could result in a denial of service (crash or
memory corruption) or privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12652">CVE-2020-12652</a>
<p>Tom Hatskevich reported a bug in the mptfusion storage drivers.
An ioctl handler fetched a parameter from user memory twice,
creating a race condition which could result in incorrect locking
of internal data structures. A local user permitted to access
/dev/mptctl could use this to cause a denial of service (crash or
memory corruption) or for privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12653">CVE-2020-12653</a>
<p>It was discovered that the mwifiex WiFi driver did not
sufficiently validate scan requests, resulting a potential heap
buffer overflow. A local user with CAP_NET_ADMIN capability could
use this to cause a denial of service (crash or memory corruption)
or possibly for privilege escalation.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12654">CVE-2020-12654</a>
<p>It was discovered that the mwifiex WiFi driver did not
sufficiently validate WMM parameters received from an access point
(AP), resulting a potential heap buffer overflow. A malicious AP
could use this to cause a denial of service (crash or memory
corruption) or possibly to execute code on a vulnerable system.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12769">CVE-2020-12769</a>
<p>It was discovered that the spi-dw SPI host driver did not properly
serialise access to its internal state. The security impact of
this is unclear, and this driver is not included in Debian's
binary packages.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12770">CVE-2020-12770</a>
<p>It was discovered that the sg (SCSI generic) driver did not
correctly release internal resources in a particular error case.
A local user permitted to access an sg device could possibly use
this to cause a denial of service (resource exhaustion).</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12826">CVE-2020-12826</a>
<p>Adam Zabrocki reported a weakness in the signal subsystem's
permission checks. A parent process can choose an arbitary signal
for a child process to send when it exits, but if the parent has
executed a new program then the default SIGCHLD signal is sent. A
local user permitted to run a program for several days could
bypass this check, execute a setuid program, and then send an
arbitrary signal to it. Depending on the setuid programs
installed, this could have some security impact.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-13143">CVE-2020-13143</a>
<p>Kyungtae Kim reported a potential heap out-of-bounds write in
the USB gadget subsystem. A local user permitted to write to
the gadget configuration filesystem could use this to cause a
denial of service (crash or memory corruption) or potentially
for privilege escalation.</p></li>
</ul>
<p>For Debian 8 <q>Jessie</q>, these problems have been fixed in version
3.16.84-1.</p>
<p>We recommend that you upgrade your linux packages.</p>
<p>Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/lts/security/2020/dla-2241.data"
# $Id: $
|