CVE-2020-25668: [SECURITY] [DLA 2494-1] linux security update

A flaw was found in the Linux kernel: access to the global variable fg_console is not properly synchronized, leading to a use-after-free in con_font_op.


-------------------------------------------------------------------------
Debian LTS Advisory DLA-2494-1                           [email protected]
https://www.debian.org/lts/security/                        Ben Hutchings
December 18, 2020                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------


Package        : linux
Version        : 4.9.246-2
CVE ID         : CVE-2020-0427 CVE-2020-8694 CVE-2020-14351 CVE-2020-25645
                 CVE-2020-25656 CVE-2020-25668 CVE-2020-25669 CVE-2020-25704
                 CVE-2020-25705 CVE-2020-27673 CVE-2020-27675 CVE-2020-28974

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.

CVE-2020-0427

Elena Petrova reported a bug in the pinctrl subsystem that can
lead to a use-after-free after a device is renamed.  The security
impact of this is unclear.

CVE-2020-8694

Multiple researchers discovered that the powercap subsystem
allowed all users to read CPU energy meters, by default.  On
systems using Intel CPUs, this provided a side channel that could
leak sensitive information between user processes, or from the
kernel to user processes.  The energy meters are now readable only
by root, by default.

This issue can be mitigated by running:

    chmod go-r /sys/devices/virtual/powercap/*/*/energy_uj

This needs to be repeated each time the system is booted with
an unfixed kernel version.

CVE-2020-14351

A race condition was discovered in the performance events
subsystem, which could lead to a use-after-free.  A local user
permitted to access performance events could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.

Debian's kernel configuration does not allow unprivileged users to
access performance events by default, which fully mitigates this
issue.

CVE-2020-25645

A flaw was discovered in the interface driver for GENEVE
encapsulated traffic when combined with IPsec.  If IPsec is
configured to encrypt traffic for the specific UDP port used by the
GENEVE tunnel, tunneled data is not routed over the encrypted link
as intended and is sent unencrypted instead.

CVE-2020-25656

Yuan Ming and Bodong Zhao discovered a race condition in the
virtual terminal (vt) driver that could lead to a use-after-free.
A local user with the CAP_SYS_TTY_CONFIG capability could use this
to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2020-25668

Yuan Ming and Bodong Zhao discovered a race condition in the
virtual terminal (vt) driver that could lead to a use-after-free.
A local user with access to a virtual terminal, or with the
CAP_SYS_TTY_CONFIG capability, could use this to cause a denial of
service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2020-25669

Bodong Zhao discovered a bug in the Sun keyboard driver (sunkbd)
that could lead to a use-after-free.  On a system using this
driver, a local user could use this to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25704

kiyin(尹亮) discovered a potential memory leak in the performance
events subsystem.  A local user permitted to access performance
events could use this to cause a denial of service (memory
exhaustion).

Debian's kernel configuration does not allow unprivileged users to
access performance events by default, which fully mitigates this
issue.
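The chmod workaround given above for CVE-2020-8694 and the perf_event note for CVE-2020-14351 and CVE-2020-25704 both describe state that a host must be in until it reboots into 4.9.246-2. The following script is an added example, not part of this advisory or of Debian's tooling: it checks both conditions and can apply the powercap workaround. Paths are parameters so the functions can be run against a scratch tree; the defaults are the real sysfs and procfs locations. Two caveats a practitioner should know: the advisory's `*/*/energy_uj` glob reaches only the top-level zones, while RAPL sub-zones (for example intel-rapl:0:0 below intel-rapl:0) sit one directory deeper, so the check walks the whole tree; and a perf_event_paranoid value of 3 only means "no unprivileged access at all" on kernels carrying Debian's patch, upstream kernels treat 3 like 2.

```python
"""Host check for the interim mitigations in DLA-2494-1.

Added example, not part of the advisory. It checks the two workarounds the
advisory describes on a stretch host that has not yet rebooted into 4.9.246-2:
  * CVE-2020-8694: powercap energy meters (energy_uj) must not be readable by
    group or other;
  * CVE-2020-14351 / CVE-2020-25704: unprivileged perf_event access must be
    closed off by kernel.perf_event_paranoid.
"""
import os
import stat
import subprocess
import tempfile

POWERCAP_ROOT = "/sys/devices/virtual/powercap"
PERF_PARANOID = "/proc/sys/kernel/perf_event_paranoid"
FIXED_VERSION = "4.9.246-2"          # stretch fix shipped by this advisory
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def exposed_energy_meters(root=POWERCAP_ROOT):
    """energy_uj files under root that group or other may read.

    The whole tree is walked: RAPL sub-zones sit one directory deeper than
    the advisory's */*/energy_uj glob. Symlinks are not followed (sysfs has
    cycles). A missing root simply yields nothing (no powercap zones)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "energy_uj" in files:
            path = os.path.join(dirpath, "energy_uj")
            if os.stat(path).st_mode & GROUP_OTHER_READ:
                found.append(path)
    return sorted(found)


def restrict_energy_meters(root=POWERCAP_ROOT):
    """Apply the advisory's chmod go-r to every exposed meter; return them."""
    fixed = []
    for path in exposed_energy_meters(root):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~GROUP_OTHER_READ)
        fixed.append(path)
    return fixed


def perf_level_blocks_unprivileged(level):
    """True when a perf_event_paranoid value denies unprivileged users
    perf_event_open() entirely. Debian kernels patch level 3 to mean exactly
    that; upstream treats 3 like 2 (user-space profiling still allowed), so
    on a non-Debian kernel this is only a necessary condition."""
    return level >= 3


def perf_unprivileged_blocked(path=PERF_PARANOID):
    """Read the sysctl from procfs; unreadable or malformed counts as open."""
    try:
        with open(path) as f:
            return perf_level_blocks_unprivileged(int(f.read().strip()))
    except (OSError, ValueError):
        return False


def running_kernel_package_fixed(fixed=FIXED_VERSION):
    """Compare the installed version of linux-image-$(uname -r) with the fixed
    version using dpkg's own ordering. None when this is not a Debian host or
    the running kernel is not a packaged image. Installed is not running:
    after the upgrade the host still has to reboot into the new image."""
    pkg = "linux-image-" + os.uname().release
    try:
        have = subprocess.run(["dpkg-query", "-W", "-f=${Version}", pkg],
                              capture_output=True, text=True,
                              check=True).stdout.strip()
        cmp = subprocess.run(["dpkg", "--compare-versions", have, "ge", fixed])
    except (OSError, subprocess.CalledProcessError):
        return None
    return cmp.returncode == 0


def sample_powercap_tree():
    """Constructed stand-in for the sysfs layout (dry runs, tests): one
    package zone and one nested sub-zone, both 0644 as on an unfixed kernel."""
    root = tempfile.mkdtemp(prefix="powercap-")
    zone = os.path.join(root, "intel-rapl", "intel-rapl:0")
    for d in (zone, os.path.join(zone, "intel-rapl:0:0")):
        os.makedirs(d)
        meter = os.path.join(d, "energy_uj")
        with open(meter, "w") as f:
            f.write("123456789\n")          # made-up microjoule reading
        os.chmod(meter, 0o644)
    return root


def report():
    """Print the audit for this host; 1 when something is still open."""
    bad = False
    for path in exposed_energy_meters():
        print("CVE-2020-8694: group/world-readable meter:", path)
        bad = True
    if not perf_unprivileged_blocked():
        print("CVE-2020-14351/25704: perf_event_paranoid allows unprivileged use")
        bad = True
    if running_kernel_package_fixed() is False:
        print("running kernel image is older than", FIXED_VERSION)
        bad = True
    return 1 if bad else 0


if __name__ == "__main__":
    raise SystemExit(report())
```

Run it as root after every boot into an unfixed kernel; sysfs is rebuilt at boot, so `restrict_energy_meters()` has to be reapplied once the RAPL powercap driver has registered its zones, exactly as the advisory says for the chmod one-liner.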

CVE-2020-25705

Keyu Man reported that strict rate-limiting of ICMP packet
transmission provided a side-channel that could help networked
attackers to carry out packet spoofing.  In particular, this made
it practical for off-path networked attackers to "poison" DNS
caches with spoofed responses ("SAD DNS" attack).

This issue has been mitigated by randomising whether packets are
counted against the rate limit.
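The mechanism in the two paragraphs above is easier to see in a simulation. The following is an added example, not part of the advisory or of the kernel: a toy model in which the victim's global ICMP limiter is a credit bucket of 50 messages (the net.ipv4.icmp_msgs_burst default), a closed UDP port costs one credit when it answers with port-unreachable, and an open port costs nothing. An off-path attacker sends 50 probes with a spoofed source, then one probe from its own address: on an unfixed kernel a reply to the last probe means exactly one of the 50 guessed ports was open, which is the information SAD DNS needs before spoofing a response. With the per-message charge randomised, the same reply becomes close to a coin flip. The per-destination limiter, the 1000/s refill and real packets are left out, and the port numbers, the verification port and the padding range are assumptions of the model.

```python
"""Toy model of the ICMP rate-limit side channel behind CVE-2020-25705.

Added example, not from the advisory or the kernel. Only the global
limiter is modelled; a round is assumed to finish before a credit refills.
"""
import random

ICMP_MSGS_BURST = 50   # net.ipv4.icmp_msgs_burst default: credits per window
VERIFY_PORT = 1        # assumed closed on the victim; probed from the attacker's own address
PAD_BASE = 50000       # assumed-closed ports used to pad a round to BURST probes


class GlobalIcmpLimiter:
    """One credit bucket shared by every destination, as icmp_global_allow()
    keeps it."""

    def __init__(self, randomized, rng):
        self.credit = ICMP_MSGS_BURST
        self.randomized = randomized
        self.rng = rng

    def allow(self):
        """Return True if the kernel may emit an ICMP message now."""
        if self.credit <= 0:
            return False
        # Unfixed kernel: each message costs exactly one credit, so the bucket
        # level is a deterministic function of how many ICMPs went out.
        # Fixed kernel: the charge is 0, 1 or 2 at random (mean 1), modelled
        # on the upstream change that randomises the per-message credit.
        cost = self.rng.randrange(3) if self.randomized else 1
        self.credit = max(self.credit - cost, 0)
        return True


def udp_probe(limiter, open_ports, port):
    """Victim receives a UDP datagram for port. A closed port answers with
    ICMP port-unreachable to the datagram's source, if the limiter allows;
    an open port hands the datagram to its socket and says nothing.
    Returns True when an ICMP was emitted."""
    if port in open_ports:
        return False
    return limiter.allow()


def attacker_round(limiter, open_ports, guessed_ports):
    """One round as the off-path attacker sees it: probe every guessed port
    with a spoofed source (those ICMPs go elsewhere), then probe VERIFY_PORT
    from its own address. Exactly BURST probes are sent, so on an unfixed
    kernel a reply to the last probe means a guessed port was open (it did
    not consume a credit). Returns the attacker's conclusion."""
    if len(guessed_ports) != ICMP_MSGS_BURST:
        raise ValueError("a round must send exactly ICMP_MSGS_BURST probes")
    for port in guessed_ports:
        udp_probe(limiter, open_ports, port)
    return udp_probe(limiter, open_ports, VERIFY_PORT)


def inference_accuracy(randomized, trials=400, seed=1):
    """Fraction of rounds in which the attacker's conclusion is right. In
    half the rounds the resolver's ephemeral port is among the 50 guesses."""
    rng = random.Random(seed)
    guessed = list(range(30000, 30000 + ICMP_MSGS_BURST))
    correct = 0
    for i in range(trials):
        truth = i % 2 == 0
        ephemeral = rng.choice(guessed) if truth else 40000
        limiter = GlobalIcmpLimiter(randomized, rng)
        if attacker_round(limiter, {ephemeral}, guessed) == truth:
            correct += 1
    return correct / trials


def locate_open_port(candidates, open_ports, randomized=False, rng=None):
    """Bisect a candidate range of at most BURST ports down to the one open
    port, padding each round with assumed-closed ports so it stays at BURST
    probes. Each round gets a fresh limiter (the attacker waits for refill)."""
    rng = rng or random.Random(0)
    remaining = list(candidates)
    while len(remaining) > 1:
        half = remaining[:len(remaining) // 2]
        padding = [PAD_BASE + i for i in range(ICMP_MSGS_BURST - len(half))]
        limiter = GlobalIcmpLimiter(randomized, rng)
        if attacker_round(limiter, open_ports, half + padding):
            remaining = half
        else:
            remaining = remaining[len(half):]
    return remaining[0]


if __name__ == "__main__":
    print("unfixed kernel, inference accuracy:", inference_accuracy(False))
    print("randomised limiter, inference accuracy:", inference_accuracy(True))
    print("unfixed kernel, port found by bisection:",
          locate_open_port(range(30000, 30050), {30037}))
```

On the unfixed limiter `inference_accuracy(False)` is exactly 1.0 and `locate_open_port` pins the port in six rounds; with the randomised charge the accuracy drops to roughly one half, so the attacker needs many more rounds, during which the resolver's outstanding query normally completes. That is why the advisory calls the change a mitigation rather than a fix.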

CVE-2020-27673 / XSA-332

Julien Grall from Arm discovered a bug in the Xen event handling
code.  Where Linux was used in a Xen dom0, unprivileged (domU)
guests could cause a denial of service (excessive CPU usage or
hang) in dom0.

CVE-2020-27675 / XSA-331

Jinoh Kang of Theori discovered a race condition in the Xen event
handling code.  Where Linux was used in a Xen dom0, unprivileged
(domU) guests could cause a denial of service (crash) in dom0.

CVE-2020-28974

Yuan Ming discovered a bug in the virtual terminal (vt) driver
that could lead to an out-of-bounds read.  A local user with
access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG
capability, could possibly use this to obtain sensitive
information from the kernel or to cause a denial of service
(crash).

The specific ioctl operation affected by this bug
(KD_FONT_OP_COPY) has been disabled, as it is not believed that
any programs depended on it.

For Debian 9 stretch, these problems have been fixed in version 4.9.246-2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

– Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
