-------------------------------------------------------------------------
Debian LTS Advisory DLA-2483-1                [email protected]
https://www.debian.org/lts/security/                        Ben Hutchings
December 05, 2020                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-4.19
Version        : 4.19.160-2~deb9u1
CVE ID         : CVE-2019-19039 CVE-2019-19377 CVE-2019-19770 CVE-2019-19816
                 CVE-2020-0423 CVE-2020-8694 CVE-2020-14351 CVE-2020-25656
                 CVE-2020-25668 CVE-2020-25669 CVE-2020-25704 CVE-2020-25705
                 CVE-2020-27673 CVE-2020-27675 CVE-2020-28941 CVE-2020-28974
Debian Bug     : 949863 968623 971058

Several vulnerabilities have been discovered in the Linux kernel that
may lead to the execution of arbitrary code, privilege escalation,
denial of service or information leaks.

CVE-2019-19039

    "Team bobfuzzer" reported a bug in Btrfs that could lead to an
    assertion failure (WARN).  A user permitted to mount and access
    arbitrary filesystems could use this to cause a denial of service
    (crash) if the panic_on_warn kernel parameter is set.

CVE-2019-19377

    "Team bobfuzzer" reported a bug in Btrfs that could lead to a
    use-after-free.  A user permitted to mount and access arbitrary
    filesystems could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

CVE-2019-19770

    The syzbot tool discovered a race condition in the block I/O
    tracer (blktrace) that could lead to a system crash.  Since
    blktrace can only be controlled by privileged users, the security
    impact of this is unclear.

CVE-2019-19816

    "Team bobfuzzer" reported a bug in Btrfs that could lead to an
    out-of-bounds write.  A user permitted to mount and access
    arbitrary filesystems could use this to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-0423

    A race condition was discovered in the Android binder driver, that
    could result in a use-after-free.  On systems using this driver, a
    local user could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

CVE-2020-8694

    Multiple researchers discovered that the powercap subsystem
    allowed all users to read CPU energy meters, by default.  On
    systems using Intel CPUs, this provided a side channel that could
    leak sensitive information between user processes, or from the
    kernel to user processes.  The energy meters are now readable only
    by root, by default.

    This issue can be mitigated by running:

        chmod go-r /sys/devices/virtual/powercap/*/*/energy_uj

    This needs to be repeated each time the system is booted with
    an unfixed kernel version.

CVE-2020-14351

    A race condition was discovered in the performance events
    subsystem, which could lead to a use-after-free.  A local user
    permitted to access performance events could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

    Debian's kernel configuration does not allow unprivileged users to
    access peformance events by default, which fully mitigates this
    issue.

CVE-2020-25656

    Yuan Ming and Bodong Zhao discovered a race condition in the
    virtual terminal (vt) driver that could lead to a use-after-free.
    A local user with the CAP_SYS_TTY_CONFIG capability could use this
    to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

CVE-2020-25668

    Yuan Ming and Bodong Zhao discovered a race condition in the
    virtual terminal (vt) driver that could lead to a use-after-free.
    A local user with access to a virtual terminal, or with the
    CAP_SYS_TTY_CONFIG capability, could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2020-25669

    Bodong Zhao discovered a bug in the Sun keyboard driver (sunkbd)
    that could lead to a use-after-free.  On a system using this
    driver, a local user could use this to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25704

    kiyin(尹亮) discovered a potential memory leak in the performance
    events subsystem.  A local user permitted to access performance
    events could use this to cause a denial of service (memory
    exhaustion).

    Debian's kernel configuration does not allow unprivileged users to
    access peformance events by default, which fully mitigates this
    issue.

CVE-2020-25705

    Keyu Man reported that strict rate-limiting of ICMP packet
    transmission provided a side-channel that could help networked
    attackers to carry out packet spoofing.  In particular, this made
    it practical for off-path networked attackers to "poison" DNS
    caches with spoofed responses ("SAD DNS" attack).

    This issue has been mitigated by randomising whether packets are
    counted against the rate limit.

CVE-2020-27673 / XSA-332

    Julien Grall from Arm discovered a bug in the Xen event handling
    code.  Where Linux was used in a Xen dom0, unprivileged (domU)
    guests could cause a denial of service (excessive CPU usage or
    hang) in dom0.

CVE-2020-27675 / XSA-331

    Jinoh Kang of Theori discovered a race condition in the Xen event
    handling code.  Where Linux was used in a Xen dom0, unprivileged
    (domU) guests could cause a denial of service (crash) in dom0.

CVE-2020-28941

    Shisong Qin and Bodong Zhao discovered a bug in the Speakup screen
    reader subsystem.  Speakup assumed that it would only be bound to
    one terminal (tty) device at a time, but did not enforce this.  A
    local user could exploit this bug to cause a denial of service
    (crash or memory exhaustion).

CVE-2020-28974

    Yuan Ming discovered a bug in the virtual terminal (vt) driver
    that could lead to an out-of-bounds read.  A local user with
    access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG
    capability, could possibly use this to obtain sensitive
    information from the kernel or to cause a denial of service
    (crash).

    The specific ioctl operation affected by this bug
    (KD_FONT_OP_COPY) has been disabled, as it is not believed that
    any programs depended on it.

For Debian 9 stretch, these problems have been fixed in version
4.19.160-2~deb9u1.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams