MGASA-2021-0030 - Updated kernel packages fix security vulnerabilities

Publication date: 15 Jan 2021
URL: https://advisories.mageia.org/MGASA-2021-0030.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-0423,
     CVE-2020-0465,
     CVE-2020-8694,
     CVE-2020-12912,
     CVE-2020-14351,
     CVE-2020-25656,
     CVE-2020-25668,
     CVE-2020-25669,
     CVE-2020-25704,
     CVE-2020-25705,
     CVE-2020-27152,
     CVE-2020-27194,
     CVE-2020-27673,
     CVE-2020-27675,
     CVE-2020-27825,
     CVE-2020-27830,
     CVE-2020-27835,
     CVE-2020-28588,
     CVE-2020-28915,
     CVE-2020-28941,
     CVE-2020-28974,
     CVE-2020-29534,
     CVE-2020-29660,
     CVE-2020-29661

This update provides an upgrade to the new upstream 5.10 longterm branch,
currently based on 5.10.6, adding new features and new and improved
hardware support.

This update also fixes at least the following security issues:

In binder_release_work of binder.c, there is a possible use-after-free due
to improper locking. This could lead to local escalation of privilege in
the kernel with no additional execution privileges needed. User interaction
is not needed for exploitation (CVE-2020-0423).

In various methods of hid-multitouch.c, there is a possible out of bounds
write due to a missing bounds check. This could lead to local escalation of
privilege with no additional execution privileges needed. User interaction
is not needed for exploitation (CVE-2020-0465).

Insufficient access control in the Linux kernel driver for some Intel(R)
Processors may allow an authenticated user to potentially enable information
disclosure via local access (CVE-2020-8694).

A potential vulnerability in the AMD extension to Linux "hwmon" service may
allow an attacker to use the Linux-based Running Average Power Limit (RAPL)
interface to show various side channel attacks. In line with industry
partners, AMD has updated the RAPL interface to require privileged access
(CVE-2020-12912).

A use-after-free memory flaw was found in the perf subsystem allowing a
local attacker with permission to monitor perf events to corrupt memory and
possibly escalate privileges. The highest threat from this vulnerability
is to data confidentiality and integrity as well as system availability
(CVE-2020-14351).

A use-after-free was found in the way the console subsystem was using the
ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to obtain an
out-of-bounds memory read. The highest threat from this vulnerability is
to data confidentiality (CVE-2020-25656).

A concurrency use-after-free in the Linux kernel vt (virtual terminal)
subsystem (CVE-2020-25668).

A use-after-free in sunkbd_reinit in the Linux kernel (CVE-2020-25669).

A memory leak flaw was found in the Linux kernel performance monitoring
subsystem in the way PERF_EVENT_IOC_SET_FILTER is handled. A local user could
use this flaw to exhaust resources, causing a denial of service (CVE-2020-25704).

A flaw was found in the way the Linux kernel rate-limits ICMP reply packets
that allows open UDP ports to be scanned quickly. This flaw allows an
off-path remote user to effectively bypass UDP source port randomization.
The highest threat from this vulnerability is to confidentiality and possibly
integrity, because software that relies on UDP source port randomization is
indirectly affected as well (CVE-2020-25705).

An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c
in the Linux kernel before 5.9.2. It has an infinite loop related to
improper interaction between a resampler and edge triggering (CVE-2020-27152).

An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or
in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit
values (CVE-2020-27194).

An issue was discovered in the Linux kernel through 5.9.1, as used with Xen
through 4.14.x. Guest OS users can cause a denial of service (host OS hang)
via a high rate of events to dom0 (CVE-2020-27673).

An issue was discovered in the Linux kernel through 5.9.1, as used with Xen
through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal
during the event-handling loop (a race condition). This can cause a
use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash
via events for an in-reconfiguration paravirtualized device (CVE-2020-27675).

A use-after-free flaw was found in kernel/trace/ring_buffer.c in the Linux
kernel (before 5.10-rc1). A race between trace_open and a resize of the CPU
buffer, running in parallel on different CPUs, may cause a denial of service
(DoS). This flaw could even allow a local attacker with special user
privilege to leak kernel information (CVE-2020-27825).

A NULL pointer dereference in spk_ttyio_receive_buf2 in the Linux kernel
(CVE-2020-27830).

A use-after-free in the Linux kernel infiniband hfi1 driver in versions
prior to 5.10-rc6 was found in the way a user calls ioctl after opening the
device file and forking. A local user could use this flaw to crash the system
(CVE-2020-27835).

A bug in lib/syscall in the way syscall registers are retrieved on 32-bit
platforms (CVE-2020-28588).

A buffer over-read (at the framebuffer layer) in the fbcon code in the
Linux kernel before 5.8.15 could be used by local attackers to read kernel
memory (CVE-2020-28915).

An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in
the Linux kernel through 5.9.9. Local attackers on systems with the
speakup driver could cause a local denial of service attack (CVE-2020-28941).

A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could
be used by local attackers to read privileged information or potentially
crash the kernel (CVE-2020-28974).

An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a
non-refcounted reference to the files_struct of the process that submitted
a request, causing execve() to incorrectly optimize unshare_fd()
(CVE-2020-29534).

A locking inconsistency issue was discovered in the tty subsystem of the
Linux kernel through 5.9.13. drivers/tty/tty_io.c and
drivers/tty/tty_jobctrl.c may allow a read-after-free attack against
TIOCGSID (CVE-2020-29660).

A locking issue was discovered in the tty subsystem of the Linux kernel
through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack
against TIOCSPGRP (CVE-2020-29661).

Other changes in this update:
- xtables-addons have been updated to 3.13 for kernel 5.10 support.
- aufs-tools have been updated to 5.8.

For other upstream changes, see the referenced kernelnewbies and changelog
links.

References:
- https://bugs.mageia.org/show_bug.cgi?id=27938
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.1
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.2
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.3
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.4
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.5
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.6
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0423
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0465
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12912
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14351
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25656
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25668
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25669
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25704
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25705
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27152
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27194
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27673
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27675
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27825
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27830
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27835
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28588
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28915
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28941
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28974
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29534
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29660
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29661

SRPMS:
- 7/core/kernel-5.10.6-1.mga7
- 7/core/kmod-virtualbox-6.1.16-8.mga7
- 7/core/kmod-xtables-addons-3.13-4.mga7
- 7/core/xtables-addons-3.13-1.mga7
- 7/core/aufs-tools-5.8-0.git20201212.1.mga7
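As an added check that is not part of the advisory: the POSIX shell function below takes a kernel release string of the form reported by `uname -r`, extracts the upstream version and confirms it is at least the 5.10.6 base this update ships. The sample release strings are constructed, and the Mageia suffix layout in them is an assumption.

```shell
#!/bin/sh
# Added example, not Mageia's own tooling. Verifies that a running kernel
# is at least the upstream base (5.10.6) that MGASA-2021-0030 ships.

FIXED_UPSTREAM="5.10.6"

# Extract the leading dotted numeric version from a kernel release string,
# e.g. "5.10.6-desktop-1.mga7" (constructed sample) -> "5.10.6".
upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Compare two dotted versions component by component, numerically.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing components count as 0.
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; a=${a#*.}
        bh=${b%%.*}; b=${b#*.}
        [ -z "$ah" ] && ah=0
        [ -z "$bh" ] && bh=0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Returns success (0) when the given kernel release is at or above the
# fixed upstream version, failure otherwise.
kernel_is_fixed() {
    ver=$(upstream_version "$1")
    [ -n "$ver" ] || return 1
    [ "$(vercmp "$ver" "$FIXED_UPSTREAM")" -ge 0 ]
}

# Stand-alone use: check the kernel actually running on this host.
if kernel_is_fixed "$(uname -r)"; then
    echo "running kernel $(uname -r): at or above $FIXED_UPSTREAM"
else
    echo "running kernel $(uname -r): below $FIXED_UPSTREAM, update and reboot"
fi
```

Because the check reads the running kernel rather than the installed package, it also catches the common case where the updated kernel is installed but the host has not yet been rebooted into it.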
