Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.0200
linux security update
20 January 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: linux
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-19966 CVE-2019-19965 CVE-2019-19947
CVE-2019-19922 CVE-2019-19767 CVE-2019-19537
CVE-2019-19536 CVE-2019-19534 CVE-2019-19533
CVE-2019-19532 CVE-2019-19531 CVE-2019-19530
CVE-2019-19527 CVE-2019-19524 CVE-2019-19523
CVE-2019-19332 CVE-2019-19227 CVE-2019-19066
CVE-2019-19062 CVE-2019-19057 CVE-2019-19056
CVE-2019-19052 CVE-2019-19051 CVE-2019-17666
CVE-2019-17133 CVE-2019-17056 CVE-2019-17055
CVE-2019-17054 CVE-2019-17053 CVE-2019-17052
CVE-2019-16746 CVE-2019-15505 CVE-2019-15291
CVE-2019-15217 CVE-2019-15098 CVE-2019-14901
CVE-2019-14897 CVE-2019-14896 CVE-2019-14895
CVE-2019-10220 CVE-2019-2215 CVE-2019-1996
CVE-2019-1953 CVE-2019-1952 CVE-2019-1906
CVE-2019-1905 CVE-2019-1705 CVE-2019-1521
Reference: ESB-2020.0141
ESB-2020.0052.2
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Package : linux
Version : 3.16.81-1
CVE ID : CVE-2019-2215 CVE-2019-10220 CVE-2019-14895 CVE-2019-14896
CVE-2019-14897 CVE-2019-14901 CVE-2019-15098 CVE-2019-15217
CVE-2019-15291 CVE-2019-15505 CVE-2019-16746 CVE-2019-17052
CVE-2019-17053 CVE-2019-17054 CVE-2019-17055 CVE-2019-17056
CVE-2019-17133 CVE-2019-17666 CVE-2019-19051 CVE-2019-19052
CVE-2019-19056 CVE-2019-19057 CVE-2019-19062 CVE-2019-19066
CVE-2019-19227 CVE-2019-19332 CVE-2019-19523 CVE-2019-19524
CVE-2019-19527 CVE-2019-19530 CVE-2019-19531 CVE-2019-19532
CVE-2019-19533 CVE-2019-19534 CVE-2019-19536 CVE-2019-19537
CVE-2019-19767 CVE-2019-19922 CVE-2019-19947 CVE-2019-19965
CVE-2019-19966
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.
CVE-2019-2215
The syzkaller tool discovered a use-after-free vulnerability in
the Android binder driver. A local user on a system with this
driver enabled could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.
However, this driver is not enabled on Debian packaged kernels.
CVE-2019-10220
Various developers and researchers found that if a crafted file-
system or malicious file server presented a directory with
filenames including a '/' character, this could confuse and
possibly defeat security checks in applications that read the
directory.
The kernel will now return an error when reading such a directory,
rather than passing the invalid filenames on to user-space.
CVE-2019-14895, CVE-2019-14901
ADLab of Venustech discovered potential heap buffer overflows in
the mwifiex wifi driver. On systems using this driver, a
malicious Wireless Access Point or adhoc/P2P peer could use these
to cause a denial of service (memory corruption or crash) or
possibly for remote code execution.
CVE-2019-14896, CVE-2019-14897
ADLab of Venustech discovered potential heap and stack buffer
overflows in the libertas wifi driver. On systems using this
driver, a malicious Wireless Access Point or adhoc/P2P peer could
use these to cause a denial of service (memory corruption or
crash) or possibly for remote code execution.
CVE-2019-15098
Hui Peng and Mathias Payer reported that the ath6kl wifi driver
did not properly validate USB descriptors, which could lead to a
null pointer derefernce. An attacker able to add USB devices
could use this to cause a denial of service (BUG/oops).
CVE-2019-15217
The syzkaller tool discovered that the zr364xx mdia driver did not
correctly handle devices without a product name string, which
could lead to a null pointer dereference. An attacker able to add
USB devices could use this to cause a denial of service
(BUG/oops).
CVE-2019-15291
The syzkaller tool discovered that the b2c2-flexcop-usb media
driver did not properly validate USB descriptors, which could lead
to a null pointer dereference. An attacker able to add USB
devices could use this to cause a denial of service (BUG/oops).
CVE-2019-15505
The syzkaller tool discovered that the technisat-usb2 media driver
did not properly validate incoming IR packets, which could lead to
a heap buffer over-read. An attacker able to add USB devices
could use this to cause a denial of service (BUG/oops) or to read
sensitive information from kernel memory.
CVE-2019-16746
It was discovered that the wifi stack did not validate the content
of beacon heads provided by user-space for use on a wifi interface
in Access Point mode, which could lead to a heap buffer overflow.
A local user permitted to configure a wifi interface could use
this to cause a denial of service (memory corruption or crash) or
possibly for privilege escalation.
CVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055,=20
CVE-2019-17056
Ori Nimron reported that various network protocol implementations
- AX.25, IEEE 802.15.4, Appletalk, ISDN, and NFC - allowed all
users to create raw sockets. A local user could use this to send
arbitrary packets on networks using those protocols.
CVE-2019-17133
Nicholas Waisman reported that the wifi stack did not valdiate
received SSID information before copying it, which could lead to a
buffer overflow if it is not validated by the driver or firmware.
A malicious Wireless Access Point might be able to use this to
cause a denial of service (memory corruption or crash) or for
remote code execution.
CVE-2019-17666
Nicholas Waisman reported that the rtlwifi wifi drivers did not
properly validate received P2P information, leading to a buffer
overflow. A malicious P2P peer could use this to cause a denial
of service (memory corruption or crash) or for remote code
execution.
CVE-2019-19051
Navid Emamdoost discovered a potential memory leak in the i2400m
wimax driver if the software rfkill operation fails. The security
impact of this is unclear.
CVE-2019-19052
Navid Emamdoost discovered a potential memory leak in the gs_usb
CAN driver if the open (interface-up) operation fails. The
security impact of this is unclear.
CVE-2019-19056, CVE-2019-19057
Navid Emamdoost discovered potential memory leaks in the mwifiex
wifi driver if the probe operation fails. The security impact of
this is unclear.
CVE-2019-19062
Navid Emamdoost discovered a potential memory leak in the AF_ALG
subsystem if the CRYPTO_MSG_GETALG operation fails. A local user
could possibly use this to cause a denial of service (memory
exhaustion).
CVE-2019-19066
Navid Emamdoost discovered a potential memory leak in the bfa SCSI
driver if the get_fc_host_stats operation fails. The security
impact of this is unclear.
CVE-2019-19227
Dan Carpenter reported missing error checks in the Appletalk
protocol implementation that could lead to a null pointer
dereference. The security impact of this is unclear.
CVE-2019-19332
The syzkaller tool discovered a missing bounds check in the KVM
implementation for x86, which could lead to a heap buffer overflow.
A local user permitted to use KVM could use this to cause a denial
of service (memory corruption or crash) or possibly for privilege
escalation.
CVE-2019-19523
The syzkaller tool discovered a use-after-free bug in the adutux
USB driver. An attacker able to add and remove USB devices could
use this to cause a denial of service (memory corruption or crash)
or possibly for privilege escalation.
CVE-2019-19524
The syzkaller tool discovered a race condition in the ff-memless
library used by input drivers. An attacker able to add and remove
USB devices could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.
CVE-2019-19527
The syzkaller tool discovered that the hiddev driver did not
correctly handle races between a task opening the device and
disconnection of the underlying hardware. A local user permitted
to access hiddev devices, and able to add and remove USB devices,
could use this to cause a denial of service (memory corruption or
crash) or possibly for privilege escalation.
CVE-2019-19530
The syzkaller tool discovered a potential use-after-free in the
cdc-acm network driver. An attacker able to add USB devices could
use this to cause a denial of service (memory corruption or crash)
or possibly for privilege escalation.
CVE-2019-19531
The syzkaller tool discovered a use-after-free bug in the yurex
USB driver. An attacker able to add and remove USB devices could
use this to cause a denial of service (memory corruption or crash)
or possibly for privilege escalation.
CVE-2019-19532
The syzkaller tool discovered a potential heap buffer overflow in
the hid-gaff input driver, which was also found to exist in many
other input drivers. An attacker able to add USB devices could
use this to cause a denial of service (memory corruption or crash)
or possibly for privilege escalation.
CVE-2019-19533
The syzkaller tool discovered that the ttusb-dec media driver was
missing initialisation of a structure, which could leak sensitive
information from kernel memory.
CVE-2019-19534, CVE-2019-19536
The syzkaller tool discovered that the peak_usb CAN driver was
missing initialisation of some structures, which could leak
sensitive information from kernel memory.
CVE-2019-19537
The syzkaller tool discovered race conditions in the USB stack,
involving character device registration. An attacker able to add
USB devices could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.
CVE-2019-19767
The syzkaller tool discovered that crafted ext4 volumes could
trigger a buffer overflow in the ext4 filesystem driver. An
attacker able to mount such a volume could use this to cause a
denial of service (memory corruption or crash) or possibly for
privilege escalation.
CVE-2019-19922
It was discovered that a change in Linux 3.16.61, "sched/fair: Fix
bandwidth timer clock drift condition", could lead to tasks being
throttled before using their full quota of CPU time. A local
user could use this bug to slow down other users' tasks. This
change has been reverted.
CVE-2019-19947
It was discovered that the kvaser_usb CAN driver was missing
initialisation of some structures, which could leak sensitive
information from kernel memory.
CVE-2019-19965
Gao Chuan reported a race condition in the libsas library used by
SCSI host drivers, which could lead to a null pointer dereference.
An attacker able to add and remove SCSI devices could use this to
cause a denial of service (BUG/oops).
CVE-2019-19966
The syzkaller tool discovered a missing error check in the cpia2
media driver, which could lead to a use-after-free. An attacker
able to add USB devices could use this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation.
For Debian 8 "Jessie", these problems have been fixed in version
3.16.81-1.
We recommend that you upgrade your linux packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXiUsQ2aOgq3Tt24GAQhN5BAAzzq9/mK4rNcX+8n0d7WQNZGh5Z5xkFnG
dHQ4KFmrSN2j757WwYUXT/JgHW5ynHb9tebGfMMrcaEBhDnvXkPcnClhlnWgbdby
PWMMpS4Vk9AhxRjwgkWdsRqd2yv+TRc/PWgg4Qu8EHT96ESJwAJr56zu/DYuJxHY
ETR3Pp6ZgaD0vlUMxjXz/YOkaXqeU0d/mV5yTOWnvom8ffDqrg/KU6olUeeKeCIA
f6tBdXuVjoINA0NcLYjl3mFNEq57ojUOHGIAZZu9s/VsLiizI79EXQF82u6zrkU5
4pUtBSUCn8JCky0N0c7+gZgtappW9xNA7ryTRkIQcPDubzbWw62PXRzKIVVX4NIE
mqdsrf0Ur/+j+Pia1OOvJNuoxMjMOULtwg7BxQ4iCdmGWa/ZSMCbCqzvylQ6RVVE
LvRjIMNeWFh9B1C+l7BTEO0AKnwIUp2quUbQByydvGENKfGtsG8A9ibnqoDu+Bom
xtV5Ajcb3B92Mm8ah1zNpEI31NbXlmSF3/RpLEvK+0PRvGuLl7+UDtenIbEudtfW
3QMB8t7qXH0RQ0wksFNtSORbn6tijG1hzxRzjKTtdaBfmvoMHfOBl4LJoBj3MsOG
1S5PTP93DiHIvDUXPiVR80SgdUf8FvA3Qs0icXmAHAw4Ua/wBNITyavupRbS8P6N
KzGpeLkDC58=
=foMd
-----END PGP SIGNATURE-----