Operating System:

[Ubuntu]

Published:

07 February 2020


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0447
                      USN-4271-1: Mesa vulnerability
                              7 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mesa
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5068  

Reference:         ESB-2020.0217
                   ESB-2020.0204
                   ESB-2020.0175
                   ESB-2019.4354

Original Bulletin: 
   https://usn.ubuntu.com/4271-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4271-1: Mesa vulnerability
6 February 2020

mesa vulnerability
A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 19.10
  o Ubuntu 18.04 LTS

Summary

Mesa could be made to expose sensitive information.

Software Description

  o mesa - free implementation of the EGL API

Details

Tim Brown discovered that Mesa incorrectly handled shared memory permissions. A
local attacker could use this issue to obtain and possibly alter sensitive
information belonging to another user.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 19.10
    libd3dadapter9-mesa - 19.2.8-0ubuntu0~19.10.2
    libegl-mesa0 - 19.2.8-0ubuntu0~19.10.2
    libegl1-mesa - 19.2.8-0ubuntu0~19.10.2
    libgbm1 - 19.2.8-0ubuntu0~19.10.2
    libgl1-mesa-dri - 19.2.8-0ubuntu0~19.10.2
    libgl1-mesa-glx - 19.2.8-0ubuntu0~19.10.2
    libglapi-mesa - 19.2.8-0ubuntu0~19.10.2
    libgles2-mesa - 19.2.8-0ubuntu0~19.10.2
    libglx-mesa0 - 19.2.8-0ubuntu0~19.10.2
    libosmesa6 - 19.2.8-0ubuntu0~19.10.2
    libwayland-egl1-mesa - 19.2.8-0ubuntu0~19.10.2
    libxatracker2 - 19.2.8-0ubuntu0~19.10.2
    mesa-opencl-icd - 19.2.8-0ubuntu0~19.10.2
    mesa-va-drivers - 19.2.8-0ubuntu0~19.10.2
    mesa-vdpau-drivers - 19.2.8-0ubuntu0~19.10.2
    mesa-vulkan-drivers - 19.2.8-0ubuntu0~19.10.2
Ubuntu 18.04 LTS
    libd3dadapter9-mesa - 19.2.8-0ubuntu0~18.04.2
    libegl-mesa0 - 19.2.8-0ubuntu0~18.04.2
    libegl1-mesa - 19.2.8-0ubuntu0~18.04.2
    libgbm1 - 19.2.8-0ubuntu0~18.04.2
    libgl1-mesa-dri - 19.2.8-0ubuntu0~18.04.2
    libgl1-mesa-glx - 19.2.8-0ubuntu0~18.04.2
    libglapi-mesa - 19.2.8-0ubuntu0~18.04.2
    libgles2-mesa - 19.2.8-0ubuntu0~18.04.2
    libglx-mesa0 - 19.2.8-0ubuntu0~18.04.2
    libosmesa6 - 19.2.8-0ubuntu0~18.04.2
    libwayland-egl1-mesa - 19.2.8-0ubuntu0~18.04.2
    libxatracker2 - 19.2.8-0ubuntu0~18.04.2
    mesa-opencl-icd - 19.2.8-0ubuntu0~18.04.2
    mesa-va-drivers - 19.2.8-0ubuntu0~18.04.2
    mesa-vdpau-drivers - 19.2.8-0ubuntu0~18.04.2
    mesa-vulkan-drivers - 19.2.8-0ubuntu0~18.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades

After a standard system update you need to restart your session to make all the
necessary changes.

References

  o CVE-2019-5068

- --------------------------END INCLUDED TEXT--------------------
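
To confirm a host has reached the package versions listed in the update instructions above, the following added example (not part of the Ubuntu notice or the AusCERT bulletin) compares installed versions against the fixed ones using Debian version ordering, where `~` sorts before everything else. The function names and the sample dpkg-query output are constructed for illustration.

```python
import re
# Package names and fixed versions as listed in USN-4271-1.
FIXED = {"19.10": "19.2.8-0ubuntu0~19.10.2", "18.04": "19.2.8-0ubuntu0~18.04.2"}
PACKAGES = set("""libd3dadapter9-mesa libegl-mesa0 libegl1-mesa libgbm1
libgl1-mesa-dri libgl1-mesa-glx libglapi-mesa libgles2-mesa libglx-mesa0
libosmesa6 libwayland-egl1-mesa libxatracker2 mesa-opencl-icd mesa-va-drivers
mesa-vdpau-drivers mesa-vulkan-drivers""".split())

def _order(c):
    # dpkg ordering: '~' sorts before end-of-string, letters before other symbols.
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between comparing a non-digit run and a numeric run.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        m, n = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(m or 0) != int(n or 0):
            return -1 if int(m or 0) < int(n or 0) else 1
        i, j = i + len(m), j + len(n)
    return 0

def deb_cmp(v1, v2):
    """Return -1, 0 or 1 using Debian's epoch:upstream-revision ordering."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(release, dpkg_output):
    """Return advisory packages whose installed version is below the fix."""
    rows = (line.split() for line in dpkg_output.splitlines())
    return [(r[0], r[1]) for r in rows
            if len(r) == 2 and r[0] in PACKAGES and deb_cmp(r[1], FIXED[release]) < 0]
# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE = """libgl1-mesa-dri 19.2.8-0ubuntu0~18.04.1
libgbm1 19.2.8-0ubuntu0~18.04.2
libegl-mesa0 19.2.1-1ubuntu1~18.04.1
mesa-utils 8.4.0-1"""
print(audit("18.04", SAMPLE))
```

A package at the fixed version still needs the session restart the notice mentions, because processes started before the update keep the old library mapped.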

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----