-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3341
                        linux-4.19 security update
                             29 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Root Compromise                 -- Existing Account      
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26088 CVE-2020-25641 CVE-2020-25285
                   CVE-2020-25284 CVE-2020-25212 CVE-2020-16166
                   CVE-2020-14390 CVE-2020-14386 CVE-2020-14385
                   CVE-2020-14356 CVE-2020-14331 CVE-2020-14314
                   CVE-2020-12888 CVE-2020-10781 CVE-2020-2528
                   CVE-2020-1439 CVE-2020-1433 CVE-2019-19816
                   CVE-2019-19813 CVE-2019-19448 CVE-2019-3874

Reference:         ESB-2020.3236
                   ESB-2020.3125
                   ESB-2020.3067

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2385-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
September 28, 2020                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux-4.19
Version        : 4.19.146-1~deb9u1
CVE ID         : CVE-2019-3874 CVE-2019-19448 CVE-2019-19813 CVE-2019-19816
                 CVE-2020-10781 CVE-2020-12888 CVE-2020-14314 CVE-2020-1433=
1
                 CVE-2020-14356 CVE-2020-14385 CVE-2020-14386 CVE-2020-1439=
0
                 CVE-2020-16166 CVE-2020-25212 CVE-2020-25284 CVE-2020-2528=
5
                 CVE-2020-25641 CVE-2020-26088
Debian Bug     : 966846 966917 968567

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2019-3874

    Kernel buffers allocated by the SCTP network protocol were not
    limited by the memory cgroup controller.  A local user could
    potentially use this to evade container memory limits and to cause
    a denial of service (excessive memory use).

CVE-2019-19448, CVE-2019-19813, CVE-2019-19816

    "Team bobfuzzer" reported bugs in Btrfs that could lead to a
    use-after-free or heap buffer overflow, and could be triggered by
    crafted filesystem images.  A user permitted to mount and access
    arbitrary filesystems could use these to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-10781

    Luca Bruno of Red Hat discovered that the zram control file
    /sys/class/zram-control/hot_add was readable by all users.  On a
    system with zram enabled, a local user could use this to cause a
    denial of service (memory exhaustion).

CVE-2020-12888

    It was discovered that the PCIe Virtual Function I/O (vfio-pci)
    driver allowed users to disable a device's memory space while it
    was still mapped into a process.  On some hardware platforms,
    local users or guest virtual machines permitted to access PCIe
    Virtual Functions could use this to cause a denial of service
    (hardware error and crash).

CVE-2020-14314

    A bug was discovered in the ext4 filesystem that could lead to an
    out-of-bound read.  A local user permitted to mount and access
    arbitrary filesystem images could use this to cause a denial of
    service (crash).

CVE-2020-14331

    A bug was discovered in the VGA console driver's soft-scrollback
    feature that could lead to a heap buffer overflow.  On a system
    with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK
    enabled, a local user with access to a console could use this to
    cause a denial of service (crash or memory corruption) or possibly
    for privilege escalation.

CVE-2020-14356

    A bug was discovered in the cgroup subsystem's handling of socket
    references to cgroups.  In some cgroup configurations, this could
    lead to a use-after-free.  A local user might be able to use this
    to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

CVE-2020-14385

    A bug was discovered in XFS, which could lead to an extended
    attribute (xattr) wrongly being detected as invalid.  A local user
    with access to an XFS filesystem could use this to cause a denial
    of service (filesystem shutdown).

CVE-2020-14386

    Or Cohen discovered a bug in the packet socket (AF_PACKET)
    implementation which could lead to a heap buffer overflow.  A
    local user with the CAP_NET_RAW capability (in any user namespace)
    could use this to cause a denial of service (crash or memory
    corruption) or possibly for privilege escalation.

CVE-2020-14390

    Minh Yuan discovered a bug in the framebuffer console driver's
    scrollback feature that could lead to a heap buffer overflow.  On
    a system using framebuffer consoles, a local user with access to a
    console could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

    The scrollback feature has been disabled for now, as no other fix
    was available for this issue.

CVE-2020-16166

    Amit Klein reported that the random number generator used by the
    network stack might not be re-seeded for long periods of time,
    making e.g. client port number allocations more predictable.  This
    made it easier for remote attackers to carry out some network-
    based attacks such as DNS cache poisoning or device tracking.

CVE-2020-25212

    A bug was discovered in the NFSv4 client implementation that could
    lead to a heap buffer overflow.  A malicious NFS server could use
    this to cause a denial of service (crash or memory corruption) or
    possibly to execute arbitrary code on the client.

CVE-2020-25284

    It was discovered that the Rados block device (rbd) driver allowed
    tasks running as uid 0 to add and remove rbd devices, even if they
    dropped capabilities.  On a system with the rbd driver loaded,
    this might allow privilege escalation from a container with a task
    running as root.

CVE-2020-25285

    A race condition was discovered in the hugetlb filesystem's sysctl
    handlers, that could lead to stack corruption.  A local user
    permitted to write to hugepages sysctls could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.  By default only the root user can do this.

CVE-2020-25641

    The syzbot tool found a bug in the block layer that could lead to
    an infinite loop.  A local user with access to a raw block device
    could use this to cause a denial of service (unbounded CPU use and
    possible system hang).

CVE-2020-26088

    It was discovered that the NFC (Near Field Communication) socket
    implementation allowed any user to create raw sockets.  On a
    system with an NFC interface, this allowed local users to evade
    local network security policy.

For Debian 9 stretch, these problems have been fixed in version
4.19.146-1~deb9u1.  This update additionally fixes Debian bugs
#966846, #966917, and #968567; and includes many more bug fixes from
stable updates 4.19.133-4.19.146 inclusive.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAl9x5aoACgkQ57/I7JWG
EQmB1xAAsRxLiholmKradR/ed+YYOTCenZyKNw1XMm8Snad+OJhxryovqBi2a6NF
XBdCYuxQni/oODtNbjexzlqPQ7YIeOt+gHJe4x8bI7IBtUfxh9Ww1RfUyOMxPmv/
fMfG1D51XGCUD0/gXcej5RtNqxa6FneL5EYEJKEmM8bnbGP/poaA1Qb2DKfBJ99C
GgFhcv/fjfliwAg0xMBk9fJRvmxUdA2Jhm6uUt0eXRKs53TiGbY82rSLjuauA10V
rf4aa4oad+ZgHyLfiiX4WYJyAi7T9E7ZMHFB+eourPSXLOsw1aCQEEw++Ow622jK
ZEHspR9NF20ekiektQpklwxI+cmdDIUCTS554/WV0VKYbEr1161bsnGv+NNHx1Kn
MS6lqwwS/a0QjUAPXJVzYB8wpcMOfzyOlOZDK/C4p2v4FYPp/VN5TZ8MHUWmhIo/
MPO5LtE7tQKeNmkyjI45Au7DcxsFu9uktTE9etg0Ve5TX+VmPSyzejkB2b5xXDdH
LGMsfxAW+KDHOI4LGyWBmzH7cg6dzNfrtRiUpXc9vpiVhyoaIzCmIwz5qJI/y3m8
iY97Uhdobe+/I6XC+85wmYj1QYVxlVjyjQATICKDzeZ577e2f749jFEXj1220Gby
9KMtWhB0CbhFCWx1ynQAe0ELRf9CXI1OTTKY81jG51Dd1BqpejY=
=DXWu
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX3KbveNLKJtyKPYoAQhHTBAAhP/YZEgagUkqH8rbMWwKCaCsX573KX5I
rO+DO5zkaI4Zdk1ImgAh85lJZTK1CjWX7wiCxTv5uqXMx3XprUSKkcbtHAj0iQoU
93Q0kvi1II+97aDmNOyERWzAIoltWjRxL+s4q1DIyCIW5+3OWe5Qiq3Eh4T3Z5/A
DlUUNNnnFvHvpNZG/EN203HkOhSyFlKPhaMDyyIZr2vE9wBgCccl4mr7UUNSbJ8K
XAK6qyFX/phiAIclY4qH8BqXeWa4eYgqAbS2CW97jFMB8EO6FuWDhp/qJJFqkhRm
Dy4sb5uvkY7KD2IC7Ifnxy8J5CSIBu4qFmzN5cBsXY7yt+2r4oiCLh2y2+2kcExP
jcvKUtdPHVfOikDMO16BAbDsPaQO09bwveXWhJ8DkMq1tIFum62U5xnHi/jeAohk
/qa7UXek1FEaMObhe2zsDGBCzhzEl+Bjm+UOCY1qoAwIDJvTJrrukffVUzzHQodK
NThFNSF1FUW3E5QSRXIdsGdJkXvQb4po97pDBlOgVYoXK1JfZfpj094TA31DzYmT
YplJ4FQmar2CI4Xezd7vNoaPR5ZusAw0v/Amc5yUB2SmfwNkdEwxEtbUJWCecCFp
skkbZO/y/YqvTM38bUfWbCMW8eZneKpY1+nEpbgpV8iva/lM+Nwuk8q3PgLmM7Pe
mfEsiEH6eRo=
=F0zd
-----END PGP SIGNATURE-----