-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
linux-4.19 security update
29 September 2020
AusCERT Security Bulletin Summary
Product: Linux kernel
Operating System: Debian GNU/Linux 9
Impact/Access: Root Compromise -- Existing Account
Execute Arbitrary Code/Commands -- Existing Account
Denial of Service -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
CVE Names: CVE-2020-26088 CVE-2020-25641 CVE-2020-25285
CVE-2020-25284 CVE-2020-25212 CVE-2020-16166
CVE-2020-14390 CVE-2020-14386 CVE-2020-14385
CVE-2020-14356 CVE-2020-14331 CVE-2020-14314
CVE-2020-12888 CVE-2020-10781 CVE-2020-2528
CVE-2020-1439 CVE-2020-1433 CVE-2019-19816
CVE-2019-19813 CVE-2019-19448 CVE-2019-3874
- --------------------------BEGIN INCLUDED TEXT--------------------
Debian LTS Advisory DLA-2385-1 firstname.lastname@example.org
https://www.debian.org/lts/security/ Ben Hutchings
September 28, 2020 https://wiki.debian.org/LTS
Package : linux-4.19
Version : 4.19.146-1~deb9u1
CVE ID : CVE-2019-3874 CVE-2019-19448 CVE-2019-19813 CVE-2019-19816
CVE-2020-10781 CVE-2020-12888 CVE-2020-14314 CVE-2020-1433=
CVE-2020-14356 CVE-2020-14385 CVE-2020-14386 CVE-2020-1439=
CVE-2020-16166 CVE-2020-25212 CVE-2020-25284 CVE-2020-2528=
Debian Bug : 966846 966917 968567
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
Kernel buffers allocated by the SCTP network protocol were not
limited by the memory cgroup controller. A local user could
potentially use this to evade container memory limits and to cause
a denial of service (excessive memory use).
CVE-2019-19448, CVE-2019-19813, CVE-2019-19816
"Team bobfuzzer" reported bugs in Btrfs that could lead to a
use-after-free or heap buffer overflow, and could be triggered by
crafted filesystem images. A user permitted to mount and access
arbitrary filesystems could use these to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.
Luca Bruno of Red Hat discovered that the zram control file
/sys/class/zram-control/hot_add was readable by all users. On a
system with zram enabled, a local user could use this to cause a
denial of service (memory exhaustion).
It was discovered that the PCIe Virtual Function I/O (vfio-pci)
driver allowed users to disable a device's memory space while it
was still mapped into a process. On some hardware platforms,
local users or guest virtual machines permitted to access PCIe
Virtual Functions could use this to cause a denial of service
(hardware error and crash).
A bug was discovered in the ext4 filesystem that could lead to an
out-of-bound read. A local user permitted to mount and access
arbitrary filesystem images could use this to cause a denial of
A bug was discovered in the VGA console driver's soft-scrollback
feature that could lead to a heap buffer overflow. On a system
with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK
enabled, a local user with access to a console could use this to
cause a denial of service (crash or memory corruption) or possibly
for privilege escalation.
A bug was discovered in the cgroup subsystem's handling of socket
references to cgroups. In some cgroup configurations, this could
lead to a use-after-free. A local user might be able to use this
to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.
A bug was discovered in XFS, which could lead to an extended
attribute (xattr) wrongly being detected as invalid. A local user
with access to an XFS filesystem could use this to cause a denial
of service (filesystem shutdown).
Or Cohen discovered a bug in the packet socket (AF_PACKET)
implementation which could lead to a heap buffer overflow. A
local user with the CAP_NET_RAW capability (in any user namespace)
could use this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.
Minh Yuan discovered a bug in the framebuffer console driver's
scrollback feature that could lead to a heap buffer overflow. On
a system using framebuffer consoles, a local user with access to a
console could use this to cause a denial of service (crash or
memory corruption) or possibly for privilege escalation.
The scrollback feature has been disabled for now, as no other fix
was available for this issue.
Amit Klein reported that the random number generator used by the
network stack might not be re-seeded for long periods of time,
making e.g. client port number allocations more predictable. This
made it easier for remote attackers to carry out some network-
based attacks such as DNS cache poisoning or device tracking.
A bug was discovered in the NFSv4 client implementation that could
lead to a heap buffer overflow. A malicious NFS server could use
this to cause a denial of service (crash or memory corruption) or
possibly to execute arbitrary code on the client.
It was discovered that the Rados block device (rbd) driver allowed
tasks running as uid 0 to add and remove rbd devices, even if they
dropped capabilities. On a system with the rbd driver loaded,
this might allow privilege escalation from a container with a task
running as root.
A race condition was discovered in the hugetlb filesystem's sysctl
handlers, that could lead to stack corruption. A local user
permitted to write to hugepages sysctls could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation. By default only the root user can do this.
The syzbot tool found a bug in the block layer that could lead to
an infinite loop. A local user with access to a raw block device
could use this to cause a denial of service (unbounded CPU use and
possible system hang).
It was discovered that the NFC (Near Field Communication) socket
implementation allowed any user to create raw sockets. On a
system with an NFC interface, this allowed local users to evade
local network security policy.
For Debian 9 stretch, these problems have been fixed in version
4.19.146-1~deb9u1. This update additionally fixes Debian bugs
#966846, #966917, and #968567; and includes many more bug fixes from
stable updates 4.19.133-4.19.146 inclusive.
We recommend that you upgrade your linux-4.19 packages.
For the detailed security status of linux-4.19 please refer to
its security tracker page at:
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----