ID

VAR-202103-0287


CVE

CVE-2020-35508


TITLE

Linux Kernel Initialization vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2020-016425

DESCRIPTION

A flaw involving a possible race condition and incorrect initialization of the process ID was found in the Linux kernel's child/parent process identification handling while filtering signal handlers. A local attacker is able to abuse this flaw to bypass checks to send any signal to a privileged process. The Linux kernel contains an initialization vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result.

Red Hat Security Advisory

Synopsis: Important: kernel security, bug fix, and enhancement update
Advisory ID: RHSA-2021:1578-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1578
Issue date: 2021-05-18
CVE Names: CVE-2019-18811 CVE-2019-19523 CVE-2019-19528 CVE-2020-0431 CVE-2020-11608 CVE-2020-12114 CVE-2020-12362 CVE-2020-12464 CVE-2020-14314 CVE-2020-14356 CVE-2020-15437 CVE-2020-24394 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285 CVE-2020-25643 CVE-2020-25704 CVE-2020-27786 CVE-2020-27835 CVE-2020-28974 CVE-2020-35508 CVE-2020-36322 CVE-2021-0342

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3.
Security Fix(es):

* kernel: Integer overflow in Intel(R) Graphics Drivers (CVE-2020-12362)
* kernel: memory leak in sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c (CVE-2019-18811)
* kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (CVE-2019-19523)
* kernel: use-after-free bug caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver (CVE-2019-19528)
* kernel: possible out of bounds write in kbd_keycode of keyboard.c (CVE-2020-0431)
* kernel: DoS by corrupting mountpoint reference counter (CVE-2020-12114)
* kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464)
* kernel: buffer uses out of index in ext3/4 filesystem (CVE-2020-14314)
* kernel: Use After Free vulnerability in cgroup BPF component (CVE-2020-14356)
* kernel: NULL pointer dereference in serial8250_isa_init_ports function in drivers/tty/serial/8250/8250_core.c (CVE-2020-15437)
* kernel: umask not applied on filesystem without ACL support (CVE-2020-24394)
* kernel: TOCTOU mismatch in the NFS client code (CVE-2020-25212)
* kernel: incomplete permission checking for access to rbd devices (CVE-2020-25284)
* kernel: race condition between hugetlb sysctl handlers in mm/hugetlb.c (CVE-2020-25285)
* kernel: improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow (CVE-2020-25643)
* kernel: perf_event_parse_addr_filter memory (CVE-2020-25704)
* kernel: use-after-free in kernel midi subsystem (CVE-2020-27786)
* kernel: child process is able to access parent mm through hfi dev file handle (CVE-2020-27835)
* kernel: slab-out-of-bounds read in fbcon (CVE-2020-28974)
* kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent (CVE-2020-35508)
* kernel: fuse: fuse_do_getattr() calls make_bad_inode() in inappropriate situations (CVE-2020-36322)
* kernel: use after free in tun_get_user of tun.c could lead to local escalation of privilege (CVE-2021-0342)
* kernel: NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in drivers/media/usb/gspca/ov519.c (CVE-2020-11608)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1777455 - CVE-2019-18811 kernel: memory leak in sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c
1783434 - CVE-2019-19523 kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver
1783507 - CVE-2019-19528 kernel: use-after-free bug caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver
1831726 - CVE-2020-12464 kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c
1833445 - CVE-2020-11608 kernel: NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in drivers/media/usb/gspca/ov519.c
1848084 - i_version is turned off whenever filesystem is remounted
1848652 - CVE-2020-12114 kernel: DoS by corrupting mountpoint reference counter
1853922 - CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem
1859244 - Failure when modifying bridge multicast-snooping from 0 to 1
1860479 - Unable to attach VLAN-based logical networks to a bond
1868453 - CVE-2020-14356 kernel: Use After Free vulnerability in cgroup BPF component
1869141 - CVE-2020-24394 kernel: umask not applied on filesystem without ACL support
1876840 - logs are filled with: sending ioctl to DM device without required privilege
1877575 - CVE-2020-25212 kernel: TOCTOU mismatch in the NFS client code
1879981 - CVE-2020-25643 kernel: improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow
1882591 - CVE-2020-25285 kernel: race condition between hugetlb sysctl handlers in mm/hugetlb.c
1882594 - CVE-2020-25284 kernel: incomplete permission checking for access to rbd devices
1890373 - kernel version update cause qemu live migration failed
1895961 - CVE-2020-25704 kernel: perf_event_parse_addr_filter memory
1900933 - CVE-2020-27786 kernel: use-after-free in kernel midi subsystem
1901161 - CVE-2020-15437 kernel: NULL pointer dereference in serial8250_isa_init_ports function in drivers/tty/serial/8250/8250_core.c
1901709 - CVE-2020-27835 kernel: child process is able to access parent mm through hfi dev file handle
1902724 - CVE-2020-35508 kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent
1903126 - CVE-2020-28974 kernel: slab-out-of-bounds read in fbcon
1903387 - fsfreeze of xfs filesystem can be significantly delayed in xfs_wait_buftarg if a process continues to grab and release buffers
1903983 - rootless mode doesn't work
1911343 - blk_alloc_queue() ABI change
1915799 - CVE-2021-0342 kernel: use after free in tun_get_user of tun.c could lead to local escalation of privilege
1919889 - CVE-2020-0431 kernel: possible out of bounds write in kbd_keycode of keyboard.c
1930246 - CVE-2020-12362 kernel: Integer overflow in Intel(R) Graphics Drivers
1949560 - CVE-2020-36322 kernel: fuse: fuse_do_getattr() calls make_bad_inode() in inappropriate situations

6. Package List:

Red Hat Enterprise Linux BaseOS (v.
8): Source: kernel-4.18.0-305.el8.src.rpm aarch64: bpftool-4.18.0-305.el8.aarch64.rpm bpftool-debuginfo-4.18.0-305.el8.aarch64.rpm kernel-4.18.0-305.el8.aarch64.rpm kernel-core-4.18.0-305.el8.aarch64.rpm kernel-cross-headers-4.18.0-305.el8.aarch64.rpm kernel-debug-4.18.0-305.el8.aarch64.rpm kernel-debug-core-4.18.0-305.el8.aarch64.rpm kernel-debug-debuginfo-4.18.0-305.el8.aarch64.rpm kernel-debug-devel-4.18.0-305.el8.aarch64.rpm kernel-debug-modules-4.18.0-305.el8.aarch64.rpm kernel-debug-modules-extra-4.18.0-305.el8.aarch64.rpm kernel-debuginfo-4.18.0-305.el8.aarch64.rpm kernel-debuginfo-common-aarch64-4.18.0-305.el8.aarch64.rpm kernel-devel-4.18.0-305.el8.aarch64.rpm kernel-headers-4.18.0-305.el8.aarch64.rpm kernel-modules-4.18.0-305.el8.aarch64.rpm kernel-modules-extra-4.18.0-305.el8.aarch64.rpm kernel-tools-4.18.0-305.el8.aarch64.rpm kernel-tools-debuginfo-4.18.0-305.el8.aarch64.rpm kernel-tools-libs-4.18.0-305.el8.aarch64.rpm perf-4.18.0-305.el8.aarch64.rpm perf-debuginfo-4.18.0-305.el8.aarch64.rpm python3-perf-4.18.0-305.el8.aarch64.rpm python3-perf-debuginfo-4.18.0-305.el8.aarch64.rpm noarch: kernel-abi-stablelists-4.18.0-305.el8.noarch.rpm kernel-doc-4.18.0-305.el8.noarch.rpm ppc64le: bpftool-4.18.0-305.el8.ppc64le.rpm bpftool-debuginfo-4.18.0-305.el8.ppc64le.rpm kernel-4.18.0-305.el8.ppc64le.rpm kernel-core-4.18.0-305.el8.ppc64le.rpm kernel-cross-headers-4.18.0-305.el8.ppc64le.rpm kernel-debug-4.18.0-305.el8.ppc64le.rpm kernel-debug-core-4.18.0-305.el8.ppc64le.rpm kernel-debug-debuginfo-4.18.0-305.el8.ppc64le.rpm kernel-debug-devel-4.18.0-305.el8.ppc64le.rpm kernel-debug-modules-4.18.0-305.el8.ppc64le.rpm kernel-debug-modules-extra-4.18.0-305.el8.ppc64le.rpm kernel-debuginfo-4.18.0-305.el8.ppc64le.rpm kernel-debuginfo-common-ppc64le-4.18.0-305.el8.ppc64le.rpm kernel-devel-4.18.0-305.el8.ppc64le.rpm kernel-headers-4.18.0-305.el8.ppc64le.rpm kernel-modules-4.18.0-305.el8.ppc64le.rpm kernel-modules-extra-4.18.0-305.el8.ppc64le.rpm 
kernel-tools-4.18.0-305.el8.ppc64le.rpm kernel-tools-debuginfo-4.18.0-305.el8.ppc64le.rpm kernel-tools-libs-4.18.0-305.el8.ppc64le.rpm perf-4.18.0-305.el8.ppc64le.rpm perf-debuginfo-4.18.0-305.el8.ppc64le.rpm python3-perf-4.18.0-305.el8.ppc64le.rpm python3-perf-debuginfo-4.18.0-305.el8.ppc64le.rpm s390x: bpftool-4.18.0-305.el8.s390x.rpm bpftool-debuginfo-4.18.0-305.el8.s390x.rpm kernel-4.18.0-305.el8.s390x.rpm kernel-core-4.18.0-305.el8.s390x.rpm kernel-cross-headers-4.18.0-305.el8.s390x.rpm kernel-debug-4.18.0-305.el8.s390x.rpm kernel-debug-core-4.18.0-305.el8.s390x.rpm kernel-debug-debuginfo-4.18.0-305.el8.s390x.rpm kernel-debug-devel-4.18.0-305.el8.s390x.rpm kernel-debug-modules-4.18.0-305.el8.s390x.rpm kernel-debug-modules-extra-4.18.0-305.el8.s390x.rpm kernel-debuginfo-4.18.0-305.el8.s390x.rpm kernel-debuginfo-common-s390x-4.18.0-305.el8.s390x.rpm kernel-devel-4.18.0-305.el8.s390x.rpm kernel-headers-4.18.0-305.el8.s390x.rpm kernel-modules-4.18.0-305.el8.s390x.rpm kernel-modules-extra-4.18.0-305.el8.s390x.rpm kernel-tools-4.18.0-305.el8.s390x.rpm kernel-tools-debuginfo-4.18.0-305.el8.s390x.rpm kernel-zfcpdump-4.18.0-305.el8.s390x.rpm kernel-zfcpdump-core-4.18.0-305.el8.s390x.rpm kernel-zfcpdump-debuginfo-4.18.0-305.el8.s390x.rpm kernel-zfcpdump-devel-4.18.0-305.el8.s390x.rpm kernel-zfcpdump-modules-4.18.0-305.el8.s390x.rpm kernel-zfcpdump-modules-extra-4.18.0-305.el8.s390x.rpm perf-4.18.0-305.el8.s390x.rpm perf-debuginfo-4.18.0-305.el8.s390x.rpm python3-perf-4.18.0-305.el8.s390x.rpm python3-perf-debuginfo-4.18.0-305.el8.s390x.rpm x86_64: bpftool-4.18.0-305.el8.x86_64.rpm bpftool-debuginfo-4.18.0-305.el8.x86_64.rpm kernel-4.18.0-305.el8.x86_64.rpm kernel-core-4.18.0-305.el8.x86_64.rpm kernel-cross-headers-4.18.0-305.el8.x86_64.rpm kernel-debug-4.18.0-305.el8.x86_64.rpm kernel-debug-core-4.18.0-305.el8.x86_64.rpm kernel-debug-debuginfo-4.18.0-305.el8.x86_64.rpm kernel-debug-devel-4.18.0-305.el8.x86_64.rpm kernel-debug-modules-4.18.0-305.el8.x86_64.rpm 
kernel-debug-modules-extra-4.18.0-305.el8.x86_64.rpm kernel-debuginfo-4.18.0-305.el8.x86_64.rpm kernel-debuginfo-common-x86_64-4.18.0-305.el8.x86_64.rpm kernel-devel-4.18.0-305.el8.x86_64.rpm kernel-headers-4.18.0-305.el8.x86_64.rpm kernel-modules-4.18.0-305.el8.x86_64.rpm kernel-modules-extra-4.18.0-305.el8.x86_64.rpm kernel-tools-4.18.0-305.el8.x86_64.rpm kernel-tools-debuginfo-4.18.0-305.el8.x86_64.rpm kernel-tools-libs-4.18.0-305.el8.x86_64.rpm perf-4.18.0-305.el8.x86_64.rpm perf-debuginfo-4.18.0-305.el8.x86_64.rpm python3-perf-4.18.0-305.el8.x86_64.rpm python3-perf-debuginfo-4.18.0-305.el8.x86_64.rpm Red Hat CodeReady Linux Builder (v. 8): aarch64: bpftool-debuginfo-4.18.0-305.el8.aarch64.rpm kernel-debug-debuginfo-4.18.0-305.el8.aarch64.rpm kernel-debuginfo-4.18.0-305.el8.aarch64.rpm kernel-debuginfo-common-aarch64-4.18.0-305.el8.aarch64.rpm kernel-tools-debuginfo-4.18.0-305.el8.aarch64.rpm kernel-tools-libs-devel-4.18.0-305.el8.aarch64.rpm perf-debuginfo-4.18.0-305.el8.aarch64.rpm python3-perf-debuginfo-4.18.0-305.el8.aarch64.rpm ppc64le: bpftool-debuginfo-4.18.0-305.el8.ppc64le.rpm kernel-debug-debuginfo-4.18.0-305.el8.ppc64le.rpm kernel-debuginfo-4.18.0-305.el8.ppc64le.rpm kernel-debuginfo-common-ppc64le-4.18.0-305.el8.ppc64le.rpm kernel-tools-debuginfo-4.18.0-305.el8.ppc64le.rpm kernel-tools-libs-devel-4.18.0-305.el8.ppc64le.rpm perf-debuginfo-4.18.0-305.el8.ppc64le.rpm python3-perf-debuginfo-4.18.0-305.el8.ppc64le.rpm x86_64: bpftool-debuginfo-4.18.0-305.el8.x86_64.rpm kernel-debug-debuginfo-4.18.0-305.el8.x86_64.rpm kernel-debuginfo-4.18.0-305.el8.x86_64.rpm kernel-debuginfo-common-x86_64-4.18.0-305.el8.x86_64.rpm kernel-tools-debuginfo-4.18.0-305.el8.x86_64.rpm kernel-tools-libs-devel-4.18.0-305.el8.x86_64.rpm perf-debuginfo-4.18.0-305.el8.x86_64.rpm python3-perf-debuginfo-4.18.0-305.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc.

Bugs fixed (https://bugzilla.redhat.com/): 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1328 - Port fix to 5.0.z for BZ-1945168 6. 8.2) - x86_64 3. Description: The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Bug Fix(es): * kernel-rt: update RT source tree to the latest RHEL-8.2.z10 Batch source tree (BZ#1968022) 4.
Bug Fix(es):

* RHEL8.2 Snapshot2 - tpm: ibmvtpm: Wait for buffer to be set before proceeding (BZ#1933986)
* fnic crash from invalid request pointer (BZ#1961707)
* [Azure][RHEL8.4] Two Patches Needed To Enable Azure Host Time-syncing in VMs (BZ#1963051)
* RHEL kernel 8.2 and higher are affected by data corruption bug in raid1 arrays using bitmaps. (BZ#1969338)

4. Bugs fixed (https://bugzilla.redhat.com/):

1886285 - CVE-2020-26541 kernel: security bypass in certs/blacklist.c and certs/system_keyring.c
1895961 - CVE-2020-25704 kernel: perf_event_parse_addr_filter memory
1902724 - CVE-2020-35508 kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent
1961305 - CVE-2021-33034 kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan
1970273 - CVE-2021-33909 kernel: size_t-to-int conversion vulnerability in the filesystem layer

6. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.13. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2021:2122

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

This update fixes the following bug among others:

* Previously, resources for the ClusterOperator were being created early in the update process, which led to update failures when the ClusterOperator had no status condition while Operators were updating. This bug fix changes the timing of when these resources are created. As a result, updates can take place without errors. (BZ#1959238)

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)

You may download the oc tool and use it to inspect release image metadata as follows:

(For x86_64 architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64

The image digest is sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4

(For s390x architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-s390x

The image digest is sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd

(For ppc64le architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-ppc64le

The image digest is sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36

All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

4.
Bugs fixed (https://bugzilla.redhat.com/): 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923268 - [Assisted-4.7] [Staging] Using two both spelling "canceled" "cancelled" 1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go 1953963 - Enable/Disable host operations returns cluster resource with incomplete hosts list 1957749 - ovn-kubernetes pod should have CPU and memory requests set but not limits 1959238 - CVO creating cloud-controller-manager too early causing upgrade failures 1960103 - SR-IOV obliviously reboot the node 1961941 - Local Storage Operator using LocalVolume CR fails to create PV's when backend storage failure is simulated 1962302 - packageserver clusteroperator does not set reason or message for Available condition 1962312 - Deployment considered unhealthy despite being available and at latest generation 1962435 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone 1963115 - Test verify /run filesystem contents failing 5. ========================================================================== Ubuntu Security Notice USN-4752-1 February 25, 2021 linux-oem-5.6 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-oem-5.6: Linux kernel for OEM systems Details: Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered that legacy pairing and secure-connections pairing authentication in the Bluetooth protocol could allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. A physically proximate attacker could use this to impersonate a previously paired Bluetooth device. 
(CVE-2020-10135) Jay Shin discovered that the ext4 file system implementation in the Linux kernel did not properly handle directory access with broken indexing, leading to an out-of-bounds read vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-14314) It was discovered that the block layer implementation in the Linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-15436) It was discovered that the serial port driver in the Linux kernel did not properly initialize a pointer in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2020-15437) Andy Nguyen discovered that the Bluetooth HCI event packet parser in the Linux kernel did not properly handle event advertisements of certain sizes, leading to a heap-based buffer overflow. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-24490) It was discovered that the NFS client implementation in the Linux kernel did not properly perform bounds checking before copying security labels in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-25212) It was discovered that the Rados block device (rbd) driver in the Linux kernel did not properly perform privilege checks for access to rbd devices in some situations. A local attacker could use this to map or unmap rbd block devices. (CVE-2020-25284) It was discovered that the block layer subsystem in the Linux kernel did not properly handle zero-length requests. A local attacker could use this to cause a denial of service. 
(CVE-2020-25641) It was discovered that the HDLC PPP implementation in the Linux kernel did not properly validate input in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-25643) Kiyin (尹亮) discovered that the perf subsystem in the Linux kernel did not properly deallocate memory in some situations. A privileged attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2020-25704) It was discovered that the KVM hypervisor in the Linux kernel did not properly handle interrupts in certain situations. A local attacker in a guest VM could possibly use this to cause a denial of service (host system crash). (CVE-2020-27152) It was discovered that the jfs file system implementation in the Linux kernel contained an out-of-bounds read vulnerability. A local attacker could use this to possibly cause a denial of service (system crash). (CVE-2020-27815) It was discovered that an information leak existed in the syscall implementation in the Linux kernel on 32 bit systems. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-28588) It was discovered that the framebuffer implementation in the Linux kernel did not properly perform range checks in certain situations. A local attacker could use this to expose sensitive information (kernel memory). A local attacker could use this to gain unintended write access to read-only memory pages. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-29369) Jann Horn discovered that the romfs file system in the Linux kernel did not properly validate file system meta-data, leading to an out-of-bounds read. An attacker could use this to construct a malicious romfs image that, when mounted, exposed sensitive information (kernel memory). 
(CVE-2020-29371)

Jann Horn discovered that the tty subsystem of the Linux kernel did not use consistent locking in some situations, leading to a read-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-29660)

Jann Horn discovered a race condition in the tty subsystem of the Linux kernel in the locking for the TIOCSPGRP ioctl(), leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-35508)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS:
  linux-image-5.6.0-1048-oem 5.6.0-1048.52
  linux-image-oem-20.04 5.6.0.1048.44

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://usn.ubuntu.com/4752-1
  CVE-2020-10135, CVE-2020-14314, CVE-2020-15436, CVE-2020-15437, CVE-2020-24490, CVE-2020-25212, CVE-2020-25284, CVE-2020-25641, CVE-2020-25643, CVE-2020-25704, CVE-2020-27152, CVE-2020-27815, CVE-2020-28588, CVE-2020-28915, CVE-2020-29368, CVE-2020-29369, CVE-2020-29371, CVE-2020-29660, CVE-2020-29661, CVE-2020-35508

Package Information:
  https://launchpad.net/ubuntu/+source/linux-oem-5.6/5.6.0-1048.52

Trust: 2.43

sources: NVD: CVE-2020-35508 // JVNDB: JVNDB-2020-016425 // VULHUB: VHN-377704 // VULMON: CVE-2020-35508 // PACKETSTORM: 162626 // PACKETSTORM: 162837 // PACKETSTORM: 163584 // PACKETSTORM: 163589 // PACKETSTORM: 162877 // PACKETSTORM: 161556 // PACKETSTORM: 161555

AFFECTED PRODUCTS

vendor: netapp, model: h700e, scope: eq, version: -

Trust: 1.0

vendor: linux, model: kernel, scope: eq, version: 5.12

Trust: 1.0

vendor: netapp, model: h410c, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h500e, scope: eq, version: -

Trust: 1.0

vendor: redhat, model: enterprise linux, scope: eq, version: 8.0

Trust: 1.0

vendor: netapp, model: h610c, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h300s, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: aff a400, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h410s, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h500s, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h700s, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: fas8700, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: a700s, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h300e, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: fas8300, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h610s, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: brocade fabric operating system, scope: eq, version: -

Trust: 1.0

vendor: netapp, model: h615c, scope: eq, version: -

Trust: 1.0

vendor: linux, model: kernel, scope: lt, version: 5.12

Trust: 1.0

vendor: linux, model: kernel, scope: -, version: -

Trust: 0.8

vendor: Red Hat, model: red hat enterprise linux, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-016425 // NVD: CVE-2020-35508

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-35508
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-35508
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202102-1668
value: MEDIUM

Trust: 0.6

VULHUB: VHN-377704
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-35508
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-35508
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-377704
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-35508
baseSeverity: MEDIUM
baseScore: 4.5
vectorString: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.0
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2020-35508
baseSeverity: MEDIUM
baseScore: 4.5
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-377704 // VULMON: CVE-2020-35508 // JVNDB: JVNDB-2020-016425 // CNNVD: CNNVD-202102-1668 // NVD: CVE-2020-35508

PROBLEMTYPE DATA

problemtype:CWE-362

Trust: 1.1

problemtype:CWE-665

Trust: 1.1

problemtype:Improper initialization (CWE-665) [ Other ]

Trust: 0.8

sources: VULHUB: VHN-377704 // JVNDB: JVNDB-2020-016425 // NVD: CVE-2020-35508

THREAT TYPE

local

Trust: 0.8

sources: PACKETSTORM: 161556 // PACKETSTORM: 161555 // CNNVD: CNNVD-202102-1668

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202102-1668

PATCH

title: Linux Kernel Archives Red hat Red Hat Bugzilla
url: https://github.com/torvalds/linux/commit/b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948

Trust: 0.8

title: IBM: Security Bulletin: Vulnerabilities in the Linux Kernel, Samba, Sudo, Python, and tcmu-runner affect IBM Spectrum Protect Plus
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=ddbe78143bb073890c2ecb87b35850bf

Trust: 0.1

sources: VULMON: CVE-2020-35508 // JVNDB: JVNDB-2020-016425

EXTERNAL IDS

db: NVD, id: CVE-2020-35508

Trust: 3.3

db: PACKETSTORM, id: 162626

Trust: 0.8

db: PACKETSTORM, id: 161556

Trust: 0.8

db: JVNDB, id: JVNDB-2020-016425

Trust: 0.8

db: CNNVD, id: CNNVD-202102-1668

Trust: 0.7

db: PACKETSTORM, id: 163584

Trust: 0.7

db: CS-HELP, id: SB2021072252

Trust: 0.6

db: CS-HELP, id: SB2021122404

Trust: 0.6

db: AUSCERT, id: ESB-2021.0717

Trust: 0.6

db: AUSCERT, id: ESB-2021.1820

Trust: 0.6

db: AUSCERT, id: ESB-2021.1866

Trust: 0.6

db: AUSCERT, id: ESB-2021.1732

Trust: 0.6

db: AUSCERT, id: ESB-2021.2439

Trust: 0.6

db: AUSCERT, id: ESB-2021.1688

Trust: 0.6

db: PACKETSTORM, id: 161555

Trust: 0.2

db: PACKETSTORM, id: 162654

Trust: 0.1

db: VULHUB, id: VHN-377704

Trust: 0.1

db: VULMON, id: CVE-2020-35508

Trust: 0.1

db: PACKETSTORM, id: 162837

Trust: 0.1

db: PACKETSTORM, id: 163589

Trust: 0.1

db: PACKETSTORM, id: 162877

Trust: 0.1

sources: VULHUB: VHN-377704 // VULMON: CVE-2020-35508 // JVNDB: JVNDB-2020-016425 // PACKETSTORM: 162626 // PACKETSTORM: 162837 // PACKETSTORM: 163584 // PACKETSTORM: 163589 // PACKETSTORM: 162877 // PACKETSTORM: 161556 // PACKETSTORM: 161555 // CNNVD: CNNVD-202102-1668 // NVD: CVE-2020-35508

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2020-35508

Trust: 1.9

url:https://bugzilla.redhat.com/show_bug.cgi?id=1902724

Trust: 1.8

url:https://github.com/torvalds/linux/commit/b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20210513-0006/

Trust: 1.7

url:https://access.redhat.com/security/cve/cve-2020-35508

Trust: 1.1

url:https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-linux-kernel-samba-sudo-python-and-tcmu-runner-affect-ibm-spectrum-protect-plus/

Trust: 0.7

url:https://access.redhat.com/errata/rhsa-2021:1578

Trust: 0.7

url:https://access.redhat.com/errata/rhsa-2021:2719

Trust: 0.7

url:https://access.redhat.com/errata/rhsa-2021:2718

Trust: 0.7

url:https://access.redhat.com/errata/rhsa-2021:1739

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021072252

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.0717

Trust: 0.6

url:https://vigilance.fr/vulnerability/linux-kernel-privilege-escalation-via-signal-sending-34683

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1866

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1688

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1732

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1820

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2439

Trust: 0.6

url:https://packetstormsecurity.com/files/162626/red-hat-security-advisory-2021-1578-01.html

Trust: 0.6

url:https://packetstormsecurity.com/files/163584/red-hat-security-advisory-2021-2719-01.html

Trust: 0.6

url:https://packetstormsecurity.com/files/161556/ubuntu-security-notice-usn-4752-1.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021122404

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-25704

Trust: 0.5

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-25704

Trust: 0.5

url:https://access.redhat.com/security/team/contact/

Trust: 0.5

url:https://bugzilla.redhat.com/):

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-36322

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-12114

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-19528

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-12464

Trust: 0.3

url:https://access.redhat.com/articles/11258

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-14314

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-19523

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-12362

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-0431

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-25285

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-12114

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-12362

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-25212

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-19523

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-28974

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-14356

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-27835

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-15437

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-25284

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.3

url:https://access.redhat.com/security/team/key/

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-27786

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-14314

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-25643

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-18811

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-11608

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-11608

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-24394

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-0431

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2021-0342

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-18811

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-12464

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-19528

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-25212

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-25643

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-25284

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-14356

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-28974

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-27835

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-15437

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14347

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-8286

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-28196

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-15358

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-25712

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-13543

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-9951

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-13434

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-3842

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-13776

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-24977

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-8231

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3121

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-10878

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-29362

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-9948

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-13012

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-8285

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-10228

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-9169

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-26116

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14363

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-13584

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-26137

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25013

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14360

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-29361

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-27619

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-9983

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3177

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-9169

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3326

Trust: 0.2

url:https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25013

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-2708

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14345

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14344

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-23336

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14362

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14361

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-8927

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-10543

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-29363

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-10543

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-3842

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-13012

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14346

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-2708

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-10228

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-10878

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-8284

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-27618

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-33909

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-33034

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-33909

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-26541

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-26541

Trust: 0.2

url:https://access.redhat.com/security/vulnerabilities/rhsb-2021-006

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-33034

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-29660

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-29661

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-27815

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-28588

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/665.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-24394

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36322

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-0342

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25285

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27786

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14346

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-20305

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-13776

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-13434

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14345

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-13543

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-13584

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14347

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14360

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2136

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14344

Trust: 0.1

url:https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-u

Trust: 0.1

url:https://issues.jboss.org/):

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25039

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-15586

Trust: 0.1

url:https://docs.openshift.com/container-platform/4.7/updating/updating-cluster

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25037

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-36242

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25037

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-28935

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25034

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-16845

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25035

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-14866

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25038

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14866

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-21645

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25040

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-27783

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-24330

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25042

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25042

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25038

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-25659

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25032

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25041

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25036

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25032

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-21643

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-25215

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-24331

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25036

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-30465

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25035

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-21644

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2121

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-24332

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25039

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-25040

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25041

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2122

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-21642

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-25034

Trust: 0.1

url:https://usn.ubuntu.com/4752-1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-15436

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-24490

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10135

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25641

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/linux-oem-5.6/5.6.0-1048.52

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-29369

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27152

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-28915

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-29371

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-29368

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27673

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25656

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/linux-hwe-5.8/5.8.0-44.50~20.04.1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27777

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-29568

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25668

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27675

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25669

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/linux-kvm/5.8.0-1019.21

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/linux-gcp/5.8.0-1023.24

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/linux-aws/5.8.0-1024.26

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/linux-raspi/5.8.0-1016.19

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/linux-oracle/5.8.0-1021.22

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27830

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/linux/5.8.0-44.50

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-29569

Trust: 0.1

url:https://usn.ubuntu.com/4751-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/linux-azure/5.8.0-1023.25

Trust: 0.1

sources: VULHUB: VHN-377704 // VULMON: CVE-2020-35508 // JVNDB: JVNDB-2020-016425 // PACKETSTORM: 162626 // PACKETSTORM: 162837 // PACKETSTORM: 163584 // PACKETSTORM: 163589 // PACKETSTORM: 162877 // PACKETSTORM: 161556 // PACKETSTORM: 161555 // CNNVD: CNNVD-202102-1668 // NVD: CVE-2020-35508

CREDITS

Red Hat

Trust: 1.1

sources: PACKETSTORM: 162626 // PACKETSTORM: 162837 // PACKETSTORM: 163584 // PACKETSTORM: 163589 // PACKETSTORM: 162877 // CNNVD: CNNVD-202102-1668

SOURCES

db:VULHUB id:VHN-377704
db:VULMON id:CVE-2020-35508
db:JVNDB id:JVNDB-2020-016425
db:PACKETSTORM id:162626
db:PACKETSTORM id:162837
db:PACKETSTORM id:163584
db:PACKETSTORM id:163589
db:PACKETSTORM id:162877
db:PACKETSTORM id:161556
db:PACKETSTORM id:161555
db:CNNVD id:CNNVD-202102-1668
db:NVD id:CVE-2020-35508

LAST UPDATE DATE

2024-09-17T21:17:48.855000+00:00


SOURCES UPDATE DATE

db:VULHUB id:VHN-377704 date:2023-02-12T00:00:00
db:VULMON id:CVE-2020-35508 date:2021-04-12T00:00:00
db:JVNDB id:JVNDB-2020-016425 date:2021-12-02T09:13:00
db:CNNVD id:CNNVD-202102-1668 date:2023-02-03T00:00:00
db:NVD id:CVE-2020-35508 date:2023-02-12T23:41:00.150

SOURCES RELEASE DATE

db:VULHUB id:VHN-377704 date:2021-03-26T00:00:00
db:VULMON id:CVE-2020-35508 date:2021-03-26T00:00:00
db:JVNDB id:JVNDB-2020-016425 date:2021-12-02T00:00:00
db:PACKETSTORM id:162626 date:2021-05-19T13:56:20
db:PACKETSTORM id:162837 date:2021-05-27T13:28:54
db:PACKETSTORM id:163584 date:2021-07-21T16:02:50
db:PACKETSTORM id:163589 date:2021-07-21T16:03:31
db:PACKETSTORM id:162877 date:2021-06-01T14:45:29
db:PACKETSTORM id:161556 date:2021-02-25T15:31:12
db:PACKETSTORM id:161555 date:2021-02-25T15:31:02
db:CNNVD id:CNNVD-202102-1668 date:2021-02-25T00:00:00
db:NVD id:CVE-2020-35508 date:2021-03-26T17:15:12.203