advisories/26426.adv

type: security
subject: Updated kernel-linus packages fix security vulnerabilities
CVE:
 - CVE-2019-19768
 - CVE-2019-19769
 - CVE-2020-2732
 - CVE-2020-8647
 - CVE-2020-8648
 - CVE-2020-8649
 - CVE-2020-8835
 - CVE-2020-9383
 - CVE-2020-9391
src:
  7:
   core:
     - kernel-linus-5.5.15-1.mga7
description: |
  This update is based on upstream 5.5.15 and fixes atleast the following
  security vulnerabilities:

  In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the
  __blk_add_trace function in kernel/trace/blktrace.c (which is used to
  fill out a blk_io_trace structure and place it in a per-cpu sub-buffer)
  (CVE-2019-19768).

  In the Linux kernel 5.3.10, there is a use-after-free (read) in the
  perf_trace_lock_acquire function (related to include/trace/events/lock.h)
  (CVE-2019-19769).
 
  A flaw was found in the way KVM hypervisor handled instruction emulation
  for the L2 guest when nested(=1) virtualization is enabled. In the
  instruction emulation, the L2 guest could trick the L0 hypervisor into
  accessing sensitive bits of the L1 hypervisor. An L2 guest could use this
  flaw to potentially access information of the L1 hypervisor
  (CVE-2020-2732).

  There is a use-after-free vulnerability in the Linux kernel through 5.5.2
  in the vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647).

  There is a use-after-free vulnerability in the Linux kernel through 5.5.2
  in the n_tty_receive_buf_common function in drivers/tty/n_tty.c
  (CVE-2020-8648).

  Manfred Paul discovered that the bpf verifier in the Linux kernel did not
  properly calculate register bounds for certain operations. A local attacker
  could use this to expose sensitive information (kernel memory) or gain
  administrative privileges (CVE-2020-8835).

  There is a use-after-free vulnerability in the Linux kernel through 5.5.2
  in the vgacon_invert_region function in drivers/video/console/vgacon.c. 
  (CVE-2020-8649).

  An issue was discovered in the Linux kernel through 5.5.6. set_fdc in
  drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read
  because the FDC index is not checked for errors before assigning it,
  aka CID-2e90ca68b0d2 (CVE-2020-9383).

  An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6
  on the AArch64 architecture. It ignores the top byte in the address
  passed to the brk system call, potentially moving the memory break
  downwards when the application expects it to move upwards, aka CID-
  dcde237319e6. This has been observed to cause heap corruption with
  the GNU C Library malloc implementation (CVE-2020-9391).

  Security fixes and hardenings to the mac00211 layer to prevent leaking keys
  and frames.

  For other upstream fixes in this update, see the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=26426
 - https://kernelnewbies.org/Linux_5.5
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.1
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.2
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.3
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.4
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.5
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.6
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.7
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.8
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.9
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.10
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.11
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.12
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.13
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.14
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.15
ID: MGASA-2020-0158
1	type: security
2	subject: Updated kernel-linus packages fix security vulnerabilities
3	CVE:
4	- CVE-2019-19768
5	- CVE-2019-19769
6	- CVE-2020-2732
7	- CVE-2020-8647
8	- CVE-2020-8648
9	- CVE-2020-8649
10	- CVE-2020-8835
11	- CVE-2020-9383
12	- CVE-2020-9391
13	src:
14	7:
15	core:
16	- kernel-linus-5.5.15-1.mga7
17	description: \|
18	This update is based on upstream 5.5.15 and fixes atleast the following
19	security vulnerabilities:
20
21	In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the
22	__blk_add_trace function in kernel/trace/blktrace.c (which is used to
23	fill out a blk_io_trace structure and place it in a per-cpu sub-buffer)
24	(CVE-2019-19768).
25
26	In the Linux kernel 5.3.10, there is a use-after-free (read) in the
27	perf_trace_lock_acquire function (related to include/trace/events/lock.h)
28	(CVE-2019-19769).
29
30	A flaw was found in the way KVM hypervisor handled instruction emulation
31	for the L2 guest when nested(=1) virtualization is enabled. In the
32	instruction emulation, the L2 guest could trick the L0 hypervisor into
33	accessing sensitive bits of the L1 hypervisor. An L2 guest could use this
34	flaw to potentially access information of the L1 hypervisor
35	(CVE-2020-2732).
36
37	There is a use-after-free vulnerability in the Linux kernel through 5.5.2
38	in the vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647).
39
40	There is a use-after-free vulnerability in the Linux kernel through 5.5.2
41	in the n_tty_receive_buf_common function in drivers/tty/n_tty.c
42	(CVE-2020-8648).
43
44	Manfred Paul discovered that the bpf verifier in the Linux kernel did not
45	properly calculate register bounds for certain operations. A local attacker
46	could use this to expose sensitive information (kernel memory) or gain
47	administrative privileges (CVE-2020-8835).
48
49	There is a use-after-free vulnerability in the Linux kernel through 5.5.2
50	in the vgacon_invert_region function in drivers/video/console/vgacon.c.
51	(CVE-2020-8649).
52
53	An issue was discovered in the Linux kernel through 5.5.6. set_fdc in
54	drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read
55	because the FDC index is not checked for errors before assigning it,
56	aka CID-2e90ca68b0d2 (CVE-2020-9383).
57
58	An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6
59	on the AArch64 architecture. It ignores the top byte in the address
60	passed to the brk system call, potentially moving the memory break
61	downwards when the application expects it to move upwards, aka CID-
62	dcde237319e6. This has been observed to cause heap corruption with
63	the GNU C Library malloc implementation (CVE-2020-9391).
64
65	Security fixes and hardenings to the mac00211 layer to prevent leaking keys
66	and frames.
67
68	For other upstream fixes in this update, see the referenced changelogs.
69	references:
70	- https://bugs.mageia.org/show_bug.cgi?id=26426
71	- https://kernelnewbies.org/Linux_5.5
72	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.1
73	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.2
74	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.3
75	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.4
76	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.5
77	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.6
78	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.7
79	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.8
80	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.9
81	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.10
82	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.11
83	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.12
84	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.13
85	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.14
86	- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.15
87	ID: MGASA-2020-0158