type: security
subject: Updated kernel packages fix security vulnerabilities
CVE:
 - CVE-2018-16882
 - CVE-2018-16884
 - CVE-2018-19985
 - CVE-2019-3701
 - CVE-2019-3819
 - CVE-2019-6974
 - CVE-2019-7221
 - CVE-2019-7222
src:
  6:
   core:
     - kernel-4.14.100-1.mga6
     - kernel-userspace-headers-4.14.100-1.mga6
     - kmod-vboxadditions-5.2.24-4.mga6
     - kmod-virtualbox-5.2.24-4.mga6
     - kmod-xtables-addons-2.13-78.mga6
     - ndiswrapper-1.62-1.mga6
     - wireguard-tools-0.0.20190123-1.mga6
description: |
  This kernel update is based on the upstream 4.14.100 and fixes at least
  the following security issues:

  A use-after-free issue was found in the way the Linux kernel's KVM
  hypervisor processed posted interrupts when nested (=1) virtualization is
  enabled. In nested_get_vmcs12_pages(), in case of an error while
  processing the posted interrupt address, it unmaps the 'pi_desc_page'
  without resetting the 'pi_desc' descriptor address, which is later used in
  pi_test_and_clear_on(). A guest user/process could use this flaw to crash
  the host kernel, resulting in DoS, or potentially gain privileged access to
  a system (CVE-2018-16882).

  A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares
  mounted in different network namespaces at the same time can make
  bc_svc_process() use wrong back-channel IDs and cause a use-after-free
  vulnerability. Thus a malicious container user can cause host kernel
  memory corruption and a system panic. Due to the nature of the flaw,
  privilege escalation cannot be fully ruled out (CVE-2018-16884).

  A flaw was found in the Linux kernel in the function hso_probe(), which
  reads the if_num value from the USB device (as a u8) and uses it without a
  length check to index an array, resulting in an OOB memory read in
  hso_probe() or hso_get_config_data(). An attacker with a forged USB
  device and physical access to a system (needed to connect such a device)
  can cause a system crash and a denial of service (CVE-2018-19985).

  An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux
  kernel through 4.19.13. The CAN frame modification rules allow bitwise
  logical operations that can also be applied to the can_dlc field. Because
  of a missing check, the CAN drivers may write arbitrary content beyond
  the data registers in the CAN controller's I/O memory when processing
  can-gw manipulated outgoing frames. This is related to cgw_csum_xor_rel.
  An unprivileged user can trigger a system crash (general protection fault)
  (CVE-2019-3701).

  A flaw was found in the Linux kernel in the function hid_debug_events_read()
  in the drivers/hid/hid-debug.c file, which may enter an infinite loop with
  certain parameters passed from userspace. A local privileged user ("root")
  can cause a system lock up and a denial of service (CVE-2019-3819).

  In the Linux kernel before 4.20.8, kvm_ioctl_create_device in
  virt/kvm/kvm_main.c mishandles reference counting because of a race
  condition, leading to a use-after-free (CVE-2019-6974).

  A use-after-free vulnerability was found in the way the Linux kernel's KVM
  hypervisor emulates a preemption timer for L2 guests when nested (=1)
  virtualization is enabled. This high resolution timer (hrtimer) runs when
  an L2 guest is active. After VM exit, the sync_vmcs12() timer object is
  stopped. The use-after-free occurs if the timer object is freed before
  calling the sync_vmcs12() routine. A guest user/process could use this flaw
  to crash the host kernel, resulting in a denial of service, or potentially
  gain privileged access to a system (CVE-2019-7221).

  An information leakage issue was found in the way the Linux kernel's KVM
  hypervisor handled page fault exceptions while emulating instructions
  like VMXON, VMCLEAR, VMPTRLD, and VMWRITE with a memory address as an
  operand. It occurs if the operand is an MMIO address, as the returned
  exception object holds uninitialized stack memory contents. A guest
  user/process could use this flaw to leak the host's stack memory contents
  to a guest (CVE-2019-7222).

  Other fixes in this update:
  * Ndiswrapper has been updated to 1.62
  * WireGuard has been updated to 0.0.20190123

  For other upstream fixes in this update, see the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24331
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.90
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.91
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.92
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.93
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.94
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.95
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.96
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.97
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.98
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.99
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.100
ID: MGASA-2019-0097