| 1 |
type: security |
| 2 |
subject: Updated kernel packages fix security vulnerabilities |
| 3 |
CVE: |
| 4 |
- CVE-2018-16882 |
| 5 |
- CVE-2018-16884 |
| 6 |
- CVE-2018-19985 |
| 7 |
- CVE-2019-3701 |
| 8 |
- CVE-2019-3819 |
| 9 |
- CVE-2019-6974 |
| 10 |
- CVE-2019-7221 |
| 11 |
- CVE-2019-7222 |
| 12 |
src: |
| 13 |
6: |
| 14 |
core: |
| 15 |
- kernel-4.14.100-1.mga6 |
| 16 |
- kernel-userspace-headers-4.14.100-1.mga6 |
| 17 |
- kmod-vboxadditions-5.2.24-4.mga6 |
| 18 |
- kmod-virtualbox-5.2.24-4.mga6 |
| 19 |
- kmod-xtables-addons-2.13-78.mga6 |
| 20 |
- ndiswrapper-1.62-1.mga6 |
| 21 |
- wireguard-tools-0.0.20190123-1.mga6 |
| 22 |
description: | |
| 23 |
This kernel update is based on the upstream 4.14.100 and fixes atleast |
| 24 |
the following security issues: |
| 25 |
|
| 26 |
A use-after-free issue was found in the way the Linux kernel's KVM |
| 27 |
hypervisor processed posted interrupts when nested(=1) virtualization is |
| 28 |
enabled. In nested_get_vmcs12_pages(), in case of an error while |
| 29 |
processing posted interrupt address, it unmaps the 'pi_desc_page' without |
| 30 |
resetting 'pi_desc' descriptor address, which is later used in |
| 31 |
pi_test_and_clear_on(). A guest user/process could use this flaw to crash |
| 32 |
the host kernel resulting in DoS or potentially gain privileged access to |
| 33 |
a system (CVE-2018-16882). |
| 34 |
|
| 35 |
A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares |
| 36 |
mounted in different network namespaces at the same time can make |
| 37 |
bc_svc_process() use wrong back-channel IDs and cause a use-after-free |
| 38 |
vulnerability. Thus a malicious container user can cause a host kernel |
| 39 |
memory corruption and a system panic. Due to the nature of the flaw, |
| 40 |
privilege escalation cannot be fully ruled out (CVE-2018-16884). |
| 41 |
|
| 42 |
A flaw was found in the Linux kernel in the function hso_probe() which |
| 43 |
reads if_num value from the USB device (as an u8) and uses it without a |
| 44 |
length check to index an array, resulting in an OOB memory read in |
| 45 |
hso_probe() or hso_get_config_data(). An attacker with a forged USB |
| 46 |
device and physical access to a system (needed to connect such a device) |
| 47 |
can cause a system crash and a denial of service (CVE-2018-19985). |
| 48 |
|
| 49 |
An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux |
| 50 |
kernel through 4.19.13. The CAN frame modification rules allow bitwise |
| 51 |
logical operations that can be also applied to the can_dlc field. Because |
| 52 |
of a missing check, the CAN drivers may write arbitrary content beyond |
| 53 |
the data registers in the CAN controller's I/O memory when processing |
| 54 |
can-gw manipulated outgoing frames. This is related to cgw_csum_xor_rel. |
| 55 |
An unprivileged user can trigger a system crash (general protection fault) |
| 56 |
(CVE-2019-3701). |
| 57 |
|
| 58 |
A flaw was found in the Linux kernel in the function hid_debug_events_read() |
| 59 |
in drivers/hid/hid-debug.c file which may enter an infinite loop with |
| 60 |
certain parameters passed from a userspace. A local privileged user ("root") |
| 61 |
can cause a system lock up and a denial of service (CVE-2019-3819). |
| 62 |
|
| 63 |
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in |
| 64 |
virt/kvm/kvm_main.c mishandles reference counting because of a race |
| 65 |
condition, leading to a use-after-free (CVE-2019-6974). |
| 66 |
|
| 67 |
A use-after-free vulnerability was found in the way the Linux kernel's KVM |
| 68 |
hypervisor emulates a preemption timer for L2 guests when nested (=1) |
| 69 |
virtualization is enabled. This high resolution timer(hrtimer) runs when |
| 70 |
a L2 guest is active. After VM exit, the sync_vmcs12() timer object is |
| 71 |
stopped. The use-after-free occurs if the timer object is freed before |
| 72 |
calling sync_vmcs12() routine. A guest user/process could use this flaw |
| 73 |
to crash the host kernel resulting in a denial of service or, potentially, |
| 74 |
gain privileged access to a system (CVE-2019-7221). |
| 75 |
|
| 76 |
An information leakage issue was found in the way Linux kernel's KVM |
| 77 |
hypervisor handled page fault exceptions while emulating instructions |
| 78 |
like VMXON, VMCLEAR, VMPTRLD, and VMWRITE with memory address as an |
| 79 |
operand. It occurs if the operand is a mmio address, as the returned |
| 80 |
exception object holds uninitialized stack memory contents. A guest |
| 81 |
user/process could use this flaw to leak host's stack memory contents |
| 82 |
to a guest (CVE-2019-7222). |
| 83 |
|
| 84 |
Other fixes in this update: |
| 85 |
* Ndiswrapper has been updated to 1.62 |
| 86 |
* WireGuard has been updated to 0.0.20190123 |
| 87 |
|
| 88 |
For other uptstream fixes in this update, see the referenced changelogs. |
| 89 |
references: |
| 90 |
- https://bugs.mageia.org/show_bug.cgi?id=24331 |
| 91 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.90 |
| 92 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.91 |
| 93 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.92 |
| 94 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.93 |
| 95 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.94 |
| 96 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.95 |
| 97 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.96 |
| 98 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.97 |
| 99 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.98 |
| 100 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.99 |
| 101 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.100 |
| 102 |
ID: MGASA-2019-0097 |
Parent Directory
| 
Revision Log