Contents of /27939.adv

Revision 11220
Fri Jan 15 11:57:39 2021 UTC by tmb
File size: 7046 byte(s)
MGASA-2021-0031: kernel-linus-5.10.6-1.mga7
type: security
subject: Updated kernel-linus packages fix security vulnerabilities
CVE:
 - CVE-2020-0423
 - CVE-2020-0465
 - CVE-2020-8694
 - CVE-2020-12912
 - CVE-2020-14351
 - CVE-2020-25656
 - CVE-2020-25668
 - CVE-2020-25669
 - CVE-2020-25704
 - CVE-2020-25705
 - CVE-2020-27152
 - CVE-2020-27194
 - CVE-2020-27673
 - CVE-2020-27675
 - CVE-2020-27825
 - CVE-2020-27830
 - CVE-2020-27835
 - CVE-2020-28588
 - CVE-2020-28915
 - CVE-2020-28941
 - CVE-2020-28974
 - CVE-2020-29534
 - CVE-2020-29660
 - CVE-2020-29661
src:
  7:
   core:
     - kernel-linus-5.10.6-1.mga7
description: |
  This update provides an upgrade to the new upstream 5.10 longterm branch,
  currently based on 5.10.6, adding new features and new and improved
  hardware support.

  This update also fixes at least the following security issues:

  In binder_release_work of binder.c, there is a possible use-after-free due
  to improper locking. This could lead to local escalation of privilege in
  the kernel with no additional execution privileges needed. User interaction
  is not needed for exploitation (CVE-2020-0423).

  In various methods of hid-multitouch.c, there is a possible out of bounds
  write due to a missing bounds check. This could lead to local escalation of
  privilege with no additional execution privileges needed. User interaction
  is not needed for exploitation (CVE-2020-0465).

  Insufficient access control in the Linux kernel driver for some Intel(R)
  Processors may allow an authenticated user to potentially enable information
  disclosure via local access (CVE-2020-8694).

  A potential vulnerability in the AMD extension to Linux "hwmon" service may
  allow an attacker to use the Linux-based Running Average Power Limit (RAPL)
  interface to show various side channel attacks. In line with industry
  partners, AMD has updated the RAPL interface to require privileged access
  (CVE-2020-12912).

  A use-after-free memory flaw was found in the perf subsystem allowing a
  local attacker with permission to monitor perf events to corrupt memory and
  possibly escalate privileges. The highest threat from this vulnerability
  is to data confidentiality and integrity as well as system availability
  (CVE-2020-14351).

  A use-after-free was found in the way the console subsystem was using the
  ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to gain
  out-of-bounds read access to memory. The highest threat from this
  vulnerability is to data confidentiality (CVE-2020-25656).

  Linux kernel concurrency use-after-free in vt (CVE-2020-25668).

  Linux kernel use-after-free in sunkbd_reinit (CVE-2020-25669).

  A memory leak flaw was found in the Linux kernel performance monitoring
  subsystem when using PERF_EVENT_IOC_SET_FILTER. A local user could use
  this flaw to starve resources, causing a denial of service (CVE-2020-25704).

  A flaw was found in the way reply ICMP packets are limited in the Linux
  kernel that allows open UDP ports to be scanned quickly. This flaw allows
  an off-path remote user to effectively bypass source port UDP
  randomization. The highest threat from this vulnerability is to
  confidentiality and possibly integrity, because software that relies on UDP
  source port randomization is indirectly affected as well (CVE-2020-25705).

  An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c
  in the Linux kernel before 5.9.2. It has an infinite loop related to
  improper interaction between a resampler and edge triggering (CVE-2020-27152).

  An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or
  in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit
  values (CVE-2020-27194).

  An issue was discovered in the Linux kernel through 5.9.1, as used with Xen
  through 4.14.x. Guest OS users can cause a denial of service (host OS hang)
  via a high rate of events to dom0 (CVE-2020-27673).

  An issue was discovered in the Linux kernel through 5.9.1, as used with Xen
  through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal
  during the event-handling loop (a race condition). This can cause a
  use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash
  via events for an in-reconfiguration paravirtualized device (CVE-2020-27675).

  A use-after-free flaw was found in kernel/trace/ring_buffer.c in the Linux
  kernel (before 5.10-rc1). There was a race between trace_open and a resize
  of the CPU buffer running in parallel on different CPUs, which may cause a
  denial of service (DoS). This flaw could even allow a local attacker with
  special user privileges to cause a kernel information leak (CVE-2020-27825).

  Linux kernel NULL-ptr deref bug in spk_ttyio_receive_buf2 (CVE-2020-27830).

  A use-after-free in the Linux kernel infiniband hfi1 driver in versions
  prior to 5.10-rc6 was found in the way a user calls ioctl after opening
  the device file and forking. A local user could use this flaw to crash the
  system (CVE-2020-27835).

  lib/syscall: fix syscall registers retrieval on 32-bit platforms
  (CVE-2020-28588).

  A buffer over-read (at the framebuffer layer) in the fbcon code in the
  Linux kernel before 5.8.15 could be used by local attackers to read kernel
  memory (CVE-2020-28915).

  An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in
  the Linux kernel through 5.9.9. Local attackers on systems with the
  speakup driver could cause a local denial of service attack (CVE-2020-28941).

  A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could
  be used by local attackers to read privileged information or potentially
  crash the kernel (CVE-2020-28974).

  An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a
  non-refcounted reference to the files_struct of the process that submitted
  a request, causing execve() to incorrectly optimize unshare_fd()
  (CVE-2020-29534).

  A locking inconsistency issue was discovered in the tty subsystem of the
  Linux kernel through 5.9.13. drivers/tty/tty_io.c and
  drivers/tty/tty_jobctrl.c may allow a read-after-free attack against
  TIOCGSID (CVE-2020-29660).

  A locking issue was discovered in the tty subsystem of the Linux kernel
  through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack
  against TIOCSPGRP (CVE-2020-29661).

  For other upstream changes, see the referenced kernelnewbies and changelog
  links.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=27939
 - https://kernelnewbies.org/Linux_5.8
 - https://kernelnewbies.org/Linux_5.9
 - https://kernelnewbies.org/Linux_5.10
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.1
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.2
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.3
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.4
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.5
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.6
ID: MGASA-2021-0031
