type: security
subject: Updated kernel-linus packages fix security vulnerabilities
CVE:
 - CVE-2020-0423
 - CVE-2020-0465
 - CVE-2020-8694
 - CVE-2020-12912
 - CVE-2020-14351
 - CVE-2020-25656
 - CVE-2020-25668
 - CVE-2020-25669
 - CVE-2020-25704
 - CVE-2020-25705
 - CVE-2020-27152
 - CVE-2020-27194
 - CVE-2020-27673
 - CVE-2020-27675
 - CVE-2020-27825
 - CVE-2020-27830
 - CVE-2020-27835
 - CVE-2020-28588
 - CVE-2020-28915
 - CVE-2020-28941
 - CVE-2020-28974
 - CVE-2020-29534
 - CVE-2020-29660
 - CVE-2020-29661
src:
  7:
   core:
     - kernel-linus-5.10.6-1.mga7
description: |
  This update provides an upgrade to the new upstream 5.10 longterm branch,
  currently based on 5.10.6, adding new features and new and improved
  hardware support.

  This update also fixes at least the following security issues:

  In binder_release_work of binder.c, there is a possible use-after-free due
  to improper locking. This could lead to local escalation of privilege in
  the kernel with no additional execution privileges needed. User interaction
  is not needed for exploitation (CVE-2020-0423).

  In various methods of hid-multitouch.c, there is a possible out-of-bounds
  write due to a missing bounds check. This could lead to local escalation of
  privilege with no additional execution privileges needed. User interaction
  is not needed for exploitation (CVE-2020-0465).

  Insufficient access control in the Linux kernel driver for some Intel(R)
  Processors may allow an authenticated user to potentially enable information
  disclosure via local access (CVE-2020-8694).

  A potential vulnerability in the AMD extension to the Linux "hwmon" service
  may allow an attacker to use the Linux-based Running Average Power Limit
  (RAPL) interface to mount various side-channel attacks. In line with
  industry partners, AMD has updated the RAPL interface to require privileged
  access (CVE-2020-12912).

  A use-after-free memory flaw was found in the perf subsystem allowing a
  local attacker with permission to monitor perf events to corrupt memory and
  possibly escalate privileges. The highest threat from this vulnerability
  is to data confidentiality and integrity as well as system availability
  (CVE-2020-14351).

  A use-after-free was found in the way the console subsystem was using the
  ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to read
  memory out of bounds. The highest threat from this vulnerability is to data
  confidentiality (CVE-2020-25656).

  Linux kernel concurrency use-after-free in vt (CVE-2020-25668).

  Linux kernel use-after-free in sunkbd_reinit (CVE-2020-25669).

  A memory leak flaw was found in the Linux kernel performance monitoring
  subsystem when using PERF_EVENT_IOC_SET_FILTER. A local user could use this
  flaw to exhaust resources, causing a denial of service (CVE-2020-25704).

  A flaw in the way reply ICMP packets are rate-limited in the Linux kernel
  was found that allows open UDP ports to be scanned quickly. This flaw
  allows an off-path remote user to effectively bypass UDP source port
  randomization. The highest threat from this vulnerability is to
  confidentiality and possibly integrity, because software that relies on UDP
  source port randomization is indirectly affected as well (CVE-2020-25705).

  An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c
  in the Linux kernel before 5.9.2. It has an infinite loop related to
  improper interaction between a resampler and edge triggering (CVE-2020-27152).

  An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or
  in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit
  values (CVE-2020-27194).

  An issue was discovered in the Linux kernel through 5.9.1, as used with Xen
  through 4.14.x. Guest OS users can cause a denial of service (host OS hang)
  via a high rate of events to dom0 (CVE-2020-27673).

  An issue was discovered in the Linux kernel through 5.9.1, as used with Xen
  through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal
  during the event-handling loop (a race condition). This can cause a
  use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash
  via events for an in-reconfiguration paravirtualized device (CVE-2020-27675).

  A use-after-free flaw was found in kernel/trace/ring_buffer.c in the Linux
  kernel (before 5.10-rc1). A race between trace_open and a resize of the CPU
  buffer running in parallel on different CPUs may cause a denial of service
  (DoS). This flaw could even allow a local attacker with special user
  privileges to leak kernel information (CVE-2020-27825).

  Linux kernel NULL pointer dereference bug in spk_ttyio_receive_buf2
  (CVE-2020-27830).

  A use-after-free in the Linux kernel infiniband hfi1 driver in versions
  prior to 5.10-rc6 was found in the way a user calls ioctl after opening the
  device file and forking. A local user could use this flaw to crash the
  system (CVE-2020-27835).

  lib/syscall: fix syscall registers retrieval on 32-bit platforms
  (CVE-2020-28588).

  A buffer over-read (at the framebuffer layer) in the fbcon code in the
  Linux kernel before 5.8.15 could be used by local attackers to read kernel
  memory (CVE-2020-28915).

  An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in
  the Linux kernel through 5.9.9. Local attackers on systems with the
  speakup driver could cause a local denial of service (CVE-2020-28941).

  A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could
  be used by local attackers to read privileged information or potentially
  crash the kernel (CVE-2020-28974).

  An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a
  non-refcounted reference to the files_struct of the process that submitted
  a request, causing execve() to incorrectly optimize unshare_fd()
  (CVE-2020-29534).

  A locking inconsistency issue was discovered in the tty subsystem of the
  Linux kernel through 5.9.13. drivers/tty/tty_io.c and
  drivers/tty/tty_jobctrl.c may allow a read-after-free attack against
  TIOCGSID (CVE-2020-29660).

  A locking issue was discovered in the tty subsystem of the Linux kernel
  through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack
  against TIOCSPGRP (CVE-2020-29661).

  For other upstream changes, see the referenced kernelnewbies and changelog
  links.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=27939
 - https://kernelnewbies.org/Linux_5.8
 - https://kernelnewbies.org/Linux_5.9
 - https://kernelnewbies.org/Linux_5.10
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.1
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.2
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.3
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.4
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.5
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.6
ID: MGASA-2021-0031