Bug 51490 - linux: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-4-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2020-06-15 08:59 CEST by Quality Assurance
Modified: 2020-06-17 15:39 CEST

See Also:
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) NVD RedHat


Description Quality Assurance univentionstaff 2020-06-15 08:59:30 CEST
New Debian linux 4.9.210-1+deb9u1 fixes:
This update addresses the following issues:
* possible execution path in MMU code leads to local escalation of privilege (CVE-2019-2182)
* triggering AP to send IAPP location updates for stations before the required authentication process has completed can lead to DoS (CVE-2019-5108)
* out-of-bounds write in ext4_xattr_set_entry in fs/ext4/xattr.c (CVE-2019-19319)
* NULL pointer dereference in relay_open in kernel/relay.c (CVE-2019-19462)
* use-after-free in __blk_add_trace in kernel/trace/blktrace.c (CVE-2019-19768)
* NULL pointer dereference in tw5864_handle_frame function in drivers/media/pci/tw5864/tw5864-video.c (CVE-2019-20806)
* An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c. (CVE-2019-20811)
* Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543)
* kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)
* use-after-free in fs/namei.c (CVE-2020-8428)
* out-of-bounds read in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)
* use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c (CVE-2020-8648)
* invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c (CVE-2020-8649)
* out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)
* NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic (CVE-2020-10711)
* uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)
* SELinux netlink permission check bypass (CVE-2020-10751)
* kernel: DAX hugepages not considered during mremap (CVE-2020-10757)
* vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)
* transmission of uninitialized data allows attackers to read sensitive information (CVE-2020-11494)
* out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)
* NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in drivers/media/usb/gspca/ov519.c (CVE-2020-11608)
* NULL pointer dereference due to incorrect handling of invalid descriptors in stv06xx subsystem (CVE-2020-11609)
* mishandles invalid descriptors in drivers/media/usb/gspca/xirlink_cit.c (CVE-2020-11668)
* A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)
* use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464)
* race condition in __mptctl_ioctl function in drivers/message/fusion/mptctl.c allows local users to hold an incorrect lock during the ioctl operation (CVE-2020-12652)
* buffer overflow in mwifiex_cmd_append_vsie_tlv function in drivers/net/wireless/marvell/mwifiex/scan.c (CVE-2020-12653)
* heap-based buffer overflow in mwifiex_ret_wmm_get_status function in drivers/net/wireless/marvell/mwifiex/wmm.c (CVE-2020-12654)
* sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)
* gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel through 5.6.13 relies on kstrdup without considering the possibility of an internal '\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4. (CVE-2020-13143)
Comment 1 Quality Assurance univentionstaff 2020-06-15 10:00:12 CEST
--- mirror/ftp/4.4/unmaintained/4.4-4/source/linux_4.9.210-1.dsc
+++ apt/ucs_4.4-0-errata4.4-4/source/linux_4.9.210-1+deb9u1.dsc
@@ -1,3 +1,116 @@
+4.9.210-1+deb9u1 [Sun, 07 Jun 2020 22:34:10 +0100] Ben Hutchings <benh@debian.org>:
+
+  [ Salvatore Bonaccorso ]
+  * selinux: properly handle multiple messages in selinux_netlink_send()
+    (CVE-2020-10751)
+  * fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114)
+  * USB: core: Fix free-while-in-use bug in the USB S-Glibrary
+    (CVE-2020-12464)
+  * scsi: sg: add sg_remove_request in sg_common_write
+  * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
+  * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
+  * netlabel: cope with NULL catmap (CVE-2020-10711)
+  * fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
+    (CVE-2020-10732)
+  * kernel/relay.c: handle alloc_percpu returning NULL in relay_open
+    (CVE-2019-19462)
+  * mm: Fix mremap not considering huge pmd devmap (CVE-2020-10757)
+
+  [ Ben Hutchings ]
+  * [arm64] Enforce BBM for huge IO/VMAP mappings (CVE-2019-2182):
+    - arm64: mm: BUG on unsupported manipulations of live kernel mappings
+    - arm64: don't open code page table entry creation
+    - arm64: mm: Change page table pointer name in p[md]_set_huge()
+    - arm64: Enforce BBM for huge IO/VMAP mappings
+    - arm64: Make sure permission updates happen for pmd/pud
+  * cfg80211/mac80211: make ieee80211_send_layer2_update a public function
+  * mac80211: Do not send Layer 2 Update frame before authorization
+    (CVE-2019-5108)
+  * ext4: Fix various bugs:
+    - ext4: Make checks for metadata_csum feature safer
+    - ext4: avoid declaring fs inconsistent due to invalid file handles
+    - ext4: protect journal inode's blocks using block_validity
+      (CVE-2019-19319)
+    - ext4: unsigned int compared against zero
+    - ext4: fix block validity checks for journal inodes using indirect blocks
+    - ext4: don't perform block validity checks on the journal inode
+    - ext4: add cond_resched() to ext4_protect_reserved_inode (CVE-2020-8992)
+  * blktrace: Fix various locking issues:
+    - blktrace: Fix potential deadlock between delete & sysfs ops
+    - blktrace: fix unlocked access to init/start-stop/teardown
+    - blktrace: fix trace mutex deadlock
+    - blktrace: Protect q->blk_trace with RCU (CVE-2019-19768)
+    - blktrace: fix dereference after null check
+  * media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
+    (CVE-2019-20806)
+  * [x86] KVM: nVMX: Fix incorrect instruction emulation (CVE-2020-2732):
+    - KVM: x86: emulate RDPID
+    - KVM: nVMX: Don't emulate instructions in guest mode
+    - KVM: nVMX: Refactor IO bitmap checks into helper function
+    - KVM: nVMX: Check IO instruction VM-exit conditions
+  * vfs: do_last(): fetch directory ->i_mode and ->i_uid before it's too late
+    (CVE-2020-8428)
+  * vfs: fix do_last() regression
+  * vgacon: Fix a UAF in vgacon_invert_region (CVE-2020-8647, CVE-2020-8649)
+  * locking/atomic, kref: Add kref_read()
+  * vt: Fix various bugs:
+    - vt: selection, handle pending signals in paste_selection
+    - VT_RESIZEX: get rid of field-by-field copyin
+    - vt: vt_ioctl: fix race in VT_RESIZEX
+    - vt: selection, close sel_buffer race (CVE-2020-8648)
+    - vt: selection, push console lock down
+    - vt: selection, push sel_lock up
+    - vt: selection, introduce vc_is_sel
+    - vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines
+    - vt: switch vt_dont_switch to bool
+    - vt: vt_ioctl: remove unnecessary console allocation checks
+    - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual
+    - vt: vt_ioctl: fix use-after-free in vt_in_use()
+  * floppy: check FDC index for errors before assigning it (CVE-2020-9383)
+  * vhost: Check docket sk_family instead of call getname (CVE-2020-10942)
+  * slip, slcan: Fix various bugs:
+    - can, slip: Protect tty->disc_data in write_wakeup and close
+    - slcan: not call free_netdev before rtnl_unlock in slcan_open
+    - slcan: Fix double-free on slcan_open() error path
+    - slcan: Don't transmit uninitialized stack data in padding
+      (CVE-2020-11494)
+    - slip: stop double free sl->dev in slip_open
+    - slip: not call free_netdev before rtnl_unlock in slip_open
+    - slip: make slhc_compress() more robust against malicious
+  * mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
+    (CVE-2020-11565)
+  * media: usb: Fix several descriptor checks:
+    - media: ov519: add missing endpoint sanity checks (CVE-2020-11608)
+    - media: stv06xx: add missing descriptor sanity checks (CVE-2020-11609)
+    - media: xirlink_cit: add missing descriptor sanity checks (CVE-2020-11668)
+  * scsi: mptfusion: Fix double fetch bug in ioctl (CVE-2020-12652)
+  * mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
+    (CVE-2020-12653)
+  * mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
+    (CVE-2020-12654)
+  * macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
+    (Closes: #952660)
+  * block: Avoid ABI change for blktrace locking
+  * net-sysfs: Fix reference counting bugs:
+    - net: don't decrement kobj reference count on init failure
+    - net-sysfs: call dev_hold if kobject_init_and_add success
+      (CVE-2019-20811)
+    - net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
+    - net-sysfs: fix netdev_queue_add_kobject() breakage
+    - net-sysfs: Call dev_hold always in netdev_queue_add_kobject
+    - net-sysfs: Call dev_hold always in rx_queue_add_kobject
+  * propagate_one(): mnt_set_mountpoint() needs mount_lock
+  * [x86] Add support for mitigation of Special Register Buffer Data Sampling
+    (SRBDS) (CVE-2020-0543):
+    - x86/cpu: Add 'table' argument to cpu_matches()
+    - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
+      mitigation
+    - x86/speculation: Add SRBDS vulnerability and mitigation documentation
+    - x86/speculation: Add Ivy Bridge to affected list
+  * [x86] speculation: Do not match steppings, to avoid an ABI change
+  * random: always use batched entropy for get_random_u{32,64}
+  * [rt] Refresh "random: avoid preempt_disable()ed section"
+
 4.9.210-1 [Mon, 20 Jan 2020 18:38:08 +0000] Ben Hutchings <ben@decadent.org.uk>:
 
   * New upstream stable update:

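Review bot: CVE-2020-8992 is credited on the line "- ext4: add cond_resched() to ext4_protect_reserved_inode (CVE-2020-8992)" but is absent from the CVE list in the bug description; check that linux.yaml (touched in Comment 4) carries it and add it to the description either way, otherwise the errata announcement under-reports what this kernel fixes. The entry "- slip: make slhc_compress() more robust against malicious" is also cut off after "malicious" and should be completed so the changelog line names what the fix hardens against.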
<http://10.200.17.11/4.4-4/#6220744327999091175>
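The description above lists the CVEs the errata text is built from, and the changelog hunk above lists the CVEs Debian credits; the two should agree. As an added example (not part of this bug, nor Univention or Debian tooling), the script below pulls every CVE identifier out of both texts and reports the ones that occur in only one of them, plus the changelog entry each stray identifier belongs to. The ADVISORY and CHANGELOG strings are constructed excerpts of the description and hunk on this page, trimmed to a few entries; the function names are this example's own.

```python
"""Cross-check the CVE identifiers in an errata description against those
credited in the Debian changelog it was derived from."""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed excerpt of the bug description's CVE list (four of its entries).
ADVISORY = """\
* out-of-bounds write in ext4_xattr_set_entry in fs/ext4/xattr.c (CVE-2019-19319)
* use-after-free in __blk_add_trace in kernel/trace/blktrace.c (CVE-2019-19768)
* Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543)
* SELinux netlink permission check bypass (CVE-2020-10751)
"""

# Constructed excerpt of the 4.9.210-1+deb9u1 changelog hunk: the same entries
# plus the ext4 cond_resched() line, which carries a CVE the description lacks.
CHANGELOG = """\
  * selinux: properly handle multiple messages in selinux_netlink_send()
    (CVE-2020-10751)
  * ext4: Fix various bugs:
    - ext4: protect journal inode's blocks using block_validity
      (CVE-2019-19319)
    - ext4: add cond_resched() to ext4_protect_reserved_inode (CVE-2020-8992)
  * blktrace: Fix various locking issues:
    - blktrace: Protect q->blk_trace with RCU (CVE-2019-19768)
  * [x86] Add support for mitigation of Special Register Buffer Data Sampling
    (SRBDS) (CVE-2020-0543):
"""


def cve_ids(text):
    """All CVE identifiers in `text`, upper-cased and de-duplicated."""
    return {m.group(0).upper() for m in CVE_RE.finditer(text)}


def cross_check(advisory_text, changelog_text):
    """Return (credited in the changelog but missing from the advisory,
    listed in the advisory but not credited in the changelog), both sorted."""
    advisory = cve_ids(advisory_text)
    changelog = cve_ids(changelog_text)
    return sorted(changelog - advisory), sorted(advisory - changelog)


def entries_for(changelog_text, cve):
    """Changelog entry headings that mention `cve`. A '(CVE-...)' that was
    wrapped onto its own continuation line is attributed to the nearest
    preceding '*' or '-' entry, which is how the Debian changelog wraps them."""
    lines = changelog_text.splitlines()
    hits = []
    for n, line in enumerate(lines):
        if cve.upper() in line.upper():
            k = n
            while k > 0 and not lines[k].lstrip().startswith(("*", "-")):
                k -= 1
            hits.append(lines[k].strip())
    return hits


if __name__ == "__main__":
    missing, extra = cross_check(ADVISORY, CHANGELOG)
    for cve in missing:
        print("not in description:", cve, "->", entries_for(CHANGELOG, cve))
    for cve in extra:
        print("not in changelog:  ", cve)
```

Run against the full description and hunk from this page, the same check reports CVE-2020-8992 as credited in the changelog but absent from the description.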
Comment 2 Felix Botner univentionstaff 2020-06-16 11:28:07 CEST
DVD install tests fail now; they are unable to install univention-kernel-image:

E: Unable to correct problems, you have held broken packages.
Reading package lists...
Building dependency tree...
Reading state information...
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 univention-kernel-image : Depends: linux-image-4.9.0-12-amd64-signed but it is not going to be installed
Reading package lists...
Building dependency tree...
Reading state information...
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 linux-image-4.9.0-12-amd64-signed : Depends: linux-image-4.9.0-12-amd64 (= 4.9.210-1) but 4.9.210-1+deb9u1 is to be installed
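The unmet dependency above follows from dpkg's version ordering: 4.9.210-1+deb9u1 sorts strictly after 4.9.210-1, so a Depends pinned with "=" on the old version cannot be satisfied once the rebuilt kernel is the candidate. As an added example (not from this bug, dpkg, Debian or Univention code), the block below reimplements the Debian version comparison in Python (epoch, upstream version and revision; "~" sorting before anything including end of string, letters before non-letters, digit runs compared numerically), with a `satisfies()` helper that evaluates a dpkg relation string and a `kernel_is_fixed()` check against the errata kernel version. The function names and the FIXED_KERNEL constant are this example's own; on a real system `dpkg --compare-versions` or python-apt's `apt_pkg.version_compare` give the authoritative answer.

```python
"""Debian package version ordering (epoch:upstream-revision), written out to
show why "= 4.9.210-1" is not satisfied by 4.9.210-1+deb9u1 and to check an
installed kernel against the errata version. Example code for this bug page,
not dpkg's implementation; names are this example's own."""

FIXED_KERNEL = "4.9.210-1+deb9u1"  # errata kernel version from this bug


def _order(c):
    """Rank of one character in the lexical phase: '~' sorts before anything,
    even the end of the string (rank 0); letters sort before non-letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_part(a, b):
    """Compare one version part (upstream version or Debian revision):
    alternate a lexical run (up to the next digit) and a numeric run."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":      # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():      # longer digit run is the larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split "[epoch:]upstream[-revision]"; the last hyphen starts the revision."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:           # no hyphen: rpartition left everything in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return e1 - e2
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


_OPS = {
    "<<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
    ">=": lambda c: c >= 0, ">>": lambda c: c > 0,
}


def satisfies(installed, relation):
    """Does `installed` satisfy a dpkg relation such as ">= 4.9.210-1"?"""
    op, required = relation.split(None, 1)
    return _OPS[op](compare_versions(installed, required))


def kernel_is_fixed(installed, fixed=FIXED_KERNEL):
    """True when the installed kernel package is at or above the errata version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # The DVD install failure: the signed wrapper pins "= 4.9.210-1" while
    # apt wants to install 4.9.210-1+deb9u1.
    print(satisfies("4.9.210-1+deb9u1", "= 4.9.210-1"))   # False
    print(kernel_is_fixed("4.9.210-1"))                    # False
    print(kernel_is_fixed("4.9.210-1+deb9u1"))             # True
```

The "=" pin in univention-kernel-image-signed is deliberate: the signed vmlinuz is a signature over one exact kernel binary, so loosening it to ">=" would be wrong; the consequence is that every +deb9uN rebuild needs a re-signed wrapper uploaded alongside it, which is what Comments 3 and 4 do. For verifying the errata on a host, the input to `kernel_is_fixed()` is the version that `dpkg-query -W -f='${Version}' linux-image-4.9.0-12-amd64` prints.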
Comment 3 Philipp Hahn univentionstaff 2020-06-16 12:26:24 CEST
univention-kernel-image[-signed] needs to be updated (after the signing, which is scheduled for tomorrow).
Comment 4 Philipp Hahn univentionstaff 2020-06-17 11:58:52 CEST
[4.4-4] 89ff093cce Bug #51490: univention-kernel-image-signed 5.0.0-11A~4.4.0.202006171143
 doc/errata/staging/linux.yaml                      |   4 +-
 .../staging/univention-kernel-image-signed.yaml    | 107 +++++++++++++++++++++
 2 files changed, 110 insertions(+), 1 deletion(-)

[4.4-4] 357f1a32ed Bug #51490: Update to linux-4.9.210-1+deb9u1
 .../debian/changelog                               |   6 ++++++
 .../univention-kernel-image-signed/debian/control  |   4 ++--
 .../debian/control.in                              |   9 ++++++---
 .../vmlinuz-4.9.0-12-amd64.efi.signed              | Bin 4265584 -> 4265584 bytes
 4 files changed, 14 insertions(+), 5 deletions(-)
Comment 5 Quality Assurance univentionstaff 2020-06-17 12:00:09 CEST
--- mirror/ftp/4.4/unmaintained/4.4-4/source/univention-kernel-image-signed_5.0.0-10A~4.4.0.202002271558.dsc
+++ apt/ucs_4.4-0-errata4.4-4/source/univention-kernel-image-signed_5.0.0-11A~4.4.0.202006171143.dsc
@@ -1,6 +1,10 @@
-5.0.0-10A~4.4.0.202002271558 [Thu, 27 Feb 2020 15:58:40 +0100] Univention builddaemon <buildd@univention.de>:
+5.0.0-11A~4.4.0.202006171143 [Wed, 17 Jun 2020 11:43:04 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+5.0.0-11 [Wed, 17 Jun 2020 11:30:09 +0200] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #51490: Update to linux-4.9.210-1+deb9u1
 
 5.0.0-10 [Thu, 27 Feb 2020 15:51:49 +0100] Philipp Hahn <hahn@univention.de>:
 

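Review bot: the new 5.0.0-11 entry says only "Update to linux-4.9.210-1+deb9u1", while the diffstat in Comment 4 shows debian/control, debian/control.in and the re-signed vmlinuz-4.9.0-12-amd64.efi.signed changing as well; record in the changelog that the versioned Depends on linux-image-4.9.0-12-amd64 (the "= 4.9.210-1" pin that broke the DVD install in Comment 2) was bumped to 4.9.210-1+deb9u1 and that the image was re-signed, so the next +deb9uN rebuild has a template to follow. Since that pin is exact by design for a signed image, the linux upload and this package should land in the errata scope together rather than two days apart, which is the window Comment 2 hit.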
<http://10.200.17.11/4.4-4/#3918145900921532894>
Comment 6 Quality Assurance univentionstaff 2020-06-17 12:00:13 CEST
--- mirror/ftp/4.4/unmaintained/4.4-4/source/linux_4.9.210-1.dsc
+++ apt/ucs_4.4-0-errata4.4-4/source/linux_4.9.210-1+deb9u1.dsc
@@ -1,3 +1,116 @@
+4.9.210-1+deb9u1 [Sun, 07 Jun 2020 22:34:10 +0100] Ben Hutchings <benh@debian.org>:
+
+  [ Salvatore Bonaccorso ]
+  * selinux: properly handle multiple messages in selinux_netlink_send()
+    (CVE-2020-10751)
+  * fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114)
+  * USB: core: Fix free-while-in-use bug in the USB S-Glibrary
+    (CVE-2020-12464)
+  * scsi: sg: add sg_remove_request in sg_common_write
+  * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
+  * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
+  * netlabel: cope with NULL catmap (CVE-2020-10711)
+  * fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
+    (CVE-2020-10732)
+  * kernel/relay.c: handle alloc_percpu returning NULL in relay_open
+    (CVE-2019-19462)
+  * mm: Fix mremap not considering huge pmd devmap (CVE-2020-10757)
+
+  [ Ben Hutchings ]
+  * [arm64] Enforce BBM for huge IO/VMAP mappings (CVE-2019-2182):
+    - arm64: mm: BUG on unsupported manipulations of live kernel mappings
+    - arm64: don't open code page table entry creation
+    - arm64: mm: Change page table pointer name in p[md]_set_huge()
+    - arm64: Enforce BBM for huge IO/VMAP mappings
+    - arm64: Make sure permission updates happen for pmd/pud
+  * cfg80211/mac80211: make ieee80211_send_layer2_update a public function
+  * mac80211: Do not send Layer 2 Update frame before authorization
+    (CVE-2019-5108)
+  * ext4: Fix various bugs:
+    - ext4: Make checks for metadata_csum feature safer
+    - ext4: avoid declaring fs inconsistent due to invalid file handles
+    - ext4: protect journal inode's blocks using block_validity
+      (CVE-2019-19319)
+    - ext4: unsigned int compared against zero
+    - ext4: fix block validity checks for journal inodes using indirect blocks
+    - ext4: don't perform block validity checks on the journal inode
+    - ext4: add cond_resched() to ext4_protect_reserved_inode (CVE-2020-8992)
+  * blktrace: Fix various locking issues:
+    - blktrace: Fix potential deadlock between delete & sysfs ops
+    - blktrace: fix unlocked access to init/start-stop/teardown
+    - blktrace: fix trace mutex deadlock
+    - blktrace: Protect q->blk_trace with RCU (CVE-2019-19768)
+    - blktrace: fix dereference after null check
+  * media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
+    (CVE-2019-20806)
+  * [x86] KVM: nVMX: Fix incorrect instruction emulation (CVE-2020-2732):
+    - KVM: x86: emulate RDPID
+    - KVM: nVMX: Don't emulate instructions in guest mode
+    - KVM: nVMX: Refactor IO bitmap checks into helper function
+    - KVM: nVMX: Check IO instruction VM-exit conditions
+  * vfs: do_last(): fetch directory ->i_mode and ->i_uid before it's too late
+    (CVE-2020-8428)
+  * vfs: fix do_last() regression
+  * vgacon: Fix a UAF in vgacon_invert_region (CVE-2020-8647, CVE-2020-8649)
+  * locking/atomic, kref: Add kref_read()
+  * vt: Fix various bugs:
+    - vt: selection, handle pending signals in paste_selection
+    - VT_RESIZEX: get rid of field-by-field copyin
+    - vt: vt_ioctl: fix race in VT_RESIZEX
+    - vt: selection, close sel_buffer race (CVE-2020-8648)
+    - vt: selection, push console lock down
+    - vt: selection, push sel_lock up
+    - vt: selection, introduce vc_is_sel
+    - vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines
+    - vt: switch vt_dont_switch to bool
+    - vt: vt_ioctl: remove unnecessary console allocation checks
+    - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual
+    - vt: vt_ioctl: fix use-after-free in vt_in_use()
+  * floppy: check FDC index for errors before assigning it (CVE-2020-9383)
+  * vhost: Check docket sk_family instead of call getname (CVE-2020-10942)
+  * slip, slcan: Fix various bugs:
+    - can, slip: Protect tty->disc_data in write_wakeup and close
+    - slcan: not call free_netdev before rtnl_unlock in slcan_open
+    - slcan: Fix double-free on slcan_open() error path
+    - slcan: Don't transmit uninitialized stack data in padding
+      (CVE-2020-11494)
+    - slip: stop double free sl->dev in slip_open
+    - slip: not call free_netdev before rtnl_unlock in slip_open
+    - slip: make slhc_compress() more robust against malicious
+  * mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
+    (CVE-2020-11565)
+  * media: usb: Fix several descriptor checks:
+    - media: ov519: add missing endpoint sanity checks (CVE-2020-11608)
+    - media: stv06xx: add missing descriptor sanity checks (CVE-2020-11609)
+    - media: xirlink_cit: add missing descriptor sanity checks (CVE-2020-11668)
+  * scsi: mptfusion: Fix double fetch bug in ioctl (CVE-2020-12652)
+  * mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
+    (CVE-2020-12653)
+  * mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
+    (CVE-2020-12654)
+  * macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
+    (Closes: #952660)
+  * block: Avoid ABI change for blktrace locking
+  * net-sysfs: Fix reference counting bugs:
+    - net: don't decrement kobj reference count on init failure
+    - net-sysfs: call dev_hold if kobject_init_and_add success
+      (CVE-2019-20811)
+    - net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
+    - net-sysfs: fix netdev_queue_add_kobject() breakage
+    - net-sysfs: Call dev_hold always in netdev_queue_add_kobject
+    - net-sysfs: Call dev_hold always in rx_queue_add_kobject
+  * propagate_one(): mnt_set_mountpoint() needs mount_lock
+  * [x86] Add support for mitigation of Special Register Buffer Data Sampling
+    (SRBDS) (CVE-2020-0543):
+    - x86/cpu: Add 'table' argument to cpu_matches()
+    - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
+      mitigation
+    - x86/speculation: Add SRBDS vulnerability and mitigation documentation
+    - x86/speculation: Add Ivy Bridge to affected list
+  * [x86] speculation: Do not match steppings, to avoid an ABI change
+  * random: always use batched entropy for get_random_u{32,64}
+  * [rt] Refresh "random: avoid preempt_disable()ed section"
+
 4.9.210-1 [Mon, 20 Jan 2020 18:38:08 +0000] Ben Hutchings <ben@decadent.org.uk>:
 
   * New upstream stable update:

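Review bot: this hunk is byte-for-byte the one already posted in Comment 1 (only the build link below differs), so the open point from there still stands: CVE-2020-8992 on the "ext4: add cond_resched() to ext4_protect_reserved_inode" line is not in the bug description's CVE list, and the description was not amended between the two posts.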
<http://10.200.17.11/4.4-4/#3918145900921532894>
Comment 7 Philipp Hahn univentionstaff 2020-06-17 12:19:15 CEST
Package: univention-kernel-image-signed
Version: 5.0.0-11A~4.4.0.202006171143
Branch: ucs_4.4-0
Scope: errata4.4-4

OK: apt install -t apt linux-image-4.9.0-12-amd64 linux-image-4.9.0-12-amd64-signed intel-microcode
OK: uname -rv # 4.9.210-1+deb9u1
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
OK: cat /sys/kernel/security/securelevel ; echo
OK: amd64 @ xen1
OK: apt install -t apt linux-image-4.9.0-12-686-pae
OK: i386 @ kvm
OK: dmesg -H
OK: YAML
OK: errata-announce -V --only linux.yaml
OK: errata-announce -V --only univention-kernel-image-signed.yaml