Univention Bugzilla – Bug 54541
linux: Multiple issues (5.0)
Last modified: 2022-03-16 15:36:52 CET
New Debian linux 4.19.232-1 fixes: This update addresses the following issues: * the get_user_pages implementation when used for a copy-on-write page does not properly consider the semantics of read operations and therefore can grant unintended write access (CVE-2020-29374) * fuse: fuse_do_getattr() calls make_bad_inode() in inappropriate situations (CVE-2020-36322) * use-after-free vulnerability in function sco_sock_sendmsg() (CVE-2021-3640) * crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() (CVE-2021-3744) * possible use-after-free in bluetooth module (CVE-2021-3752) * nfc: Use-After-Free vulnerability of ndev->rf_conn_info object (CVE-2021-3760) * DoS in ccp_run_aes_gcm_cmd() function (CVE-2021-3764) * sctp: Invalid chunks may be used to remotely remove existing associations (CVE-2021-3772) * possible leak or coruption of data residing on hugetlbfs (CVE-2021-4002) * fget: check that the fd still exists after getting a ref to it (CVE-2021-4083) * Heap information leak in map_lookup_elem function (CVE-2021-4135) * xfs: raw block device data leak in XFS_IOC_ALLOCSP IOCTL (CVE-2021-4155) * Race condition in races in sk_peer_pid and sk_peer_cred accesses (CVE-2021-4203) * timer tree corruption leads to missing wakeup and system freeze (CVE-2021-20317) * In Overlayfs missing a check for a negative dentry before calling vfs_rename() (CVE-2021-20321) * new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies (CVE-2021-20322) * double free in packet_set_ring() in net/packet/af_packet.c (CVE-2021-22600) * rogue backends can cause DoS of guests via high frequency events (CVE-2021-28711) * rogue backends can cause DoS of guests via high frequency events (CVE-2021-28712) * rogue backends can cause DoS of guests via high frequency events (CVE-2021-28713) * Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714) (CVE-2021-28714) * Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714) (CVE-2021-28715) * fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950) * crafting anomalous machine code may lead to arbitrary Kernel code execution (CVE-2021-38300) * USB gadget buffer overflow (CVE-2021-39685) * linux (CVE-2021-39686) * linux (CVE-2021-39698) * linux (CVE-2021-39713) * eBPF multiplication integer overflow in prealloc_elems_and_freelist() in kernel/bpf/stackmap.c leads to out-of-bounds write (CVE-2021-41864) * Heap buffer overflow in firedtv driver (CVE-2021-42739) * an array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (CVE-2021-43389) * out-of-bounds write in hw_atl_utils_fw_rpc_wait() in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c (CVE-2021-43975) * mwifiex_usb_recv() in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker to cause DoS via crafted USB device (CVE-2021-43976) * use-after-free in the TEE subsystem (CVE-2021-44733) * refcount leak in pep_sock_accept() in net/phonet/pep.c (CVE-2021-45095) * out-of-bounds memory access in __f2fs_setxattr() in fs/f2fs/xattr.c when an inode has an invalid last xattr entry (CVE-2021-45469) * memory leak in the __rds_conn_create() in net/rds/connection.c (CVE-2021-45480) * cpu: intel: Branch History Injection (BHI) (CVE-2022-0001) * cpu: intel: Intra-Mode BTI (CVE-2022-0002) * DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c (CVE-2022-0322) * possible privileges escalation due to missing TLB flush (CVE-2022-0330) * remote stack overflow via kernel panic on systems using TIPC may lead to DoS (CVE-2022-0435) * Use after free in moxart_remove (CVE-2022-0487) * cgroups v1 release_agent feature may allow privilege escalation (CVE-2022-0492) * Null pointer dereference in udf_expand_file_adinicbdue() during writeback (CVE-2022-0617) * Assertion failure can happen if users trigger kernel_read_file_from_fd() (CVE-2022-0644) * failing usercopy allows for use-after-free exploitation (CVE-2022-22942) * nfs_atomic_open() returns uninitialized data instead of ENOTDIR (CVE-2022-24448) * memory leak in yam_siocdevprivate() in drivers/net/hamradio/yam.c (CVE-2022-24959) * An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur. (CVE-2022-25258) * information disclosure in drivers/usb/gadget/function/rndis.c (CVE-2022-25375) * Race condition in nci_request() leads to use after free while the device is getting removed (CVE-2021-4202) * An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device. (CVE-2022-26966)
--- mirror/ftp/pool/main/l/linux-latest/linux-latest_105+deb10u13.dsc +++ apt/ucs_5.0-0-errata5.0-1/source/linux-latest_105+deb10u14.dsc @@ -1,3 +1,8 @@ +105+deb10u14 [Mon, 07 Mar 2022 22:42:37 +0100] Ben Hutchings <benh@debian.org>: + + * Update to 4.19.0-19 + * linux-image: Add NEWS for unprivileged eBPF change + 105+deb10u13 [Thu, 30 Sep 2021 22:34:05 +0200] Salvatore Bonaccorso <carnil@debian.org>: * Update to 4.19.0-18 <http://piuparts.knut.univention.de/5.0-1/#4770693838861202865>
OK: yaml OK: announce_errata OK: patch OK: piuparts OK: apt install -t apt univention-kernel-image OK: amd64 @ kvm + SeaBIOS OK: amd64 @ kvm + OVMF + SB OK: cat /sys/kernel/security/securelevel ; echo SKIP: amd64 @ xenX OK: uname -a OK: dmesg -H OK ./linux-dmesg-norm -a OK: Rebuild latest ISO with new D-I [5.0-1] 21f207ceb4 Bug #54541: linux 4.19.232-1 doc/errata/staging/linux.yaml | 96 ++++++++++++++++++------------------------- 1 file changed, 40 insertions(+), 56 deletions(-) [5.0-1] d3fa55f743 Bug #54541: linux 4.19.232-1 doc/errata/staging/linux.yaml | 178 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 178 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x247> <https://errata.software-univention.de/#/?erratum=5.0x248>
<https://errata.software-univention.de/#/?erratum=5.0x251>