Bug 50870 - linux: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P3 normal (vote)
: UCS 4.4-3-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2020-02-27 15:34 CET by Quality Assurance
Modified: 2020-03-11 14:42 CET (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) NVD RedHat


Description Quality Assurance univentionstaff 2020-02-27 15:34:10 CET
New Debian linux 4.9.210-1 fixes:
This update addresses the following issues:
* NULL pointer dereference in lookup_slow function (CVE-2018-13093)
* NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094)
* use-after-free in fs/xfs/xfs_super.c (CVE-2018-20976)
* use-after-free can be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (CVE-2018-21008)
* Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-0136)
* A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application. Product: Android. Android ID: A-141720095 (CVE-2019-2215)
* CIFS: Relative paths injection in directory entry lists (CVE-2019-10220)
* null pointer dereference in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c causing denial of service (CVE-2019-12614)
* Intel graphics card information leak. (CVE-2019-14615)
* heap overflow in mwifiex_set_uap_rates() function of Marvell Wifi Driver leading to DoS (CVE-2019-14814)
* heap-overflow in mwifiex_set_wmm_params() function of Marvell WiFi driver leading to DoS (CVE-2019-14815)
* heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)
* heap-based buffer overflow in mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895)
* heap-based buffer overflow in lbs_ibss_join_existing function in drivers/net/wireless/marvell/libertas/cfg.c (CVE-2019-14896)
* stack-based buffer overflow in add_ie_rates function in drivers/net/wireless/marvell/libertas/cfg.c (CVE-2019-14897)
* heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)
* powerpc: local user can read vector registers of other users' processes via a Facility Unavailable exception (CVE-2019-15030)
* a NULL pointer dereference in drivers/net/wireless/ath/ath6kl/usb.c leads to a crash (CVE-2019-15098)
* null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)
* Null pointer dereference in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c (CVE-2019-15291)
* out of bounds read in drivers/media/usb/dvb-usb/technisat-usb2.c (CVE-2019-15505)
* use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)
* buffer-overflow hardening in WiFi beacon validation code. (CVE-2019-16746)
* unprivileged users able to create RAW sockets in the AF_AX25 network protocol. (CVE-2019-17052)
* unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol. (CVE-2019-17053)
* privilege escalation in atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module (CVE-2019-17054)
* unprivileged users able to create RAW sockets in AF_ISDN network protocol. (CVE-2019-17055)
* unprivileged access to llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC socket type. (CVE-2019-17056)
* denial of service in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c (CVE-2019-17075)
* buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c (CVE-2019-17133)
* rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow (CVE-2019-17666)
* The flow_dissector feature allows device tracking (CVE-2019-18282)
* (powerpc) incomplete Spectre-RSB mitigation leads to information exposure (CVE-2019-18660)
* race condition in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming() (CVE-2019-18683)
* memory leak in ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c (CVE-2019-18806)
* memory leak in af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c (CVE-2019-18809)
* null-pointer dereference in ext4_empty_dir in fs/ext4/namei.c (CVE-2019-19037)
* dos in unittest_data_add() function in drivers/of/unittest.c (CVE-2019-19049)
* dos in i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c (CVE-2019-19051)
* dos in gs_can_open() function in drivers/net/can/usb/gs_usb.c (CVE-2019-19052)
* A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c allows to cause DoS (CVE-2019-19056)
* Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c allows for a DoS (CVE-2019-19057)
* A memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for a DoS (CVE-2019-19062)
* Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c allow for a DoS (CVE-2019-19063)
* A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c allows for a DoS (CVE-2019-19066)
* A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c allows for a DoS (CVE-2019-19068)
* In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122. (CVE-2019-19227)
* kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)
* mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)
* use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (CVE-2019-19523)
* a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)
* malicious USB device leads to use-after-free in the drivers/net/ieee802154/atusb.c driver (CVE-2019-19525)
* use-after-free caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (CVE-2019-19527)
* use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (CVE-2019-19530)
* use-after-free bug caused by a malicious USB device in the drivers/usb/misc/yurex.c driver leads to denial of service (CVE-2019-19531)
* malicious USB devices can lead to multiple out-of-bounds write (CVE-2019-19532)
* information leak bug caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c (CVE-2019-19533)
* information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)
* information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (CVE-2019-19535)
* information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (CVE-2019-19536)
* race condition caused by a malicious USB device in the USB character device driver layer (CVE-2019-19537)
* use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c and fs/ext4/super.c (CVE-2019-19767)
* uninitialized memory allocation in drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c leading to information leak (CVE-2019-19947)
* NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery (CVE-2019-19965)
* memory leak in __feat_register_sp() in net/dccp/feat.c (CVE-2019-20096)
* linux (CVE-2020-0030)
Comment 1 Quality Assurance univentionstaff 2020-02-27 23:00:16 CET
--- mirror/ftp/4.4/unmaintained/4.4-2/source/univention-kernel-image_12.0.0-3A~4.4.0.201909101016.dsc
+++ apt/ucs_4.4-0-errata4.4-3/source/univention-kernel-image_12.0.0-4A~4.4.0.202002271621.dsc
@@ -1,6 +1,10 @@
-12.0.0-3A~4.4.0.201909101016 [Tue, 10 Sep 2019 10:16:05 +0200] Univention builddaemon <buildd@univention.de>:
+12.0.0-4A~4.4.0.202002271621 [Thu, 27 Feb 2020 16:21:28 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+12.0.0-4 [Thu, 27 Feb 2020 16:20:13 +0100] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #50870: Update to linux-4.9.0-12
 
 12.0.0-3 [Tue, 10 Sep 2019 10:15:23 +0200] Philipp Hahn <hahn@univention.de>:
 
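Review bot: the added entry "* Bug #50870: Update to linux-4.9.0-12" names only the kernel ABI package, while the bug description identifies the update as Debian linux 4.9.210-1. Since this package is being rebuilt to ship security fixes, the changelog line should state the source version as well (the univention-kernel-image-signed entry for the same bug does), so that the changelog of an installed package can be matched to the advisory without consulting the bug tracker.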

<http://10.200.17.11/4.4-3/#283297696686799683>
Comment 2 Quality Assurance univentionstaff 2020-02-27 23:00:20 CET
--- mirror/ftp/4.4/unmaintained/4.4-3/source/univention-kernel-image-signed_5.0.0-9A~4.4.0.201911131005.dsc
+++ apt/ucs_4.4-0-errata4.4-3/source/univention-kernel-image-signed_5.0.0-10A~4.4.0.202002271558.dsc
@@ -1,6 +1,10 @@
-5.0.0-9A~4.4.0.201911131005 [Wed, 13 Nov 2019 10:05:01 +0100] Univention builddaemon <buildd@univention.de>:
+5.0.0-10A~4.4.0.202002271558 [Thu, 27 Feb 2020 15:58:40 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+5.0.0-10 [Thu, 27 Feb 2020 15:51:49 +0100] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #50870: Update to linux-4.9.210-1
 
 5.0.0-9 [Wed, 13 Nov 2019 10:00:43 +0100] Philipp Hahn <hahn@univention.de>:
 
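Review bot: the added entry "* Bug #50870: Update to linux-4.9.210-1" gives no indication that this is a security update, and the builddaemon entry above it only says that no patches were applied. An administrator reading the package changelog would not learn that the rebuild addresses the CVEs listed in the bug description. Consider wording it as a security update and pointing to the erratum for the CVE list, and use the same wording in the univention-kernel-image changelog so that both packages describe the update consistently.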

<http://10.200.17.11/4.4-3/#283297696686799683>
Comment 3 Philipp Hahn univentionstaff 2020-03-09 14:13:20 CET
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
OK: apt install -t apt univention-kernel-image
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
OK:  cat /sys/kernel/security/securelevel ; echo
OK: amd64 @ xen1
OK: i386 @ kvm
OK: uname -rv
OK: dmesg


[4.4-3] 3aa243c359 Bug #50870: linux 4.9.210-1
 doc/errata/staging/linux.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

[4.4-3] 97a30ec0ba Bug #50870: univention-kernel-image-signed 5.0.0-10A~4.4.0.202002271558
 doc/errata/staging/linux.yaml | 104 ++++++++++++++++++++++--------------------
 1 file changed, 54 insertions(+), 50 deletions(-)

[4.4-3] b51d2ab19c Bug #50870: linux 4.9.210-1
 doc/errata/staging/linux.yaml | 212 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 212 insertions(+)