[SECURITY] [DLA 2483-1] linux-4.19 security update

---

Debian LTS Advisory DLA-2483-1 [email protected]
https://www.debian.org/lts/security/ Ben Hutchings
December 05, 2020 https://wiki.debian.org/LTS

Package : linux-4.19
Version : 4.19.160-2~deb9u1
CVE ID : CVE-2019-19039 CVE-2019-19377 CVE-2019-19770 CVE-2019-19816
CVE-2020-0423 CVE-2020-8694 CVE-2020-14351 CVE-2020-25656
CVE-2020-25668 CVE-2020-25669 CVE-2020-25704 CVE-2020-25705
CVE-2020-27673 CVE-2020-27675 CVE-2020-28941 CVE-2020-28974
Debian Bug : 949863 968623 971058

Several vulnerabilities have been discovered in the Linux kernel that
may lead to the execution of arbitrary code, privilege escalation,
denial of service or information leaks.

CVE-2019-19039

"Team bobfuzzer" reported a bug in Btrfs that could lead to an
assertion failure (WARN).  A user permitted to mount and access
arbitrary filesystems could use this to cause a denial of service
(crash) if the panic_on_warn kernel parameter is set.

CVE-2019-19377

"Team bobfuzzer" reported a bug in Btrfs that could lead to a
use-after-free.  A user permitted to mount and access arbitrary
filesystems could use this to cause a denial of service (crash or
memory corruption) or possibly for privilege escalation.

CVE-2019-19770

The syzbot tool discovered a race condition in the block I/O
tracer (blktrace) that could lead to a system crash.  Since
blktrace can only be controlled by privileged users, the security
impact of this is unclear.

CVE-2019-19816

"Team bobfuzzer" reported a bug in Btrfs that could lead to an
out-of-bounds write.  A user permitted to mount and access
arbitrary filesystems could use this to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.

CVE-2020-0423

A race condition was discovered in the Android binder driver, that
could result in a use-after-free.  On systems using this driver, a
local user could use this to cause a denial of service (crash or
memory corruption) or possibly for privilege escalation.

CVE-2020-8694

Multiple researchers discovered that the powercap subsystem
allowed all users to read CPU energy meters, by default.  On
systems using Intel CPUs, this provided a side channel that could
leak sensitive information between user processes, or from the
kernel to user processes.  The energy meters are now readable only
by root, by default.

This issue can be mitigated by running:

    chmod go-r /sys/devices/virtual/powercap/*/*/energy_uj

This needs to be repeated each time the system is booted with
an unfixed kernel version.

CVE-2020-14351

A race condition was discovered in the performance events
subsystem, which could lead to a use-after-free.  A local user
permitted to access performance events could use this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.

Debian's kernel configuration does not allow unprivileged users to
access peformance events by default, which fully mitigates this
issue.

CVE-2020-25656

Yuan Ming and Bodong Zhao discovered a race condition in the
virtual terminal (vt) driver that could lead to a use-after-free.
A local user with the CAP_SYS_TTY_CONFIG capability could use this
to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2020-25668

Yuan Ming and Bodong Zhao discovered a race condition in the
virtual terminal (vt) driver that could lead to a use-after-free.
A local user with access to a virtual terminal, or with the
CAP_SYS_TTY_CONFIG capability, could use this to cause a denial of
service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2020-25669

Bodong Zhao discovered a bug in the Sun keyboard driver (sunkbd)
that could lead to a use-after-free.  On a system using this
driver, a local user could use this to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25704

kiyin(尹亮) discovered a potential memory leak in the performance
events subsystem.  A local user permitted to access performance
events could use this to cause a denial of service (memory
exhaustion).

Debian's kernel configuration does not allow unprivileged users to
access peformance events by default, which fully mitigates this
issue.

CVE-2020-25705

Keyu Man reported that strict rate-limiting of ICMP packet
transmission provided a side-channel that could help networked
attackers to carry out packet spoofing.  In particular, this made
it practical for off-path networked attackers to "poison" DNS
caches with spoofed responses ("SAD DNS" attack).

This issue has been mitigated by randomising whether packets are
counted against the rate limit.

CVE-2020-27673 / XSA-332

Julien Grall from Arm discovered a bug in the Xen event handling
code.  Where Linux was used in a Xen dom0, unprivileged (domU)
guests could cause a denial of service (excessive CPU usage or
hang) in dom0.

CVE-2020-27675 / XSA-331

Jinoh Kang of Theori discovered a race condition in the Xen event
handling code.  Where Linux was used in a Xen dom0, unprivileged
(domU) guests could cause a denial of service (crash) in dom0.

CVE-2020-28941

Shisong Qin and Bodong Zhao discovered a bug in the Speakup screen
reader subsystem.  Speakup assumed that it would only be bound to
one terminal (tty) device at a time, but did not enforce this.  A
local user could exploit this bug to cause a denial of service
(crash or memory exhaustion).

CVE-2020-28974

Yuan Ming discovered a bug in the virtual terminal (vt) driver
that could lead to an out-of-bounds read.  A local user with
access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG
capability, could possibly use this to obtain sensitive
information from the kernel or to cause a denial of service
(crash).

The specific ioctl operation affected by this bug
(KD_FONT_OP_COPY) has been disabled, as it is not believed that
any programs depended on it.

For Debian 9 stretch, these problems have been fixed in version
4.19.160-2~deb9u1.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

–
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Attachment:
signature.asc
Description: This is a digitally signed message part