https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19039

USN-4414-1

[debian-lts-announce] 20201210 [SECURITY] [DLA 2483-1] linux-4.19 security update

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.

CVE-2019-19039

'Team bobfuzzer' reported a bug in Btrfs that could lead to an assertion failure (WARN). A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash) if the panic_on_warn kernel parameter is set.

CVE-2019-19377

'Team bobfuzzer' reported a bug in Btrfs that could lead to a use-after-free. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2019-19770

The syzbot tool discovered a race condition in the block I/O tracer (blktrace) that could lead to a system crash. Since blktrace can only be controlled by privileged users, the security impact of this is unclear.

CVE-2019-19816

'Team bobfuzzer' reported a bug in Btrfs that could lead to an out-of-bounds write. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-0423

A race condition was discovered in the Android binder driver, that could result in a use-after-free. On systems using this driver, a local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-8694

Multiple researchers discovered that the powercap subsystem allowed all users to read CPU energy meters, by default. On systems using Intel CPUs, this provided a side channel that could leak sensitive information between user processes, or from the kernel to user processes. The energy meters are now readable only by root, by default.

This issue can be mitigated by running :

chmod go-r /sys/devices/virtual/powercap/*/*/energy_uj

This needs to be repeated each time the system is booted with an unfixed kernel version.

CVE-2020-14351

A race condition was discovered in the performance events subsystem, which could lead to a use-after-free. A local user permitted to access performance events could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2020-25656

Yuan Ming and Bodong Zhao discovered a race condition in the virtual terminal (vt) driver that could lead to a use-after-free. A local user with the CAP_SYS_TTY_CONFIG capability could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25668

Yuan Ming and Bodong Zhao discovered a race condition in the virtual terminal (vt) driver that could lead to a use-after-free. A local user with access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG capability, could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25669

Bodong Zhao discovered a bug in the Sun keyboard driver (sunkbd) that could lead to a use-after-free. On a system using this driver, a local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25704

kiyin(&#x5C39;&#x4EAE;) discovered a potential memory leak in the performance events subsystem. A local user permitted to access performance events could use this to cause a denial of service (memory exhaustion).

Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue.

CVE-2020-25705

Keyu Man reported that strict rate-limiting of ICMP packet transmission provided a side-channel that could help networked attackers to carry out packet spoofing. In particular, this made it practical for off-path networked attackers to 'poison' DNS caches with spoofed responses ('SAD DNS' attack).

This issue has been mitigated by randomising whether packets are counted against the rate limit.

CVE-2020-27673 / XSA-332

Julien Grall from Arm discovered a bug in the Xen event handling code.
Where Linux was used in a Xen dom0, unprivileged (domU) guests could cause a denial of service (excessive CPU usage or hang) in dom0.

CVE-2020-27675 / XSA-331

Jinoh Kang of Theori discovered a race condition in the Xen event handling code. Where Linux was used in a Xen dom0, unprivileged (domU) guests could cause a denial of service (crash) in dom0.

CVE-2020-28941

Shisong Qin and Bodong Zhao discovered a bug in the Speakup screen reader subsystem. Speakup assumed that it would only be bound to one terminal (tty) device at a time, but did not enforce this. A local user could exploit this bug to cause a denial of service (crash or memory exhaustion).

CVE-2020-28974

Yuan Ming discovered a bug in the virtual terminal (vt) driver that could lead to an out-of-bounds read. A local user with access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG capability, could possibly use this to obtain sensitive information from the kernel or to cause a denial of service (crash).

The specific ioctl operation affected by this bug (KD_FONT_OP_COPY) has been disabled, as it is not believed that any programs depended on it.

For Debian 9 stretch, these problems have been fixed in version 4.19.160-2~deb9u1.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In calc_vm_may_flags of ashmem.c, there is a possible     arbitrary write to shared memory due to a permissions     bypass. This could lead to local escalation of     privilege by corrupting memory shared between     processes, with no additional execution privileges     needed. User interaction is not needed for     exploitation. Product: Android Versions: Android kernel     Android ID: A-142938932(CVE-2020-0009)

  - A flaw was found in the Linux kernel's implementation     of Userspace core dumps. This flaw allows an attacker     with a local account to crash a trivial program and     exfiltrate private kernel data.(CVE-2020-10732)

  - An issue was discovered in the Linux kernel before     5.0.6. In rx_queue_add_kobject() and     netdev_queue_add_kobject() in net/core/net-sysfs.c, a     reference count is mishandled, aka     CID-a3e23f719f5c.(CVE-2019-20811)

  - go7007_snd_init in     drivers/media/usb/go7007/snd-go7007.c in the Linux     kernel before 5.6 does not call snd_card_free for a     failure path, which causes a memory leak, aka     CID-9453264ef586.(CVE-2019-20810)

  - A flaw was found in the Linux kernels SELinux LSM hook     implementation before version 5.7, where it incorrectly     assumed that an skb would only contain a single netlink     message. The hook would incorrectly only validate the     first netlink message in the skb and allow or deny the     rest of the messages within the skb with the granted     permission without further processing.(CVE-2020-10751)

  - A signal access-control issue was discovered in the     Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
    Because exec_id in include/linux/sched.h is only 32     bits, an integer overflow can interfere with a     do_notify_parent protection mechanism. A child process     can send an arbitrary signal to a parent process in a     different security domain. Exploitation limitations     include the amount of elapsed time before an integer     overflow occurs, and the lack of scenarios where     signals to a parent process present a substantial     operational threat.(CVE-2020-12826)

  - A NULL pointer dereference flaw was found in the Linux     kernel's SELinux subsystem in versions before 5.7. This     flaw occurs while importing the Commercial IP Security     Option (CIPSO) protocol's category bitmap into the     SELinux extensible bitmap via the'     ebitmap_netlbl_import' routine. While processing the     CIPSO restricted bitmap tag in the     'cipso_v4_parsetag_rbm' routine, it sets the security     attribute to indicate that the category bitmap is     present, even if it has not been allocated. This issue     leads to a NULL pointer dereference issue while     importing the same category bitmap into SELinux. This     flaw allows a remote network user to crash the system     kernel, resulting in a denial of     service.(CVE-2020-10711)

  - gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)

  - An issue was discovered in the Linux kernel through     5.6.11. sg_write lacks an sg_remove_request call in a     certain failure case, aka     CID-83c6f2390040.(CVE-2020-12770)

  - __btrfs_free_extent in fs/btrfs/extent-tree.c in the     Linux kernel through 5.3.12 calls btrfs_print_leaf in a     certain ENOENT case, which allows local users to obtain     potentially sensitive information about register values     via the dmesg program. NOTE: The BTRFS development team     disputes this issues as not being a vulnerability     because '1) The kernel provide facilities to restrict     access to dmesg - dmesg_restrict=1 sysctl option. So     it's really up to the system administrator to judge     whether dmesg access shall be disallowed or not. 2)     WARN/WARN_ON are widely used macros in the linux     kernel. If this CVE is considered valid this would mean     there are literally thousands CVE lurking in the kernel
    - something which clearly is not the     case.'(CVE-2019-19039)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly validate file system metadata in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2019-19036, CVE-2019-19318, CVE-2019-19813, CVE-2019-19816) It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) It was discovered that the kernel->user space relay implementation in the Linux kernel did not properly check return values in some situations.
A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-19462) Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2020-10711) It was discovered that the SCSI generic (sg) driver in the Linux kernel did not properly handle certain error conditions correctly. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2020-12770) It was discovered that the USB Gadget device driver in the Linux kernel did not validate arguments passed from configfs in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-13143) It was discovered that the efi subsystem in the Linux kernel did not handle memory allocation failures during early boot in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12380) It was discovered that the btrfs file system in the Linux kernel in some error conditions could report register information to the dmesg buffer. A local attacker could possibly use this to expose sensitive information. (CVE-2019-19039).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel 5.0.21, mounting a crafted f2fs     filesystem image can cause a NULL pointer dereference     in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This     is related to F2FS_P_SB in     fs/f2fs/f2fs.h.(CVE-2019-19815)

  - ** DISPUTED ** __btrfs_free_extent in     fs/btrfs/extent-tree.c in the Linux kernel through     5.3.12 calls btrfs_print_leaf in a certain ENOENT case,     which allows local users to obtain potentially     sensitive information about register values via the     dmesg program. NOTE: The BTRFS development team     disputes this issues as not being a vulnerability     because '1) The kernel provide facilities to restrict     access to dmesg - dmesg_restrict=1 sysctl option. So     it's really up to the system administrator to judge     whether dmesg access shall be disallowed or not. 2)     WARN/WARN_ON are widely used macros in the linux     kernel. If this CVE is considered valid this would mean     there are literally thousands CVE lurking in the kernel
    - something which clearly is not the     case.'(CVE-2019-19039)

  - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel     through 5.3.12 allows a NULL pointer dereference     because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be     zero.(CVE-2019-19037)

  - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel     through 5.3.12 allows a NULL pointer dereference     because rcu_dereference(root->node) can be     zero.(CVE-2019-19036)

  - ** DISPUTED ** In the Linux kernel 4.19.83, there is a     use-after-free (read) in the debugfs_remove function in     fs/debugfs/inode.c (which is used to remove a file or     directory in debugfs that was previously created with a     call to another debugfs function such as     debugfs_create_file). NOTE: Linux kernel developers     dispute this issue as not being an issue with debugfs,     instead this is an issue with misuse of debugfs within     blktrace.(CVE-2019-19770)

  - An issue was discovered in slc_bump in     drivers/net/can/slcan.c in the Linux kernel through     5.6.2. It allows attackers to read uninitialized     can_frame data, potentially containing sensitive     information from kernel stack memory, if the     configuration lacks CONFIG_INIT_STACK_ALL, aka     CID-b9258a2cece4.(CVE-2020-11494)

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c     has a stack-based out-of-bounds write because an empty     nodelist is mishandled during mount option parsing, aka     CID-aa9f7d5172fa. NOTE: Someone in the security     community disagrees that this is a vulnerability     because the issue 'is a bug in parsing mount options     which can only be specified by a privileged user, so     triggering the bug does not grant any powers not     already held.'.(CVE-2020-11565)

  - A flaw was found in the Linux kernel's implementation     of some networking protocols in IPsec, such as VXLAN     and GENEVE tunnels over IPv6. When an encrypted tunnel     is created between two hosts, the kernel isn't     correctly routing tunneled data over the encrypted link     rather sending the data unencrypted. This would allow     anyone in between the two endpoints to read the traffic     unencrypted. The main threat from this vulnerability is     to data confidentiality.(CVE-2020-1749)

  - An issue was discovered in the stv06xx subsystem in the     Linux kernel before 5.6.1.
    drivers/media/usb/gspca/stv06xx/stv06xx.c and     drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c     mishandle invalid descriptors, as demonstrated by a     NULL pointer dereference, aka     CID-485b06aadb93.(CVE-2020-11609)

  - An issue was discovered in the Linux kernel before     5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and     ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d.(CVE-2020-11608)

  - In the Linux kernel before 5.4.12,     drivers/input/input.c has out-of-bounds writes via a     crafted keycode table, as demonstrated by     input_set_keycode, aka     CID-cb222aed03d7.(CVE-2019-20636)

  - In the Linux kernel before 5.6.1,     drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink     camera USB driver) mishandles invalid descriptors, aka     CID-a246b4d54770.(CVE-2020-11668)

  - In f2fs_xattr_generic_list of xattr.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges needed. User     interaction is not required for exploitation.Product:
    Android. Versions: Android kernel. Android ID:
    A-120551147.(CVE-2020-0067)

  - An issue was discovered in the Linux kernel before 5.2     on the powerpc platform.
    arch/powerpc/kernel/idle_book3s.S does not have     save/restore functionality for PNV_POWERSAVE_AMR,     PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka     CID-53a712bae5dd.(CVE-2020-11669)

  - In the Linux kernel before 5.5.8, get_raw_socket in     drivers/vhost/net.c lacks validation of an sk_family     field, which might allow attackers to trigger kernel     stack corruption via crafted system     calls.(CVE-2020-10942)

  - In the Linux kernel 5.0.21, mounting a crafted btrfs     filesystem image, performing some operations, and     unmounting can lead to a use-after-free in     btrfs_queue_work in     fs/btrfs/async-thread.c.(CVE-2019-19377)

  - relay_open in kernel/relay.c in the Linux kernel     through 5.4.1 allows local users to cause a denial of     service (such as relay blockage) by triggering a NULL     alloc_percpu result.(CVE-2019-19462)

  - An issue was discovered in xfs_agf_verify in     fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through     5.6.10. Attackers may trigger a sync of excessive     duration via an XFS v5 image with crafted metadata, aka     CID-d0c7feaf8767.(CVE-2020-12655)

  - The __mptctl_ioctl function in     drivers/message/fusion/mptctl.c in the Linux kernel     before 5.4.14 allows local users to hold an incorrect     lock during the ioctl operation and trigger a race     condition, i.e., a 'double fetch' vulnerability, aka     CID-28d76df18f0a. NOTE: the vendor states 'The security     impact of this bug is not as bad as it could have been     because these operations are all privileged and root     already has enormous destructive     power.'(CVE-2020-12652)

  - A pivot_root race condition in fs/namespace.c in the     Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before     4.19.119, and 5.x before 5.3 allows local users to     cause a denial of service (panic) by corrupting a     mountpoint reference counter.(CVE-2020-12114)

  - usb_sg_cancel in drivers/usb/core/message.c in the     Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka     CID-056ad39ee925.(CVE-2020-12464)

  - An issue was found in Linux kernel before 5.5.4.
    mwifiex_ret_wmm_get_status() in     drivers/net/wireless/marvell/mwifiex/wmm.c allows a     remote AP to trigger a heap-based buffer overflow     because of an incorrect memcpy, aka     CID-3a9b153c5591.(CVE-2020-12654)

  - An issue was found in Linux kernel before 5.5.4. The     mwifiex_cmd_append_vsie_tlv() function in     drivers/net/wireless/marvell/mwifiex/scan.c allows     local users to gain privileges or cause a denial of     service because of an incorrect memcpy and buffer     overflow, aka CID-b70261a288ea.(CVE-2020-12653)

  - An array overflow was discovered in mt76_add_fragment     in drivers/net/wireless/mediatek/mt76/dma.c in the     Linux kernel before 5.5.10, aka CID-b102f0c522cf. An     oversized packet with too many rx fragments can corrupt     memory of adjacent pages.(CVE-2020-12465)

  - An issue was discovered in the Linux kernel before     5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an     out-of-bounds write (by a user with the CAP_NET_ADMIN     capability) because of a lack of headroom     validation.(CVE-2020-12659)

  - An issue was discovered in the Linux kernel through     5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation     fails.(CVE-2020-12771)

  - An issue was discovered in the Linux kernel through     5.6.11. sg_write lacks an sg_remove_request call in a     certain failure case, aka     CID-83c6f2390040.(CVE-2020-12770)

  - A signal access-control issue was discovered in the     Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
    Because exec_id in include/linux/sched.h is only 32     bits, an integer overflow can interfere with a     do_notify_parent protection mechanism. A child process     can send an arbitrary signal to a parent process in a     different security domain. Exploitation limitations     include the amount of elapsed time before an integer     overflow occurs, and the lack of scenarios where     signals to a parent process present a substantial     operational threat.(CVE-2020-12826)

  - A NULL pointer dereference flaw was found in the Linux     kernel's SELinux subsystem in versions before 5.7. This     flaw occurs while importing the Commercial IP Security     Option (CIPSO) protocol's category bitmap into the     SELinux extensible bitmap via the'     ebitmap_netlbl_import' routine. While processing the     CIPSO restricted bitmap tag in the     'cipso_v4_parsetag_rbm' routine, it sets the security     attribute to indicate that the category bitmap is     present, even if it has not been allocated. This issue     leads to a NULL pointer dereference issue while     importing the same category bitmap into SELinux. This     flaw allows a remote network user to crash the system     kernel, resulting in a denial of     service.(CVE-2020-10711)

  - gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)

  - An issue was discovered in the Linux kernel before 5.2.
    There is a NULL pointer dereference in     tw5864_handle_frame() in     drivers/media/pci/tw5864/tw5864-video.c, which may     cause denial of service, aka     CID-2e7682ebfc75.(CVE-2019-20806)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):In the Linux kernel     before 5.2.9, there is an info-leak bug that can be     caused by a malicious USB device in the     driverset/can/usb/peak_usb/pcan_usb_pro.c driver, aka     CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel     before 5.2.9, there is an info-leak bug that can be     caused by a malicious USB device in the     driverset/can/usb/peak_usb/pcan_usb_fd.c driver, aka     CID-30a8beeb3042.(CVE-2019-19535)vcs_write in     drivers/tty/vt/vc_screen.c in the Linux kernel through     5.3.13 does not prevent write access to vcsu devices,     aka CID-0c9acb1af77a.(CVE-2019-19252)In the AppleTalk     subsystem in the Linux kernel before 5.1, there is a     potential NULL pointer dereference because     register_snap_client may return NULL. This will lead to     denial of service in net/appletalk/aarp.c and     net/appletalk/ddp.c, as demonstrated by     unregister_snap_client, aka     CID-9804501fa122.(CVE-2019-19227)A memory leak in the     adis_update_scan_mode() function in     drivers/iio/imu/adis_buffer.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-ab612b1daf41.(CVE-2019-19060)In the Linux kernel     before 5.3.11, there is an info-leak bug that can be     caused by a malicious USB device in the     driverset/can/usb/peak_usb/pcan_usb_core.c driver, aka     CID-f7a1337f0d29.(CVE-2019-19534)In the Linux kernel     before 5.3.11, there is a use-after-free bug that can     be caused by a malicious USB device in the     driverset/can/usb/mcba_usb.c driver, aka     CID-4d6636498c41.(CVE-2019-19529)In the Linux kernel     before 5.3.9, there is a use-after-free bug that can be     caused by a malicious USB device in the     driversfc/pn533/usb.c driver, aka     CID-6af3aa57a098.(CVE-2019-19526)In the Linux kernel     before 5.3.6, there is a use-after-free bug that can be     caused by a malicious USB device in the     driverset/ieee802154/atusb.c driver, aka     CID-7fd25e6fc035.(CVE-2019-19525)In the Linux kernel     before 5.3.9, there are multiple out-of-bounds write     bugs that can be caused by a malicious USB device in     the Linux kernel HID drivers, aka CID-d9d4b1e46d95.
    This affects drivers/hid/hid-axff.c,     drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,     drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,     drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,     drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,     drivers/hid/hid-logitech-hidpp.c,     drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,     drivers/hid/hid-tmff.c, and     drivers/hid/hid-zpff.c.(CVE-2019-19532)In the Linux     kernel before 5.2.10, there is a use-after-free bug     that can be caused by a malicious USB device in the     drivers/hid/usbhid/hiddev.c driver, aka     CID-9c09b214f30e.(CVE-2019-19527)** DISPUTED ** The     Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is     enabled and ia32_aout is loaded, allows local users to     bypass ASLR on setuid a.out programs (if any exist)     because install_exec_creds() is called too late in     load_aout_binary() in fs/binfmt_aout.c, and thus the     ptrace_may_access() check has a race condition when     reading /proc/pid/stat. NOTE: the software maintainer     disputes that this is a vulnerability because ASLR for     a.out format executables has never been     supported.(CVE-2019-11191)In the Linux kernel before     5.3.12, there is a use-after-free bug that can be     caused by a malicious USB device in the     drivers/input/ff-memless.c driver, aka     CID-fa3a5a1880c9.(CVE-2019-19524)driverset/wireless/mar     vell/libertas/if_sdio.c in the Linux kernel 5.2.14 does     not check the alloc_workqueue return value, leading to     a NULL pointer     dereference.(CVE-2019-16232)driverset/fjes/fjes_main.c     in the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer     dereference.(CVE-2019-16231)** DISPUTED **     drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux     kernel 5.2.14 does not check the alloc_workqueue return     value, leading to a NULL pointer dereference. NOTE: The     security community disputes this issues as not being     serious enough to be deserving a CVE     id.(CVE-2019-16229)Linux kernel CIFS implementation,     version 4.9.0 is vulnerable to a relative paths     injection in directory entry lists.(CVE-2019-10220)A     heap overflow flaw was found in the Linux kernel, all     versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi     chip driver. The vulnerability allows a remote attacker     to cause a system crash, resulting in a denial of     service, or execute arbitrary code. The highest threat     with this vulnerability is with the availability of the     system. If code execution occurs, the code will run     with the permissions of root. This will affect both     confidentiality and integrity of files on the     system.(CVE-2019-14901)The Linux kernel before 5.4.2     mishandles ext4_expand_extra_isize, as demonstrated by     use-after-free errors in __ext4_expand_extra_isize and     ext4_xattr_set_entry, related to fs/ext4/inode.c and     fs/ext4/super.c, aka CID-4ea99936a163.(CVE-2019-19767)A     heap-based buffer overflow was discovered in the Linux     kernel, all versions 3.x.x and 4.x.x before 4.18.0, in     Marvell WiFi chip driver. The flaw could occur when the     station attempts a connection negotiation during the     handling of the remote devices country settings. This     could allow the remote device to cause a denial of     service (system crash) or possibly execute arbitrary     code.(CVE-2019-14895)Linux Kernel could allow a local     authenticated attacker to obtain sensitive information,     caused by a Transaction Asynchronous Abort (TAA) h/w     issue in KVM. By sending a specially-crafted request,     an attacker could exploit this vulnerability to obtain     sensitive information, and use this information to     launch further attacks against the affected     system.(CVE-2019-19338)TSX Asynchronous Abort condition     on some CPUs utilizing speculative execution may allow     an authenticated user to potentially enable information     disclosure via a side channel with local     access.(CVE-2019-11135)An out-of-bounds memory write     issue was found in the Linux Kernel, version 3.13     through 5.4, in the way the Linux kernel's KVM     hypervisor handled the 'KVM_GET_EMULATED_CPUID'     ioctl(2) request to get CPUID features emulated by the     KVM hypervisor. A user or process able to access the     '/dev/kvm' device could use this flaw to crash the     system, resulting in a denial of     service.(CVE-2019-19332)kernel/sched/fair.c in the     Linux kernel before 5.3.9, when cpu.cfs_quota_us is     used (e.g., with Kubernetes), allows attackers to cause     a denial of service against non-cpu-bound applications     by generating a workload that triggers unwanted slice     expiration, aka CID-de53fd7aedb1. (In other words,     although this slice expiration would typically be seen     with benign workloads, it is possible that an attacker     could calculate how many stray requests are required to     force an entire Kubernetes cluster into a     low-performance state caused by slice expiration, and     ensure that a DDoS attack sent that number of stray     requests. An attack does not affect the stability of     the kernel it only causes mismanagement of application     execution.)(CVE-2019-19922)A stack-based buffer     overflow was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. An attacker     is able to cause a denial of service (system crash) or,     possibly execute arbitrary code, when a STA works in     IBSS mode (allows connecting stations together without     the use of an AP) and connects to another     STA.(CVE-2019-14897)A heap-based buffer overflow     vulnerability was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. A remote     attacker could cause a denial of service (system crash)     or, possibly execute arbitrary code, when the     lbs_ibss_join_existing function is called after a STA     connects to an AP.(CVE-2019-14896)In the Linux kernel     through 5.4.6, there are information leaks of     uninitialized memory to a USB device in the     driverset/can/usb/kvaser_usb/kvaser_usb_leaf.c driver,     aka CID-da2311a6385c.(CVE-2019-19947)In the Linux     kernel before 5.1, there is a memory leak in
    __feat_register_sp() in net/dccp/feat.c, which may     cause denial of service, aka     CID-1d3ff0950e2b.(CVE-2019-20096)mwifiex_tm_cmd in     driverset/wireless/marvell/mwifiex/cfg80211.c in the     Linux kernel before 5.1.6 has some error-handling cases     that did not free allocated hostcmd memory, aka     CID-003b686ace82. This will cause a memory leak and     denial of service.(CVE-2019-20095)An exploitable     denial-of-service vulnerability exists in the Linux     kernel prior to mainline 5.3. An attacker could exploit     this vulnerability by triggering AP to send IAPP     location updates for stations before the required     authentication process has completed. This could lead     to different denial-of-service scenarios, either by     causing CAM table attacks, or by leading to traffic     flapping if faking already existing clients in other     nearby APs of the same wireless infrastructure. An     attacker can forge Authentication and Association     Request packets to trigger this     vulnerability.(CVE-2019-5108)In a Linux KVM guest that     has PV TLB enabled, a process in the guest kernel may     be able to read memory locations from another process     in the same guest. This problem is limit to the host     running linux kernel 4.10 with a guest running linux     kernel 4.16 or later. The problem mainly affects AMD     processors but Intel CPUs cannot be ruled     out.(CVE-2019-3016)fsamei.c in the Linux kernel before     5.5 has a may_create_in_sticky use-after-free, which     allows local users to cause a denial of service (OOPS)     or possibly obtain sensitive information from kernel     memory, aka CID-d0cb50185ae9. One attack vector may be     an open system call for a UNIX domain socket, if the     socket is being moved to a new parent directory and its     old parent directory is being     removed.(CVE-2020-8428)There is a use-after-free     vulnerability in the Linux kernel through 5.5.2 in the     n_tty_receive_buf_common function in     drivers/tty_tty.c.(CVE-2020-8648)An issue was     discovered in the Linux kernel through 5.5.6. set_fdc     in drivers/block/floppy.c leads to a wait_til_ready     out-of-bounds read because the FDC index is not checked     for errors before assigning it, aka     CID-2e90ca68b0d2.(CVE-2020-9383)There is a     use-after-free vulnerability in the Linux kernel     through 5.5.2 in the vgacon_invert_region function in     drivers/video/console/vgacon.c.(CVE-2020-8649)There is     a use-after-free vulnerability in the Linux kernel     through 5.5.2 in the vc_do_resize function in     drivers/tty/vt/vt.c.(CVE-2020-8647)In the Linux kernel     5.0.21, mounting a crafted ext4 filesystem image,     performing some operations, and unmounting can lead to     a use-after-free in ext4_put_super in fs/ext4/super.c,     related to dump_orphan_list in     fs/ext4/super.c.(CVE-2019-19447)A flaw was discovered     in the way that the KVM hypervisor handled instruction     emulation for an L2 guest when nested virtualisation is     enabled. Under some circumstances, an L2 guest may     trick the L0 guest into accessing sensitive L1     resources that should be inaccessible to the L2     guest.(CVE-2020-2732)In the Linux kernel before 5.3.11,     sound/core/timer.c has a use-after-free caused by     erroneous code refactoring, aka CID-e7af6307a8a5. This     is related to snd_timer_open and     snd_timer_close_locked. The timeri variable was     originally intended to be for a newly created timer     instance, but was used for a different purpose after     refactoring.(CVE-2019-19807)In the Linux kernel     5.4.0-rc2, there is a use-after-free (read) in the
    __blk_add_trace function in kernel/trace/blktrace.c     (which is used to fill out a blk_io_trace structure and     place it in a per-cpu sub-buffer).(CVE-2019-19768)In     the Linux kernel 5.0.21, mounting a crafted f2fs     filesystem image can cause a NULL pointer dereference     in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This     is related to F2FS_P_SB in     fs/f2fs/f2fs.h.(CVE-2019-19815)** DISPUTED **
    __btrfs_free_extent in fs/btrfs/extent-tree.c in the     Linux kernel through 5.3.12 calls btrfs_print_leaf in a     certain ENOENT case, which allows local users to obtain     potentially sensitive information about register values     via the dmesg program. NOTE: The BTRFS development team     disputes this issues as not being a vulnerability     because '1) The kernel provide facilities to restrict     access to dmesg - dmesg_restrict=1 sysctl option. So     it's really up to the system administrator to judge     whether dmesg access shall be disallowed or not. 2)     WARN/WARN_ON are widely used macros in the linux     kernel. If this CVE is considered valid this would mean     there are literally thousands CVE lurking in the kernel
    - something which clearly is not the     case.'(CVE-2019-19039)ext4_empty_dir in fs/ext4amei.c     in the Linux kernel through 5.3.12 allows a NULL     pointer dereference because     ext4_read_dirblock(inode,0,DIRENT_HTREE) can be     zero.(CVE-2019-19037)btrfs_root_node in     fs/btrfs/ctree.c in the Linux kernel through 5.3.12     allows a NULL pointer dereference because     rcu_dereference(root->node) can be     zero.(CVE-2019-19036)In the Linux kernel 4.19.83, there     is a use-after-free (read) in the debugfs_remove     function in fs/debugfs/inode.c (which is used to remove     a file or directory in debugfs that was previously     created with a call to another debugfs function such as     debugfs_create_file).(CVE-2019-19770)An issue was     discovered in slc_bump in driverset/can/slcan.c in the     Linux kernel through 5.6.2. It allows attackers to read     uninitialized can_frame data, potentially containing     sensitive information from kernel stack memory, if the     configuration lacks CONFIG_INIT_STACK_ALL, aka     CID-b9258a2cece4.(CVE-2020-11494)An issue was     discovered in the Linux kernel through 5.6.2.
    mpol_parse_str in mm/mempolicy.c has a stack-based     out-of-bounds write because an empty nodelist is     mishandled during mount option parsing, aka     CID-aa9f7d5172fa.(CVE-2020-11565)A flaw was found in     the Linux kernel's implementation of some networking     protocols in IPsec, such as VXLAN and GENEVE tunnels     over IPv6. When an encrypted tunnel is created between     two hosts, the kernel isn't correctly routing tunneled     data over the encrypted link rather sending the data     unencrypted. This would allow anyone in between the two     endpoints to read the traffic unencrypted. The main     threat from this vulnerability is to data     confidentiality.(CVE-2020-1749)An issue was discovered     in the stv06xx subsystem in the Linux kernel before     5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and     drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c     mishandle invalid descriptors, as demonstrated by a     NULL pointer dereference, aka     CID-485b06aadb93.(CVE-2020-11609)An issue was     discovered in the Linux kernel before 5.6.1.
    drivers/media/usb/gspca/ov519.c allows NULL pointer     dereferences in ov511_mode_init_regs and     ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d.(CVE-2020-11608)In the Linux kernel     before 5.4.12, drivers/input/input.c has out-of-bounds     writes via a crafted keycode table, as demonstrated by     input_set_keycode, aka     CID-cb222aed03d7.(CVE-2019-20636)In the Linux kernel     before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c     (aka the Xirlink camera USB driver) mishandles invalid     descriptors, aka CID-a246b4d54770.(CVE-2020-11668)An     issue was discovered in the Linux kernel through 5.6.2.
    mpol_parse_str in mm/mempolicy.c has a stack-based     out-of-bounds write because an empty nodelist is     mishandled during mount option parsing, aka     CID-aa9f7d5172fa.(CVE-2020-0067)An issue was discovered     in the Linux kernel before 5.2 on the powerpc platform.
    arch/powerpc/kernel/idle_book3s.S does not have     save/restore functionality for PNV_POWERSAVE_AMR,     PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka     CID-53a712bae5dd.(CVE-2020-11669)A flaw was found in     the Linux kernelaEUR?s implementation of GRO. This flaw     allows an attacker with local access to crash the     system.(CVE-2020-10720)A flaw was found in the Linux     kernel's implementation of the invert video code on VGA     consoles when a local attacker attempts to resize the     console, calling an ioctl VT_RESIZE, which causes an     out-of-bounds write to occur. This flaw allows a local     user with access to the VGA console to crash the     system, potentially escalating their privileges on the     system. The highest threat from this vulnerability is     to data confidentiality and integrity as well as system     availability.(CVE-2020-14331)An out-of-bounds (OOB)     memory access flaw was found in ttm_put_pages in     drivers/gpu/drm/ttm/ttm_page_alloc.c in the Linux     kernel's graphics module. Incrementing the page pointer     for huge pages was not in sync with the reference     counter, and this could lead to an out-of-bounds access     or a denial of service. This flaw allows a local     attacker with special user privileges (or root) to     cause memory exploitation.(CVE-2019-19927)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In f2fs_xattr_generic_list of xattr.c, there is a     possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure     with System execution privileges needed. User     interaction is not required for     exploitation.(CVE-2020-0067)

  - An issue was discovered in the Linux kernel before 5.2     on the powerpc platform.
    arch/powerpc/kernel/idle_book3s.S does not have     save/restore functionality for PNV_POWERSAVE_AMR,     PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka     CID-53a712bae5dd.(CVE-2020-11669)

  - In the Linux kernel before 5.6.1,     drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink     camera USB driver) mishandles invalid descriptors, aka     CID-a246b4d54770.(CVE-2020-11668)

  - In the Linux kernel before 5.4.12,     drivers/input/input.c has out-of-bounds writes via a     crafted keycode table, as demonstrated by     input_set_keycode, aka     CID-cb222aed03d7.(CVE-2019-20636)

  - An issue was discovered in the Linux kernel before     5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and     ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d.(CVE-2020-11608)

  - An issue was discovered in the stv06xx subsystem in the     Linux kernel before 5.6.1.
    drivers/media/usb/gspca/stv06xx/stv06xx.c and     drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c     mishandle invalid descriptors, as demonstrated by a     NULL pointer dereference, aka     CID-485b06aadb93.(CVE-2020-11609)

  - A flaw was found in the Linux kernel's implementation     of some networking protocols in IPsec, such as VXLAN     and GENEVE tunnels over IPv6. When an encrypted tunnel     is created between two hosts, the kernel isn't     correctly routing tunneled data over the encrypted link     rather sending the data unencrypted. This would allow     anyone in between the two endpoints to read the traffic     unencrypted. The main threat from this vulnerability is     to data confidentiality.(CVE-2020-1749)

  - An issue was discovered in the Linux kernel through     5.6.2. mpol_parse_str in mm/mempolicy.c has a     stack-based out-of-bounds write because an empty     nodelist is mishandled during mount option parsing, aka     CID-aa9f7d5172fa.(CVE-2020-11565)

  - An issue was discovered in slc_bump in     drivers/net/can/slcan.c in the Linux kernel through     5.6.2. It allows attackers to read uninitialized     can_frame data, potentially containing sensitive     information from kernel stack memory, if the     configuration lacks CONFIG_INIT_STACK_ALL, aka     CID-b9258a2cece4.(CVE-2020-11494)

  - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel     through 5.3.12 allows a NULL pointer dereference     because rcu_dereference(root->node) can be     zero.(CVE-2019-19036)

  - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel     through 5.3.12 allows a NULL pointer dereference     because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be     zero.(CVE-2019-19037)

  - __btrfs_free_extent in fs/btrfs/extent-tree.c in the     Linux kernel through 5.3.12 calls btrfs_print_leaf in a     certain ENOENT case, which allows local users to obtain     potentially sensitive information about register values     via the dmesg program.(CVE-2019-19039)

  - In the Linux kernel 5.0.21, mounting a crafted f2fs     filesystem image can cause a NULL pointer dereference     in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This     is related to F2FS_P_SB in     fs/f2fs/f2fs.h.(CVE-2019-19815)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

SO-AND-SO reports :

XSS in Markdown Preview Using Mermaid

Bypass Email Verification using Salesforce Authentication

Account Takeover using SAML

Uncontrolled Resource Consumption in Markdown using Mermaid

Disclosure of Private Project Path and Labels

Disclosure of Assignees via Milestones

Disclosure of Project Path via Unsubscribe Link

Disclosure of Project Milestones via Groups

Disclosure of Private System Notes via GraphQL

GIT Command Injection via API

Bypass User Blocking via CI/CD token

IDOR Adding Groups to Protected Environments

Disclosure of Group Membership via Merge Request Approval Rules

Disclosure of Head Pipeline via Blocking Merge Request Feature

Grafana update

ID	Name	Product	Family	Severity
144097	Debian DLA-2483-1 : linux-4.19 security update	Nessus	Debian Local Security Checks	high
140141	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1920)	Nessus	Huawei Local Security Checks	medium
138139	Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4414-1)	Nessus	Ubuntu Local Security Checks	high
137805	EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1698)	Nessus	Huawei Local Security Checks	medium
136239	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1536)	Nessus	Huawei Local Security Checks	critical
135741	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1508)	Nessus	Huawei Local Security Checks	medium
129546	FreeBSD : Gitlab -- Multiple Vulnerabilities (b17c86b9-e52e-11e9-86e9-001b217b3468)	Nessus	FreeBSD Local Security Checks	medium

CVE-2019-19039

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

medium

high

medium

critical

medium

medium