CVE-2020-16119 – DCCP CCID structure use-after-free
https://notcve.org/view.php?id=CVE-2020-16119
Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196. Una vulnerabilidad de uso de la memoria previamente liberada en el kernel de Linux explotable por un atacante local debido a la reutilización de un socket DCCP con un objeto dccps_hc_tx_ccid adjunto como oyente después de ser liberado. Corregido en el kernel de Ubuntu Linux versiones 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 y 3.2.0-149.196 • https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=01872cb896c76cedeabe93a08456976ab55ad695 https://launchpad.net/bugs/1883840 https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html https://lore.kernel.org/netdev/20201013171849.236025-1-kleber.souza%40canonical.com/T https://security.netapp.com/advisory/ntap-20210304-0006 https://ubuntu.com/USN-4576-1 https://ubuntu.com/USN-4 • CWE-416: Use After Free •
CVE-2020-16120 – Unprivileged overlay + shiftfs read access
https://notcve.org/view.php?id=CVE-2020-16120
Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops"). This was fixed in kernel version 5.8 by commits 56230d9 ("ovl: verify permissions in ovl_path_open()"), 48bd024 ("ovl: switch to mounter creds in readdir") and 05acefb ("ovl: check permission to open real file"). Additionally, commits 130fdbc ("ovl: pass correct flags for opening real directory") and 292f902 ("ovl: call secutiry hook in ovl_real_ioctl()") in kernel 5.8 might also be desired or necessary. • https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8 https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84 https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52 https://launchpad.net/bugs/1894980 https://launchpad.net/bugs/1900141 https://ubuntu.com/USN-4576-1 https://ubuntu.com/USN-4577-1 https://ubuntu.com/USN-4578-1 https://www.openwall • CWE-266: Incorrect Privilege Assignment •
CVE-2020-25645 – kernel: Geneve/IPsec traffic may be unencrypted between two Geneve endpoints
https://notcve.org/view.php?id=CVE-2020-25645
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. Se encontró un fallo en el kernel de Linux en versiones anteriores a 5.9-rc7. El tráfico entre dos endpoints Geneve puede no estar cifrado cuando IPsec está configurado para cifrar el tráfico para el puerto UDP específico usado por el túnel GENEVE, permitiendo a cualquier persona entre los dos endpoints leer el tráfico sin cifrar. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00042.html http://packetstormsecurity.com/files/161229/Kernel-Live-Patch-Security-Notice-LSN-0074-1.html https://bugzilla.redhat.com/show_bug.cgi?id=1883988 https://lists.debian.org/debian-lts-announce/2020/10/msg00028.html https://lists.debian.org/debian-lts-announce/2020/12/msg00027.html https://security.netapp.com/advisory/ntap-20201103-0004 https://ww • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2020-14355 – spice: multiple buffer overflow vulnerabilities in QUIC decoding code
https://notcve.org/view.php?id=CVE-2020-14355
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution. Se encontraron múltiples vulnerabilidades de desbordamiento de búfer en el proceso de decodificación de imágenes QUIC del sistema de visualización remota SPICE, versiones anteriores a spice-0.14.2-1. Tanto el cliente SPICE (spice-gtk) como el servidor están afectados por estos defectos. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00001.html https://bugzilla.redhat.com/show_bug.cgi?id=1868435 https://lists.debian.org/debian-lts-announce/2020/11/msg00001.html https://lists.debian.org/debian-lts-announce/2020/11/msg00002.html https://usn.ubuntu.com/4572-1 https://usn.ubuntu.com/4572-2 https://www.debian.org/security/2020/dsa-4771 https://www.openwall.com/lists/oss • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2020-7070 – PHP parses encoded cookie names so malicious `__Host-` cookies can be sent
https://notcve.org/view.php?id=CVE-2020-7070
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information. En PHP versiones 7.2.x por debajo de 7.2.34, versiones 7.3.x por debajo de 7.3.23 y versiones 7.4.x por debajo de 7.4.11, cuando PHP procesa valores de cookies HTTP entrantes, los nombres de las cookies se decodifican de la URL. Esto puede conllevar a que las cookies con prefijos como __Host se confundan con las cookies que decodifican dicho prefijo, lo que conlleva a que un atacante pueda falsificar una cookie que se supone que es segura. • http://cve.circl.lu/cve/CVE-2020-8184 http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html https://bugs.php.net/bug.php?id=79699 https://hackerone.com/reports/895727 https://lists.debian.org/debian-lts-announce/2020/10/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EVDN7D3IB4EAI4D3ZOM2OJKQ5SD7K4E https://lists.fedoraproject.org/archives/list/ • CWE-20: Improper Input Validation CWE-565: Reliance on Cookies without Validation and Integrity Checking •