CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 0CVE-2020-11565 – kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c
https://notcve.org/view.php?id=CVE-2020-11565
An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue “is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.” ** EN DISPUTA ** Se detectó un problema en el kernel de Linux versiones hasta 5.6.2. La función mpol_parse_str en el archivo mm/mempolicy.c presenta una escritura fuera de límites en la región stack de la memoria porque una lista de nodos vacía es manejada inapropiadamente durante el análisis de la opción de montaje, también se conoce como CID-aa9f7d5172fa. NOTA: Alguien en la comunidad de seguridad no está de acuerdo en que se trata de una vulnerabilidad porque el problema "es un error en el análisis de las opciones de montaje que sólo puede ser especificado por un usuario privilegiado, por lo que la activación del error no otorga ningún poder que no se tenga ya". An out-of-bounds write flaw was found in the Linux kernel. • https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd https://github.com/torvalds/linux/commit/aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html https://usn.ubuntu.com/4363-1 https://usn.ubuntu.com/4364-1 https://usn.ubuntu.com/4367-1 https:&# • CWE-787: Out-of-bounds Write •
CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2020-11494
https://notcve.org/view.php?id=CVE-2020-11494
An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel 3.16 through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4. Se detectó un problema en la función slc_bump en el archivo drivers/net/can/slcan.c en el kernel de Linux versión 3.16 hasta la versión 5.6.2. Permite a atacantes leer datos de can_frame no inicializados, conteniendo potencialmente información confidencial de la memoria de la pila del kernel, si la configuración carece de CONFIG_INIT_STACK_ALL, también se conoce como CID-b9258a2cece4 • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00035.html http://packetstormsecurity.com/files/159565/Kernel-Live-Patch-Security-Notice-LSN-0072-1.html https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=08fadc32ce6239dc75fd5e869590e29bc62bbc28 https://github.com/torvalds/linux/commit/b9258a2cece4ec1f020715fe3554bc2e360f6264 https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html https://lists.debi • CWE-908: Use of Uninitialized Resource CWE-909: Missing Initialization of Resource •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 1CVE-2020-8833 – Apport race condition in crash report permissions
https://notcve.org/view.php?id=CVE-2020-8833
Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22. Una vulnerabilidad de Condición de Carrera de tipo Time-of-check Time-of-use en el cambio de propiedad del reporte de bloqueo en Apport, permite una posible oportunidad de escalada de privilegios. • https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862933 https://usn.ubuntu.com/4315-1 https://usn.ubuntu.com/4315-2 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 1CVE-2020-8831 – World writable root owned lock file created in user controllable location
https://notcve.org/view.php?id=CVE-2020-8831
Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22. • https://launchpad.net/bugs/1862348 https://usn.ubuntu.com/4315-1 https://usn.ubuntu.com/4315-2 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-379: Creation of Temporary File in Directory with Insecure Permissions •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 1CVE-2020-7065 – mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full
https://notcve.org/view.php?id=CVE-2020-7065
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution. En PHP versiones 7.3.x por debajo de 7.3.16 y versiones 7.4.x por debajo de 7.4.4, mientras se usa la función mb_strtolower() con codificación UTF-32LE, determinadas cadenas no comprobadas pueden causar que PHP sobrescriba el búfer asignado de la pila. Esto podría conllevar a una corrupción de la memoria, bloqueos y potencialmente a una ejecución de código. A vulnerability was found in PHP while using the mb_strtolower() function with UTF-32LE encoding, where certain invalid strings cause PHP to overwrite the stack-allocated buffer. • https://bugs.php.net/bug.php?id=79371 https://security.netapp.com/advisory/ntap-20200403-0001 https://usn.ubuntu.com/4330-1 https://usn.ubuntu.com/4330-2 https://www.debian.org/security/2020/dsa-4719 https://www.oracle.com/security-alerts/cpuoct2021.html https://www.php.net/ChangeLog-7.php#7.4.4 https://www.tenable.com/security/tns-2021-14 https://access.redhat.com/security/cve/CVE-2020-7065 https://bugzilla.redhat.com/show_bug.cgi?id=1820627 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •