CVE-2019-11190 – kernel: ASLR bypass for setuid binaries due to late install_exec_creds()
https://notcve.org/view.php?id=CVE-2019-11190
The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. El kernel de Linux anterior a la versión 4.8 permite a los usuarios locales eludir ASLR en programas setuid (como /bin/su) porque install_exec_creds() es llamado demasiado tarde en load_elf_binary() en fs/binfmt_elf.c, y por lo tanto la comprobación ptrace_may_access() tiene una condición de carrera al leer /proc/pid/stat. A flaw in the load_elf_binary() function in the Linux kernel allows a local attacker to leak the base address of .text and stack sections for setuid binaries and bypass ASLR because install_exec_creds() is called too late in this function. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html http://www.openwall.com/lists/oss-security/2019/04/15/1 http://www.securityfocus.com/bid/107890 https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=a5b5352558f6808db0589644ea5401b3e3148a0d https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=e1676b55d874a43646e8b2c46d87f2f3e45516ff https://lists.debian.org/debian-lts-announce/2019/05/msg00041.html https://lists • CWE-250: Execution with Unnecessary Privileges CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2019-3459 – kernel: Heap address information leak while using L2CAP_GET_CONF_OPT
https://notcve.org/view.php?id=CVE-2019-3459
A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. Se descubrió una fuga de información de direcciones en memoria dinámica mientras se usaba L2CAP_GET_CONF_OPT en el kernel de Linux anterior a 5.1-rc1. A flaw was found in the Linux kernel's implementation of Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack. An attacker, within the range of standard Bluetooth transmissions, can create and send a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack. • http://www.openwall.com/lists/oss-security/2019/06/27/2 http://www.openwall.com/lists/oss-security/2019/06/27/7 http://www.openwall.com/lists/oss-security/2019/06/28/1 http://www.openwall.com/lists/oss-security/2019/06/28/2 http://www.openwall.com/lists/oss-security/2019/08/12/1 https://access.redhat.com/errata/RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat. • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-3460 – kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP
https://notcve.org/view.php?id=CVE-2019-3460
A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1. Se ha descubierto una fuga de información en múltiples ubicaciones en memoria dinámica, incluyendo L2CAP_GET_CONF_OPT en el kernel de Linux anterior a 5.1-rc1. A flaw was found in the Linux kernel's implementation of logical link control and adaptation protocol (L2CAP), part of the Bluetooth stack in the l2cap_parse_conf_rsp and l2cap_parse_conf_req functions. An attacker with physical access within the range of standard Bluetooth transmission can create a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack. • http://www.openwall.com/lists/oss-security/2019/06/27/2 http://www.openwall.com/lists/oss-security/2019/06/27/7 http://www.openwall.com/lists/oss-security/2019/06/28/1 http://www.openwall.com/lists/oss-security/2019/06/28/2 http://www.openwall.com/lists/oss-security/2019/08/12/1 https://access.redhat.com/errata/RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat. • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-3874 – kernel: SCTP socket buffer memory leak leading to denial of service
https://notcve.org/view.php?id=CVE-2019-3874
The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable. El búfer del socket SCTP utilizado por una aplicación de espacio de usuario no es tenido en cuenta por el subsistema de cgroups. Un atacante podría explotar este error para lanzar un ataque de denegación de servicio. • https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3517 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3874 https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html https://security.netapp.com/advisory/ntap-20190411-0003 https://usn.ubuntu.com/3979-1 https://usn.ubuntu.com/3980-1 https://usn.ubuntu.com/3980-2 https://usn.ubuntu.com/3981-1 https://usn.ubuntu.com/3981-2 https://usn.ubuntu.com/398 • CWE-400: Uncontrolled Resource Consumption •
CVE-2019-9857
https://notcve.org/view.php?id=CVE-2019-9857
In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). Finally, this will cause a denial of service. En el kernel de Linux hasta la versión 5.0.2, la función inotify_update_existing_watch() en fs/notify/inotify/inotify_user.c no llama a fsnotify_put_mark() con IN_MASK_CREATE tras fsnotify_find_mark(), lo que provocará una fuga de memoria, también conocida como filtrado de refcount. Finalmente, esto provocará una denegación de servicio. • http://www.securityfocus.com/bid/107527 https://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs.git/commit/?h=fsnotify&id=62c9d2674b31d4c8a674bee86b7edc6da2803aea https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXLZ2V2ES37A3J7DMK4MZYIWV2LEZFLM https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPH3B7FJOMWD5JWUPZKB6T44KNT4PX2L https://patchwork.kernel.org/patch/10836283 https://security.netapp.com/advisory/ntap-20190404-0002 • CWE-401: Missing Release of Memory after Effective Lifetime •