CVE-2018-16884 – kernel: nfs: use-after-free in svc_process_common()
https://notcve.org/view.php?id=CVE-2018-16884
A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. Se ha encontrado un error en el subsistema de archivos NFS41+ del kernel de Linux. • http://www.securityfocus.com/bid/106253 https://access.redhat.com/errata/RHSA-2019:1873 https://access.redhat.com/errata/RHSA-2019:1891 https://access.redhat.com/errata/RHSA-2019:2696 https://access.redhat.com/errata/RHSA-2019:2730 https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2020:0204 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16884 https://lists.debian.org/debian-lts • CWE-416: Use After Free •
CVE-2018-20169 – kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS
https://notcve.org/view.php?id=CVE-2018-20169
An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c. Se ha descubierto un problema en el kernel de Linux hasta antes de la versión 4.19.9. El subsistema USB gestiona de manera incorrecta las comprobaciones de tamaño durante la lectura de un descriptor extra, relacionado con __usb_get_extra_descriptor en drivers/usb/core/usb.c. A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=704620afc70cf47abb9d6a1a57f3825d2bca49cf https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3517 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.9 https://github.com/torvalds/linux/commit/704620afc70cf47abb9d6a1a57f3825d2bca49cf https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html https:/ • CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •
CVE-2018-18397 – kernel: userfaultfd bypasses tmpfs file permissions
https://notcve.org/view.php?id=CVE-2018-18397
The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c. La implementación de userfaultfd en el kernel de Linux en versiones anteriores a la 4.17 gestiona de manera incorrecta para ciertas llamadas ioctl UFFDIO_, tal y como queda demostrado al permitir que usuarios locales escriban datos en huecos en un archivo tmpfs (si el usuario tiene acceso de solo lectura a dicho archivo que contiene huecos). Esto está relacionado con fs/userfaultfd.c y mm/userfaultfd.c. A flaw was found in the Linux kernel with files on tmpfs and hugetlbfs. An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbs to modify a file and possibly disrupt normal system behavior. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29ec90660d68bbdd69507c1c8b4e33aa299278b1 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2019:0163 https://access.redhat.com/errata/RHSA-2019:0202 https://access.redhat.com/errata/RHSA-2019:0324 https://access.redhat.com/errata/RHSA-2019:0831 https://bugs.chromium.org/p/project-zero/issues/detail?id=1700 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87& • CWE-20: Improper Input Validation CWE-863: Incorrect Authorization •
CVE-2018-19854 – kernel: Information Disclosure in crypto_report_one in crypto/crypto_user.c
https://notcve.org/view.php?id=CVE-2018-19854
An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option). Se ha descubierto un problema en el kernel de Linux hasta antes de la versión 4.19.3. crypto_report_one() y otras funciones relacionadas en crypto/crypto_user.c (la API de configuración de usuarios crypto) no inicializan completamente las estructuras que se copian en el espacio de usuario, lo que podría filtrar memoria sensible a los programas del usuario. NOTA: esta es una regresión de CVE-2013-2547, pero con una explotabilidad más sencilla. Esto se deba a que el atacante no necesita una capacidad (sin embargo, el sistema debe tener la opción de kconfig CONFIG_CRYPTO_USER). • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f43f39958beb206b53292801e216d9b8a660f087 https://access.redhat.com/errata/RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3517 https://github.com/torvalds/linux/commit/f43f39958beb206b53292801e216d9b8a660f087 https://kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.3 https://usn.ubuntu.com/3872-1 https://usn.ubuntu.com/3878-1 https://usn.ubuntu.com/3878-2 https://usn.ubuntu.com/3901-1 https:/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-19824 – kernel: Use-after-free in sound/usb/card.c:usb_audio_probe()
https://notcve.org/view.php?id=CVE-2018-19824
In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c. En el kernel de Linux hasta la versión 4.19.6, un usuario local podría explotar memoria previamente liberada en el controlador ALSA suministrando un dispositivo de sonido USB malicioso (con cero interfaces) que no se maneja correctamente en usb_audio_probe en sound/usb/card.c. A flaw was found In the Linux kernel, through version 4.19.6, where a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c. An attacker could corrupt memory and possibly escalate privileges if the attacker is able to have physical access to the system. • http://www.securityfocus.com/bid/106109 https://access.redhat.com/errata/RHSA-2019:2703 https://bugzilla.suse.com/show_bug.cgi?id=1118152 https://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git/commit/?id=5f8cf712582617d523120df67d392059eaf2fc4b https://github.com/torvalds/linux/commit/5f8cf712582617d523120df67d392059eaf2fc4b https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html https://lists.debian.org/debian- • CWE-416: Use After Free •