====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2020:4062-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4062
Issue date:        2020-09-29
CVE Names:         CVE-2017-18551 CVE-2018-20836 CVE-2019-9454
                   CVE-2019-9458 CVE-2019-15217 CVE-2019-15807
                   CVE-2019-15917 CVE-2019-16231 CVE-2019-16233
                   CVE-2019-16994 CVE-2019-17053 CVE-2019-17055
                   CVE-2019-18808 CVE-2019-19046 CVE-2019-19055
                   CVE-2019-19058 CVE-2019-19059 CVE-2019-19062
                   CVE-2019-19063 CVE-2019-19332 CVE-2019-19447
                   CVE-2019-19523 CVE-2019-19524 CVE-2019-19530
                   CVE-2019-19534 CVE-2019-19537 CVE-2019-19767
                   CVE-2019-19807 CVE-2019-20054 CVE-2019-20095
                   CVE-2019-20636 CVE-2020-1749 CVE-2020-2732
                   CVE-2020-8647 CVE-2020-8649 CVE-2020-9383
                   CVE-2020-10690 CVE-2020-10732 CVE-2020-10742
                   CVE-2020-10751 CVE-2020-10942 CVE-2020-11565
                   CVE-2020-12770 CVE-2020-12826 CVE-2020-14305
====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)

* kernel: out of bounds write in function i2c_smbus_xfer_emulated in
drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)

* kernel: race condition in smp_task_timedout() and smp_task_done() in
drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)

* kernel: out of bounds write in i2c driver leads to local escalation of
privilege (CVE-2019-9454)

* kernel: use after free due to race condition in the video driver leads to
local privilege escalation (CVE-2019-9458)

Space precludes documenting all of the security fixes in this advisory. See
the descriptions of the remaining security fixes in the related Knowledge
Article:

https://access.redhat.com/articles/5442481

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1427551 - mm/swap: Convert to percpu locked
1707796 - CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free
1745528 - CVE-2019-15217 kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver
1747216 - CVE-2019-15807 kernel: Memory leak in drivers/scsi/libsas/sas_expander.c
1757368 - CVE-2017-18551 kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c
1758242 - CVE-2019-17053 kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol
1758248 - CVE-2019-17055 kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol
1759681 - CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c
1760100 - CVE-2019-15917 kernel: use-after-free in drivers/bluetooth/hci_ldisc.c
1760310 - CVE-2019-16231 kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c
1760420 - CVE-2019-16233 kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c
1774988 - CVE-2019-19046 kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c
1775015 - CVE-2019-19063 kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c allow for a DoS
1775021 - CVE-2019-19062 kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS
1775042 - CVE-2019-19059 kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS
1775047 - CVE-2019-19058 kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c allows for a DoS
1775074 - CVE-2019-19055 kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS
1777418 - CVE-2019-18808 kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c
1779594 - CVE-2019-19332 Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid
1781679 - CVE-2019-19447 kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c
1783434 - CVE-2019-19523 kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver
1783459 - CVE-2019-19524 kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free
1783518 - CVE-2019-19530 kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver
1783540 - CVE-2019-19534 kernel: information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver
1783561 - CVE-2019-19537 kernel: race condition caused by a malicious USB device in the USB character device driver layer
1786078 - CVE-2019-19807 kernel: use-after-free in sound/core/timer.c
1786160 - CVE-2019-19767 kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c and fs/ext4/super.c
1788009 - Request nx_huge_pages=N as default value to avoid kvm-rt guest large latency spike
1790063 - CVE-2019-20054 kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c
1791954 - CVE-2019-20095 kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c
1802555 - CVE-2020-8649 kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c
1802563 - CVE-2020-8647 kernel: out-of-bounds read in vc_do_resize function in drivers/tty/vt/vt.c
1805135 - CVE-2020-2732 Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources
1809833 - CVE-2020-1749 kernel: some ipv6 protocols not encrypted over ipsec tunnel
1810685 - CVE-2020-9383 kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c
1817141 - CVE-2020-10690 kernel: use-after-free in cdev_put() when a PTP device is removed while its chardev is open
1817718 - CVE-2020-10942 kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field
1818818 - CVE-2019-9454 kernel: out of bounds write in i2c driver leads to local escalation of privilege
1819377 - CVE-2019-9458 kernel: use after free due to race condition in the video driver leads to local privilege escalation
1822077 - CVE-2020-12826 kernel: possible to send arbitrary signals to a privileged (suidroot) parent process
1824059 - CVE-2019-20636 kernel: out-of-bounds write via crafted keycode table
1824918 - CVE-2020-11565 kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c
1831399 - CVE-2020-10732 kernel: uninitialized kernel data leak in userspace coredumps
1834845 - CVE-2020-12770 kernel: sg_write function lacks an sg_remove_request call in a certain failure case
1835127 - CVE-2020-10742 kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic
1839634 - CVE-2020-10751 kernel: SELinux netlink permission check bypass
1850716 - CVE-2020-14305 kernel: memory corruption in Voice over IP nf_conntrack_h323 module

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:
kernel-rt-3.10.0-1160.rt56.1131.el7.src.rpm

noarch:
kernel-rt-doc-3.10.0-1160.rt56.1131.el7.noarch.rpm

x86_64:
kernel-rt-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debug-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debug-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debug-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debug-kvm-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-kvm-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-kvm-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-trace-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-trace-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-trace-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-trace-kvm-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:
kernel-rt-3.10.0-1160.rt56.1131.el7.src.rpm

noarch:
kernel-rt-doc-3.10.0-1160.rt56.1131.el7.noarch.rpm

x86_64:
kernel-rt-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debug-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debug-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debug-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-trace-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-trace-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm
kernel-rt-trace-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-18551
https://access.redhat.com/security/cve/CVE-2018-20836
https://access.redhat.com/security/cve/CVE-2019-9454
https://access.redhat.com/security/cve/CVE-2019-9458
https://access.redhat.com/security/cve/CVE-2019-15217
https://access.redhat.com/security/cve/CVE-2019-15807
https://access.redhat.com/security/cve/CVE-2019-15917
https://access.redhat.com/security/cve/CVE-2019-16231
https://access.redhat.com/security/cve/CVE-2019-16233
https://access.redhat.com/security/cve/CVE-2019-16994
https://access.redhat.com/security/cve/CVE-2019-17053
https://access.redhat.com/security/cve/CVE-2019-17055
https://access.redhat.com/security/cve/CVE-2019-18808
https://access.redhat.com/security/cve/CVE-2019-19046
https://access.redhat.com/security/cve/CVE-2019-19055
https://access.redhat.com/security/cve/CVE-2019-19058
https://access.redhat.com/security/cve/CVE-2019-19059
https://access.redhat.com/security/cve/CVE-2019-19062
https://access.redhat.com/security/cve/CVE-2019-19063
https://access.redhat.com/security/cve/CVE-2019-19332
https://access.redhat.com/security/cve/CVE-2019-19447
https://access.redhat.com/security/cve/CVE-2019-19523
https://access.redhat.com/security/cve/CVE-2019-19524
https://access.redhat.com/security/cve/CVE-2019-19530
https://access.redhat.com/security/cve/CVE-2019-19534
https://access.redhat.com/security/cve/CVE-2019-19537
https://access.redhat.com/security/cve/CVE-2019-19767
https://access.redhat.com/security/cve/CVE-2019-19807
https://access.redhat.com/security/cve/CVE-2019-20054
https://access.redhat.com/security/cve/CVE-2019-20095
https://access.redhat.com/security/cve/CVE-2019-20636
https://access.redhat.com/security/cve/CVE-2020-1749
https://access.redhat.com/security/cve/CVE-2020-2732
https://access.redhat.com/security/cve/CVE-2020-8647
https://access.redhat.com/security/cve/CVE-2020-8649
https://access.redhat.com/security/cve/CVE-2020-9383
https://access.redhat.com/security/cve/CVE-2020-10690
https://access.redhat.com/security/cve/CVE-2020-10732
https://access.redhat.com/security/cve/CVE-2020-10742
https://access.redhat.com/security/cve/CVE-2020-10751
https://access.redhat.com/security/cve/CVE-2020-10942
https://access.redhat.com/security/cve/CVE-2020-11565
https://access.redhat.com/security/cve/CVE-2020-12770
https://access.redhat.com/security/cve/CVE-2020-12826
https://access.redhat.com/security/cve/CVE-2020-14305
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index
https://access.redhat.com/articles/5442481

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.