The following updates have been released for Debian GNU/Linux 8 LTS:

DLA 1799-1: linux security update
DLA 1799-2: linux security update
DLA 1808-1: sox security update
DLA 1809-1: libav security update

DLA 1799-1: linux security update

Package : linux
Version : 3.16.68-1
CVE ID : CVE-2018-5995 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
CVE-2019-2024 CVE-2019-3459 CVE-2019-3460 CVE-2019-3882
CVE-2019-3901 CVE-2019-6133 CVE-2019-9503 CVE-2019-11091
CVE-2019-11190 CVE-2019-11486 CVE-2019-11599
Debian Bug : 927781

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual
addresses assigned to per-CPU data, which could make it easier to
exploit other vulnerabilities.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Multiple researchers have discovered vulnerabilities in the way
that Intel processor designs implement speculative forwarding of
data filled into temporary microarchitectural structures
(buffers). This flaw could allow an attacker controlling an
unprivileged process to read sensitive information, including from
the kernel and all other processes running on the system, or
across guest/host boundaries to read host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
for more details.

To fully resolve these vulnerabilities it is also necessary to
install updated CPU microcode. An updated intel-microcode package
(only available in Debian non-free) was provided via DLA-1789-1.
The updated CPU microcode may also be available as part of a
system firmware ("BIOS") update.
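A check for the microcode point made above, as an added example that is not part of Debian's advisory: it reads the mds entry the kernel exposes under /sys (the status strings are the ones documented in the kernel's mds.html page linked above) and reports whether the kernel update alone was enough or whether microcode is still missing. The sysfs path is real; the function names and the one-word results they print are my own.

```shell
#!/bin/sh
# Added example (not from the Debian advisory): classify the MDS status that
# the kernel exposes in /sys/devices/system/cpu/vulnerabilities/mds, so an
# admin can tell whether the linux update alone was enough or whether CPU
# microcode (intel-microcode or a firmware update) is still missing.
# Status strings are those documented in the kernel's mds.html page cited
# in the advisory. FILE defaults to the real sysfs path; pass another path
# to run against constructed input.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_action [FILE]: print one word saying what, if anything, is still needed:
#   not-affected     CPU model is not affected by MDS
#   ok               kernel mitigation active and microcode present
#   needs-microcode  kernel is patched but the CPU lacks the new microcode
#   vulnerable       no mitigation at all (e.g. booted with mds=off)
#   unknown          file absent or unrecognised (kernel predates the MDS
#                    patches, i.e. the updated linux package is not running)
mds_action() {
    f=${1:-$MDS_SYSFS}
    if [ ! -r "$f" ]; then echo unknown; return 0; fi
    case "$(cat "$f")" in
        "Not affected"*)                                          echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)                         echo ok ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo needs-microcode ;;
        Vulnerable*)                                              echo vulnerable ;;
        *)                                                        echo unknown ;;
    esac
}

# mds_smt [FILE]: the SMT part of the same line. Buffer clearing does not
# protect against a sibling hyperthread, so smt-vulnerable means data can
# still leak across threads unless SMT is disabled (nosmt or mds=full,nosmt).
mds_smt() {
    f=${1:-$MDS_SYSFS}
    if [ ! -r "$f" ]; then echo unknown; return 0; fi
    case "$(cat "$f")" in
        *"SMT vulnerable"*)         echo smt-vulnerable ;;
        *"SMT mitigated"*)          echo smt-mitigated ;;
        *"SMT disabled"*)           echo smt-disabled ;;
        *"SMT Host state unknown"*) echo smt-host-unknown ;;
        *)                          echo smt-not-reported ;;
    esac
}

# Run directly on a host: one summary line for the real sysfs entry.
echo "mds: $(mds_action) ($(mds_smt))"
```

On a host still running the pre-update 3.16 kernel the mds entry does not exist, so the script reports unknown; after rebooting into 3.16.68-1 without new microcode it reports needs-microcode.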

CVE-2019-2024

A use-after-free bug was discovered in the em28xx video capture
driver. Local users might be able to use this for denial of
service (memory corruption or crash) or possibly for privilege
escalation.

CVE-2019-3459, CVE-2019-3460

Shlomi Oberman, Yuli Shapiro, and Karamba Security Ltd. research
team discovered missing range checks in the Bluetooth L2CAP
implementation. If Bluetooth is enabled, a nearby attacker
could use these to read sensitive information from the kernel.

CVE-2019-3882

It was found that the vfio implementation did not limit the number
of DMA mappings to device memory. A local user granted ownership
of a vfio device could use this to cause a denial of service
(out-of-memory condition).

CVE-2019-3901

Jann Horn of Google reported a race condition that would allow a
local user to read performance events from a task after it
executes a setuid program. This could leak sensitive information
processed by setuid programs. Debian's kernel configuration does
not allow unprivileged users to access performance events by
default, which fully mitigates this issue.

CVE-2019-6133

Jann Horn of Google found that PolicyKit's authentication check
could be bypassed by a local user creating a process with the same
start time and process ID as an older authenticated process.
PolicyKit was already updated to fix this in DLA-1644-1. The
kernel has additionally been updated to avoid a delay between
assigning start time and process ID, which should make the attack
impractical.

CVE-2019-9503

Hugues Anguelkov and others at Quarkslab discovered that the
brcmfmac (Broadcom wifi FullMAC) driver did not correctly
distinguish messages sent by the wifi firmware from other packets.
An attacker using the same wifi network could use this for denial
of service or to exploit other vulnerabilities in the driver.

CVE-2019-11190

Robert Święcki reported that when a setuid program was executed it
was still possible to read performance events while the kernel set
up the program's address space. A local user could use this to
defeat ASLR in a setuid program, making it easier to exploit other
vulnerabilities in the program. Debian's kernel configuration
does not allow unprivileged users to access performance events by
default, which fully mitigates this issue.

CVE-2019-11486

Jann Horn of Google reported numerous race conditions in the
Siemens R3964 line discipline. A local user could use these to
cause unspecified security impact. This module has therefore been
disabled.

CVE-2019-11599

Jann Horn of Google reported a race condition in the core dump
implementation which could lead to a use-after-free. A local
user could use this to read sensitive information, to cause a
denial of service (memory corruption), or for privilege
escalation.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.68-1. This version also includes a fix for Debian bug #927781,
and other fixes included in upstream stable updates.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1799-2: linux security update

Package : linux
Version : 3.16.68-1
CVE ID : CVE-2018-5995 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
CVE-2019-2024 CVE-2019-3459 CVE-2019-3460 CVE-2019-3882
CVE-2019-3901 CVE-2019-6133 CVE-2019-9503 CVE-2019-11091
CVE-2019-11190 CVE-2019-11486 CVE-2019-11599
Debian Bug : 927781

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

This updated advisory text adds a note about the need to install new
binary packages.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual
addresses assigned to per-CPU data, which could make it easier to
exploit other vulnerabilities.

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Multiple researchers have discovered vulnerabilities in the way
that Intel processor designs implement speculative forwarding of
data filled into temporary microarchitectural structures
(buffers). This flaw could allow an attacker controlling an
unprivileged process to read sensitive information, including from
the kernel and all other processes running on the system, or
across guest/host boundaries to read host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
for more details.

To fully resolve these vulnerabilities it is also necessary to
install updated CPU microcode. An updated intel-microcode package
(only available in Debian non-free) was provided via DLA-1789-1.
The updated CPU microcode may also be available as part of a
system firmware ("BIOS") update.

CVE-2019-2024

A use-after-free bug was discovered in the em28xx video capture
driver. Local users might be able to use this for denial of
service (memory corruption or crash) or possibly for privilege
escalation.

CVE-2019-3459, CVE-2019-3460

Shlomi Oberman, Yuli Shapiro, and Karamba Security Ltd. research
team discovered missing range checks in the Bluetooth L2CAP
implementation. If Bluetooth is enabled, a nearby attacker
could use these to read sensitive information from the kernel.

CVE-2019-3882

It was found that the vfio implementation did not limit the number
of DMA mappings to device memory. A local user granted ownership
of a vfio device could use this to cause a denial of service
(out-of-memory condition).

CVE-2019-3901

Jann Horn of Google reported a race condition that would allow a
local user to read performance events from a task after it
executes a setuid program. This could leak sensitive information
processed by setuid programs. Debian's kernel configuration does
not allow unprivileged users to access performance events by
default, which fully mitigates this issue.

CVE-2019-6133

Jann Horn of Google found that PolicyKit's authentication check
could be bypassed by a local user creating a process with the same
start time and process ID as an older authenticated process.
PolicyKit was already updated to fix this in DLA-1644-1. The
kernel has additionally been updated to avoid a delay between
assigning start time and process ID, which should make the attack
impractical.

CVE-2019-9503

Hugues Anguelkov and others at Quarkslab discovered that the
brcmfmac (Broadcom wifi FullMAC) driver did not correctly
distinguish messages sent by the wifi firmware from other packets.
An attacker using the same wifi network could use this for denial
of service or to exploit other vulnerabilities in the driver.

CVE-2019-11190

Robert Święcki reported that when a setuid program was executed it
was still possible to read performance events while the kernel set
up the program's address space. A local user could use this to
defeat ASLR in a setuid program, making it easier to exploit other
vulnerabilities in the program. Debian's kernel configuration
does not allow unprivileged users to access performance events by
default, which fully mitigates this issue.

CVE-2019-11486

Jann Horn of Google reported numerous race conditions in the
Siemens R3964 line discipline. A local user could use these to
cause unspecified security impact. This module has therefore been
disabled.

CVE-2019-11599

Jann Horn of Google reported a race condition in the core dump
implementation which could lead to a use-after-free. A local
user could use this to read sensitive information, to cause a
denial of service (memory corruption), or for privilege
escalation.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.68-1. This version also includes a fix for Debian bug #927781,
and other fixes included in upstream stable updates.

We recommend that you upgrade your linux and linux-latest
packages. You will need to use "apt-get upgrade --with-new-pkgs"
or "apt upgrade" as the binary package names have changed.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1808-1: sox security update

Package : sox
Version : 14.4.1-5+deb8u4
CVE ID : CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357
Debian Bug : 927906

Several issues were found in SoX, the Swiss army knife of sound processing
programs, that could lead to denial of service via application crash or
potentially to arbitrary code execution by processing maliciously crafted
input files.

For Debian 8 "Jessie", these problems have been fixed in version
14.4.1-5+deb8u4.

We recommend that you upgrade your sox packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1809-1: libav security update

Package : libav
Version : 6:11.12-1~deb8u7
CVE ID : CVE-2018-15822 CVE-2019-11338

Two more security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library.

CVE-2018-15822

The flv_write_packet function in libavformat/flvenc.c in libav did
not check for an empty audio packet, leading to an assertion failure.

CVE-2019-11338

libavcodec/hevcdec.c in libav mishandled detection of duplicate first
slices, which allowed remote attackers to cause a denial of service
(NULL pointer dereference and out-of-array access) or possibly have
unspecified other impact via crafted HEVC data.

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u7.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS