{"id":"MGASA-2021-0031","summary":"Updated kernel-linus packages fix security vulnerabilities","details":"This update provides an upgrade to the new upstream 5.10 longterm branch,\ncurrently based on 5.10.6, adding new features and new and improved\nhardware support.\n\nThis update also fixes at least the following security issues:\n\nIn binder_release_work of binder.c, there is a possible use-after-free due\nto improper locking. This could lead to local escalation of privilege in\nthe kernel with no additional execution privileges needed. User interaction\nis not needed for exploitation (CVE-2020-0423).\n\nIn various methods of hid-multitouch.c, there is a possible out of bounds\nwrite due to a missing bounds check. This could lead to local escalation of\nprivilege with no additional execution privileges needed. User interaction\nis not needed for exploitation (CVE-2020-0465).\n\nInsufficient access control in the Linux kernel driver for some Intel(R)\nProcessors may allow an authenticated user to potentially enable information\ndisclosure via local access (CVE-2020-8694).\n\nA potential vulnerability in the AMD extension to Linux \"hwmon\" service may\nallow an attacker to use the Linux-based Running Average Power Limit (RAPL)\ninterface to show various side channel attacks. In line with industry\npartners, AMD has updated the RAPL interface to require privileged access\n(CVE-2020-12912).\n\nA use-after-free memory flaw was found in the perf subsystem allowing a\nlocal attacker with permission to monitor perf events to corrupt memory and\npossibly escalate privileges. The highest threat from this vulnerability\nis to data confidentiality and integrity as well as system availability\n(CVE-2020-14351).\n\nA use-after-free was found in the way the console subsystem was using ioctls\nKDGKBSENT and KDSKBSENT. A local user could use this flaw to get read\nmemory access out of bounds. The highest threat from this vulnerability is\nto data confidentiality (CVE-2020-25656).\n\nLinux kernel concurrency use-after-free in vt (CVE-2020-25668).\n\nLinux Kernel use-after-free in sunkbd_reinit (CVE-2020-25669).\n\nA flaw memory leak in the Linux kernel performance monitoring subsystem was\nfound in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use\nthis flaw to starve the resources causing denial of service (CVE-2020-25704).\n\nA flaw in the way reply ICMP packets are limited in the Linux kernel\nfunctionality was found that allows to quickly scan open UDP ports. This\nflaw allows an off-path remote user to effectively bypassing source port UDP\nrandomization. The highest threat from this vulnerability is to\nconfidentiality and possibly integrity, because software that relies on UDP\nsource port randomization are indirectly affected as well (CVE-2020-25705).\n\nAn issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c\nin the Linux kernel before 5.9.2. It has an infinite loop related to\nimproper interaction between a resampler and edge triggering (CVE-2020-27152).\n\nAn issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or\nin kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit\nvalues (CVE-2020-27194).\n\nAn issue was discovered in the Linux kernel through 5.9.1, as used with Xen\nthrough 4.14.x. Guest OS users can cause a denial of service (host OS hang)\nvia a high rate of events to dom0 (CVE-2020-27673).\n\nAn issue was discovered in the Linux kernel through 5.9.1, as used with Xen\nthrough 4.14.x. drivers/xen/events/events_base.c allows event-channel removal\nduring the event-handling loop (a race condition). This can cause a\nuse-after-free or NULL pointer dereference, as demonstrated by a dom0 crash\nvia events for an in-reconfiguration paravirtualized device (CVE-2020-27675).\n\nA use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux\nkernel (before 5.10-rc1). There was a race problem in trace_open and resize\nof cpu buffer running parallely on different cpus, may cause a denial of\nservice problem (DOS). This flaw could even allow a local attacker with\nspecial user privilege to a kernel information leak threat (CVE-2020-27825).\n\nLinux kernel NULL-ptr deref bug in spk_ttyio_receive_buf2 (CVE-2020-27830).\n\nA use after free in the Linux kernel infiniband hfi1 driver in versions\nprior to 5.10-rc6 was found in the way user calls Ioctl after open dev\nfile and fork. A local user could use this flaw to crash the system\n(CVE-2020-27835).\n\nlib/syscall: fix syscall registers retrieval on 32-bit platforms\n(CVE-2020-28588).\n\nA buffer over-read (at the framebuffer layer) in the fbcon code in the\nLinux kernel before 5.8.15 could be used by local attackers to read kernel\nmemory (CVE-2020-28915).\n\nAn issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in\nthe Linux kernel through 5.9.9. Local attackers on systems with the\nspeakup driver could cause a local denial of service attack (CVE-2020-28941).\n\nA slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could\nbe used by local attackers to read privileged information or potentially\ncrash the kernel (CVE-2020-28974).\n\nAn issue was discovered in the Linux kernel before 5.9.3. io_uring takes a\nnon-refcounted reference to the files_struct of the process that submitted\na request, causing execve() to incorrectly optimize unshare_fd()\n(CVE-2020-29534).\n\nA locking inconsistency issue was discovered in the tty subsystem of the\nLinux kernel through 5.9.13. drivers/tty/tty_io.c and\ndrivers/tty/tty_jobctrl.c may allow a read-after-free attack against\nTIOCGSID (CVE-2020-29660).\n\nA locking issue was discovered in the tty subsystem of the Linux kernel\nthrough 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack\nagainst TIOCSPGRP (CVE-2020-29661).\n\nFor other upstream changes, see the referenced kernelnewbies and changelog\nlinks.\n","modified":"2026-02-01T17:53:08.358965Z","published":"2021-01-15T12:31:01Z","related":["CVE-2020-0423","CVE-2020-0465","CVE-2020-12912","CVE-2020-14351","CVE-2020-25656","CVE-2020-25668","CVE-2020-25669","CVE-2020-25704","CVE-2020-25705","CVE-2020-27152","CVE-2020-27194","CVE-2020-27673","CVE-2020-27675","CVE-2020-27825","CVE-2020-27830","CVE-2020-27835","CVE-2020-28588","CVE-2020-28915","CVE-2020-28941","CVE-2020-28974","CVE-2020-29534","CVE-2020-29660","CVE-2020-29661","CVE-2020-8694"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0031.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27939"},{"type":"REPORT","url":"https://kernelnewbies.org/Linux_5.8"},{"type":"REPORT","url":"https://kernelnewbies.org/Linux_5.9"},{"type":"REPORT","url":"https://kernelnewbies.org/Linux_5.10"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.1"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.2"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.3"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.4"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.5"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.6"}],"affected":[{"package":{"name":"kernel-linus","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/kernel-linus?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.6-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0031.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}