system/easy-kernel*: multiple vulnerabilities
Bugzilla ID | 180 |
Alias(es) | CVE-2019-14814, CVE-2019-14815, CVE-2019-14816, CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15239, CVE-2019-15505, CVE-2019-15538, CVE-2019-16746, CVE-2019-17054, CVE-2019-17055, CVE-2019-17056 |
Reporter | Max Rees (sroracle) |
Assignee | A. Wilcox (awilfox) |
Reported | 2019-08-14 11:19:01 -0500 |
Modified | 2019-10-16 20:34:30 -0500 |
Status | RESOLVED FIXED |
Version | 1.0-BETA3 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
See also | https://bts.adelielinux.org/show_bug.cgi?id=130, https://bts.adelielinux.org/show_bug.cgi?id=195, https://bts.adelielinux.org/show_bug.cgi?id=217 |
Description
CVE-2019-5489: https://nvd.nist.gov/vuln/detail/CVE-2019-5489
The mincore() implementation in mm/mincore.c in the Linux kernel
through 4.19.13 allowed local attackers to observe page cache access
patterns of other processes on the same system, potentially allowing
sniffing of secret information. (Fixing this affects the output of the
fincore program.) Limited remote exploitation may be possible, as
demonstrated by latency differences in accessing public files from an
Apache HTTP Server.
No fix in 4.14 yet.
https://www.linuxkernelcves.com/cves/CVE-2019-5489
CVE-2019-12614: https://nvd.nist.gov/vuln/detail/CVE-2019-12614
An issue was discovered in dlpar_parse_cc_property in
arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through
5.1.6. There is an unchecked kstrdup of prop->name, which might
allow an attacker to cause a denial of service (NULL pointer
dereference and system crash).
No fix in 4.14 yet.
https://www.linuxkernelcves.com/cves/CVE-2019-12614
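
The unchecked-duplication pattern described for CVE-2019-12614, as an added userspace illustration (not kernel code and not part of the original report). The names struct prop, dup_str, fail_alloc, parse_unchecked and parse_checked and the sample property name are constructed for this example; dup_str stands in for kstrdup and can be made to fail on demand.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model (constructed): not the kernel's struct property. */
struct prop { char *name; };

static int fail_alloc;  /* set to 1 to simulate memory exhaustion */

/* Stand-in for kstrdup(): returns NULL when the allocation fails. */
static char *dup_str(const char *s)
{
    char *d;
    if (fail_alloc) return NULL;
    d = malloc(strlen(s) + 1);
    if (d) strcpy(d, s);
    return d;
}

/* Unchecked pattern: an object with a NULL name escapes to callers,
 * and the first caller that dereferences the name crashes. */
static struct prop *parse_unchecked(const char *name)
{
    struct prop *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->name = dup_str(name);    /* result never tested */
    return p;
}

/* Checked pattern: release the partial object and report failure,
 * so callers only ever see a fully initialised property or NULL. */
static struct prop *parse_checked(const char *name)
{
    struct prop *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->name = dup_str(name);
    if (!p->name) {
        free(p);
        return NULL;
    }
    return p;
}

int main(void)
{
    struct prop *u, *c;
    fail_alloc = 1;                      /* force the failure path */
    u = parse_unchecked("ibm,example");  /* constructed sample name */
    c = parse_checked("ibm,example");
    printf("unchecked: name=%s, checked: object=%s\n",
           (u && u->name) ? u->name : "NULL", c ? "ok" : "NULL");
    free(u);
    return 0;
}
```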