Security Advisory Details

NS-SA-2019-0222

2019-11-22 16:16:53

Summary

important: kernel-rt/opensc security update

Severity

important

Topic

An update for kernel-rt/opensc is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

kernel-rt: The kernel-rt package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. This kernel has been compiled with the RT patch applied and is intended for use in deterministic response-time situations.
opensc: OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the PKCS#11 API so applications supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On the card OpenSC implements the PKCS#15 standard and aims to be compatible with every software/card that does so, too.


Security Fix(es):
kernel-rt: Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU's processor store buffer.(CVE-2018-12126)
kernel-rt: Microprocessors use a 'load port' subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU's pipelines. Stale load operation results are stored in the 'load port' table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests, leaking data back to the attacker via a timing side-channel.(CVE-2018-12127)
kernel-rt: A flaw was found in the implementation of the "fill buffer", a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer.(CVE-2018-12130)
kernel-rt: A flaw was found in the Linux kernel’s block driver implementation (blk_drain_queue() function) where a use-after-free condition could be triggered while draining the outstanding command queue in the systems block device subsystem. An attacker could use this flaw to crash the system or corrupt local memory, which may lead to privilege escalation.(CVE-2018-20856)
kernel-rt: A flaw was found in the mwifiex implementation in the Linux kernel. A system connecting to wireless access point could be manipulated by an attacker with advanced permissions on the access point into localized memory corruption or possibly privilege escalation.(CVE-2019-10126)
kernel-rt: A vulnerability was found in the Linux kernel's implementation of overlayfs. An attacker with local access can create a denial of service situation via a NULL pointer dereference in the ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with the ability to create directories on overlayfs to crash the kernel, creating a denial of service (DoS).(CVE-2019-10140)
kernel-rt: Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11091)
kernel-rt: An out-of-bounds access issue was found in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.(CVE-2019-14821)
kernel-rt: A flaw was found in the Linux kernel's Marvell wifi chip driver. A heap overflow in the mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c allows remote attackers to cause a denial of service (system crash) or execute arbitrary code.(CVE-2019-3846)
kernel-rt: If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out.(CVE-2019-9500)
kernel-rt: If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a WiFi dongle). This can allow firmware event frames from a remote source to be processed and this can result in denial of service (DoS) condition.(CVE-2019-9503)
kernel-rt: A flaw was discovered in the Bluetooth protocol. An attacker within physical proximity to the Bluetooth connection could downgrade the encryption protocol to be trivially brute forced.(CVE-2019-9506)
kernel-rt: bugfix
opensc: Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.(CVE-2018-16391)
opensc: Several buffer overflows when handling responses from a TCOS Card in tcos_select_file in libopensc/card-tcos.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.(CVE-2018-16392)
opensc: Several buffer overflows when handling responses from a Gemsafe V1 Smartcard in gemsafe_get_cert_len in libopensc/pkcs15-gemsafeV1.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.(CVE-2018-16393)
opensc: A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.(CVE-2018-16418)
opensc: Several buffer overflows when handling responses from a Cryptoflex card in read_public_key in tools/cryptoflex-tool.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.(CVE-2018-16419)
opensc: A single byte buffer overflow when handling responses from an esteid Card in sc_pkcs15emu_esteid_init in libopensc/pkcs15-esteid.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.(CVE-2018-16422)
opensc: A double free when handling responses from a smartcard in sc_file_set_sec_attr in libopensc/sc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.(CVE-2018-16423)
opensc: Several buffer overflows when handling responses from an ePass 2003 Card in decrypt_response in libopensc/card-epass2003.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.(CVE-2018-16420)
opensc: Several buffer overflows when handling responses from a CAC Card in cac_get_serial_nr_from_CUID in libopensc/card-cac.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.(CVE-2018-16421)
opensc: Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash programs using the opensc library.(CVE-2018-16426)
opensc: Various out of bounds reads when handling responses in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to potentially crash programs using the opensc library.(CVE-2018-16427)
opensc: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F19.

Affected Components

  • kernel-rt
  • opensc

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Update Packages

{
  "fix": [
    {
      "product": "CGSL MAIN 5.04",
      "pkgs": [
        {
          "binary": [
            "kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debuginfo-common-x86_64-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-doc-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.noarch.rpm",
            "kernel-rt-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm"
          ],
          "source": "kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.src.rpm"
        },
        {
          "binary": [
            "opensc-0.19.0-3.el7.x86_64.rpm",
            "opensc-debuginfo-0.19.0-3.el7.x86_64.rpm"
          ],
          "source": "opensc-0.19.0-3.el7.src.rpm"
        }
      ]
    },
    {
      "product": "CGSL CORE 5.04",
      "pkgs": [
        {
          "binary": [
            "kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debug-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-debuginfo-common-x86_64-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-doc-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.noarch.rpm",
            "kernel-rt-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-kvm-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-trace-kvm-debuginfo-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm"
          ],
          "source": "kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.src.rpm"
        },
        {
          "binary": [
            "opensc-0.19.0-3.el7.x86_64.rpm",
            "opensc-debuginfo-0.19.0-3.el7.x86_64.rpm"
          ],
          "source": "opensc-0.19.0-3.el7.src.rpm"
        }
      ]
    }
  ]
}
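The update-package record above is the machine-readable part of this advisory. The following Python script is an added example (not NewStart tooling) that parses a fix record in that format and reports, per binary package, whether the newest installed version is at or above the fixed name-version-release. It assumes input in the form produced by `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`, embeds a trimmed copy of the advisory's own package list and a constructed installed-package sample, and uses a simplified rpmvercmp (digit and letter segments only, no tilde or caret handling), which is enough for the version strings in this advisory.

```python
"""Offline check of installed RPM versions against an advisory fix record.
Added example; assumes the "fix" -> product -> pkgs -> binary JSON layout
used in NS-SA-2019-0222 and `rpm -qa` lines of the form NAME-VERSION-RELEASE.ARCH.
"""
import json
import re

# Trimmed copy of the advisory's fix record (same structure, fewer binaries).
ADVISORY_FIX = json.loads("""
{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[
 {"binary":["kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-devel-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64.rpm",
            "kernel-rt-doc-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.noarch.rpm"],
  "source":"kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.src.rpm"},
 {"binary":["opensc-0.19.0-3.el7.x86_64.rpm","opensc-debuginfo-0.19.0-3.el7.x86_64.rpm"],
  "source":"opensc-0.19.0-3.el7.src.rpm"}]}]}
""")

# Constructed sample of `rpm -qa` output (release strings for the older kernel
# are made up): a patched kernel-rt next to an older one (kernels coexist), an
# older kernel-rt-devel, and an unpatched opensc.
SAMPLE_INSTALLED = """\
kernel-rt-3.10.0-693.17.1.rt56.636.el7.cgslv5_4.20.300.g0000000.x86_64
kernel-rt-3.10.0-693.21.1.rt56.639.el7.cgslv5_4.24.366.g7fc66c5.x86_64
kernel-rt-devel-3.10.0-693.17.1.rt56.636.el7.cgslv5_4.20.300.g0000000.x86_64
opensc-0.18.0-3.el7.x86_64
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def split_nvra(pkg):
    """'name-version-release.arch[.rpm]' -> (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    body, arch = pkg.rsplit(".", 1)
    name, version, release = body.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """Simplified RPM segment comparison: returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum and ynum:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xnum != ynum:
            return 1 if xnum else -1  # a numeric segment is newer than a letter one
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # more segments means newer


def compare_vr(vr_a, vr_b):
    """Compare (version, release) tuples; version decides before release."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c else rpmvercmp(vr_a[1], vr_b[1])


def latest_installed(rpm_qa_output):
    """Keep only the newest (version, release) per installed package name."""
    latest = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, ver, rel, _ = split_nvra(line.strip())
            if name not in latest or compare_vr((ver, rel), latest[name]) > 0:
                latest[name] = (ver, rel)
    return latest


def fixed_versions(advisory, product):
    """Map binary package name -> fixed (version, release) for one product."""
    fixed = {}
    for entry in advisory["fix"]:
        if entry["product"] == product:
            for pkg in entry["pkgs"]:
                for rpm_name in pkg["binary"]:
                    name, ver, rel, _ = split_nvra(rpm_name)
                    fixed[name] = (ver, rel)
    return fixed


def check_installed(advisory, product, rpm_qa_output):
    """Return {package name: 'patched' | 'vulnerable' | 'not installed'}."""
    installed = latest_installed(rpm_qa_output)
    report = {}
    for name, fixed_vr in fixed_versions(advisory, product).items():
        if name not in installed:
            report[name] = "not installed"
        elif compare_vr(installed[name], fixed_vr) >= 0:
            report[name] = "patched"
        else:
            report[name] = "vulnerable"
    return report


if __name__ == "__main__":
    result = check_installed(ADVISORY_FIX, "CGSL MAIN 5.04", SAMPLE_INSTALLED)
    for name, status in sorted(result.items()):
        print(f"{name:24} {status}")
```

A "patched" kernel-rt result only means the fixed package is on disk; the kernel fixes listed above take effect after the system is rebooted into that kernel, so compare `uname -r` against the fixed release as well.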

CVE

References