[Bug 1909486] Re: tiocspgrp()" Privilege Escalation Vulnerability

[Nick Moffitt]

** Description changed:

- A race condition error related to the "tiocspgrp()" function
- (drivers/tty/tty_jobctrl.c) can be exploited to trigger a use-after-free
- and subsequently gain elevated privileges.
+ CVE 2020-29661 https://bugs.launchpad.net/bugs/cve/2020-29661
  
- The vulnerability is reported in versions 5.9.x prior to 5.9.14, 5.4.x
- prior to 5.4.83, 4.19.x prior to 4.19.163, 4.14.x prior to 4.14.212,
- 4.9.x prior to 4.9.248, and 4.4.x prior to 4.4.248.
- 
- Affected Software
- 
- The following software is affected by the described vulnerability.
- Please check the vendor links below to see if exactly your version is
- affected.
- 
- Linux Kernel 4.14.x
- Linux Kernel 4.19.x
- Linux Kernel 4.4.x
- Linux Kernel 4.9.x
- Linux Kernel 5.4.x
- Linux Kernel 5.9.x
- 
- Solution
- 
- Update to a fixed version.
- 
- Versions 5.9.x:
- Update to version 5.9.14 or later.
- 
- Versions 5.4.x:
- Update to version 5.4.83 or later.
- 
- Versions 4.19.x:
- Update to version 4.19.163.
- 
- Versions 4.14.x:
- Update to version 4.14.212.
- 
- Versions 4.9.x:
- Update to version 4.9.248.
- 
- Versions 4.4.x:
- Update to version 4.4.248.
- 
- References
- 
- 1. https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.9.14 

- 2. https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.83 

- 3. https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.163 

- 4. https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.212 

- 5. https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.248 

- 6. https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.248 

- 7. https://bugs.chromium.org/p/project-zero/issues/detail?id=2125 

- 8. 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=54ffccbf053b5b6ca4f6e45094b942fab92a25fc
 

- 
- 
- Detected in Ubuntu 16, which uses 4.4.x kernel.
+ A locking issue was discovered in the tty subsystem of the Linux kernel
+ through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack
+ against TIOCSPGRP, aka CID-54ffccbf053b.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1909486

Title:
  tiocspgrp()" Privilege Escalation Vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1909486/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1909486] Re: tiocspgrp()" Privilege Escalation Vulnerability

[Steve Beattie]

** Information type changed from Private Security to Public Security

** Changed in: linux (Ubuntu)
   Status: New => Confirmed

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1909486

Title:
  tiocspgrp()" Privilege Escalation Vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1909486/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs