| Revision Date: | 2019-04-22 | Version: | 1 | | Title: | CVE-2019-3901 on Ubuntu 18.04 LTS (bionic) - medium. | | Description: | A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8.
| | Family: | unix | Class: | vulnerability | | Status: | | Reference(s): | CVE-2019-3901
| | Platform(s): | Ubuntu 18.04 LTS
| Product(s): | | | Definition Synopsis | | Ubuntu 18.04 LTS (bionic) is installed. AND Package Information
linux package in bionic, is related to the CVE in some way and has been fixed (note: '4.13.0-16.19').
OR linux-aws package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1001.1').
OR linux-azure package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1002.2').
OR linux-gcp package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1001.1').
OR linux-hwe package in bionic, is related to the CVE in some way and has been fixed (note: '4.18.0-13.14~18.04.1').
OR linux-kvm package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1002.2').
OR linux-meta package in bionic, is related to the CVE in some way and has been fixed (note: '4.13.0-16.19').
OR linux-meta-aws package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1001.1').
OR linux-meta-azure package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1002.2').
OR linux-meta-gcp package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1001.1').
OR linux-meta-hwe package in bionic, is related to the CVE in some way and has been fixed (note: '4.18.0-13.14~18.04.1').
OR linux-meta-kvm package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1002.2').
OR linux-meta-oem package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1002.3').
OR linux-meta-oracle package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1007.9').
OR linux-meta-raspi2 package in bionic, is related to the CVE in some way and has been fixed (note: '4.13.0-1005.5').
OR linux-meta-snapdragon package in bionic, is related to the CVE in some way and has been fixed (note: '4.4.0-1077.82').
OR linux-oem package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1002.3').
OR linux-oracle package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1007.9').
OR linux-raspi2 package in bionic, is related to the CVE in some way and has been fixed (note: '4.13.0-1005.5').
OR linux-signed package in bionic, is related to the CVE in some way and has been fixed (note: '4.13.0-16.19').
OR linux-signed-azure package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1002.2').
OR linux-signed-gcp package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1001.1').
OR linux-signed-hwe package in bionic, is related to the CVE in some way and has been fixed (note: '4.18.0-13.14~18.04.1').
OR linux-signed-oem package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1002.3').
OR linux-signed-oracle package in bionic, is related to the CVE in some way and has been fixed (note: '4.15.0-1007.9').
OR linux-snapdragon package in bionic, is related to the CVE in some way and has been fixed (note: '4.4.0-1077.82').
|
|