A use-after-free flaw was found in the Linux kernel's implementation of blktrace in the __blk_add_trace function. A local attacker with permissions to run block trace instructions against a device can create a situation where the core block_trace object is used after it is freed. The attacker can pre-groom memory to race this use-after-free to create a condition where memory is corrupted and privilege escalation is also likely. The ability to create this condition requires elevated privileges, and it has been decided that this change in Red Hat Enterprise Linux 5 and 6 would risk introducing possible regressions and will not be backported.
Reference: https://bugzilla.kernel.org/show_bug.cgi?id=205711
Patch: A patch may be attached to the bugzilla.kernel.org but no patch exists at this time.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1786166]
While this flaw is rated as important, it was a difficult decision to make. Users who are granted permissions on system block devices can likely find other ways of doing this, such as modifying the setuid bits on mounted filesystems, or perverting the contents of setuid files, or just the password file itself if they can access it on that block device.
This was fixed for Fedora with the 5.5.8 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1567 https://access.redhat.com/errata/RHSA-2020:1567
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1769 https://access.redhat.com/errata/RHSA-2020:1769
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19768
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:1966 https://access.redhat.com/errata/RHSA-2020:1966
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2104 https://access.redhat.com/errata/RHSA-2020:2104
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2082 https://access.redhat.com/errata/RHSA-2020:2082
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2085 https://access.redhat.com/errata/RHSA-2020:2085
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2199 https://access.redhat.com/errata/RHSA-2020:2199
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2203 https://access.redhat.com/errata/RHSA-2020:2203
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support; Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions; Red Hat Enterprise Linux 7.4 Telco Extended Update Support. Via RHSA-2020:2214 https://access.redhat.com/errata/RHSA-2020:2214
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2020:2242 https://access.redhat.com/errata/RHSA-2020:2242
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2020:2285 https://access.redhat.com/errata/RHSA-2020:2285
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support; Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions; Red Hat Enterprise Linux 7.3 Telco Extended Update Support. Via RHSA-2020:2277 https://access.redhat.com/errata/RHSA-2020:2277
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:2289 https://access.redhat.com/errata/RHSA-2020:2289
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:2291 https://access.redhat.com/errata/RHSA-2020:2291
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:2519 https://access.redhat.com/errata/RHSA-2020:2519
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:2522 https://access.redhat.com/errata/RHSA-2020:2522