A NULL pointer dereference flaw was found in the Xirlink camera USB driver 'xirlink-cit' in the Linux kernel. The driver mishandles invalid descriptors leading to a denial-of-service (DoS). This could allow a local attacker with user privilege to crash the system or leak kernel internal information.

Reference:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.1

Upstream commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a246b4d547708f33ff4d4b9a7a5dbac741dc89d8
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1824793]
This was fixed for Fedora with the 5.5.14 stable kernel updates.
Mitigation:

Mitigation for this issue is to skip loading the affected module 'xirlink-cit' onto the system until we have a fix available. This can be done by a blacklist mechanism, which will ensure the driver is not loaded at boot time.

~~~
How do I blacklist a kernel module to prevent it from loading automatically?
https://access.redhat.com/solutions/41278
~~~
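One way to verify the blacklist mitigation described above on a host, as an added example that is not part of the original bug report or of Red Hat's tooling. It assumes the driver's module is named `gspca_xirlink_cit` (the report only says 'xirlink-cit') and that modprobe configuration lives in the usual `modprobe.d` directories; it distinguishes a plain `blacklist` line, which only stops automatic loading, from an `install ... /bin/false` override, and reports whether the module is already loaded.

```shell
#!/bin/sh
# Added example: audit modprobe.d-style config for a module block.

# modprobe treats '-' and '_' in module names as the same character.
norm() { printf '%s' "$1" | tr '-' '_'; }

# module_block_state MODULE DIR...
#   blocked        an "install MODULE /bin/false|/bin/true" override exists
#   autoload-only  only "blacklist MODULE" (explicit modprobe still loads it)
#   not-blocked    neither directive found
module_block_state() {
    want=$(norm "$1"); shift
    state=not-blocked
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            while read -r kw mod rest || [ -n "$kw" ]; do
                case "$kw" in ''|'#'*) continue ;; esac
                [ "$(norm "$mod")" = "$want" ] || continue
                case "$kw" in
                    blacklist) [ "$state" = blocked ] || state=autoload-only ;;
                    install)
                        case "$rest" in
                            /bin/false*|/bin/true*) state=blocked ;;
                        esac ;;
                esac
            done < "$f"
        done
    done
    printf '%s\n' "$state"
}

# module_loaded MODULE [FILE]: true if MODULE is listed in /proc/modules.
module_loaded() {
    grep -q "^$(norm "$1") " "${2:-/proc/modules}" 2>/dev/null
}

# Assumed module name and standard config directories.
MOD=gspca_xirlink_cit
echo "config: $(module_block_state "$MOD" /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d)"
if module_loaded "$MOD"; then echo "loaded: yes"; else echo "loaded: no"; fi
```

A result of `autoload-only` together with `loaded: yes` means the blacklist entry was added after the driver was already in memory; the module stays loaded until it is removed or the system reboots.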
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11668
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2725 https://access.redhat.com/errata/RHSA-2021:2725
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2726 https://access.redhat.com/errata/RHSA-2021:2726