SB2019120338 - Information disclosure in Linux kernel USB driver
Published: December 3, 2019 Updated: July 15, 2020
Security Bulletin ID
SB2019120338
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2019-19536)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in drivers/net/can/usb/peak_usb/pcan_usb_pro.c USB driver. A local user can use a specially crafted USB device to gain unauthorized access to sensitive information on the system.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html
- http://www.openwall.com/lists/oss-security/2019/12/03/4
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.9
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ead16e53c2f0ed946d82d4037c630e2f60f4ab69
- https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
- https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html