ASA-2019-00658 – Linux kernel: Mounting a crafted btrfs filesystem image can lead to a use-after-free through syncfs system call

Mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure.

ASA-2019-00657 – Linux kernel: Use-after-free vulnerability when deleting a file from a recently unmounted specially crafted ext4 filesystem

A flaw was found in the Linux kernel's ext4_unlink function. An attacker could corrupt memory or escalate privileges when deleting a file from a recently unmounted specially crafted ext4 filesystem, including local, USB, and iSCSI.

ASA-2019-00654 – Linux kernel: Memory corruption due to the use of cached fpu_fpregs_owner_ctx

fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux kernel, when GCC 9 is used, allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact because of incorrect fpu_fpregs_owner_ctx caching, as demonstrated by mishandling of signal-based non-cooperative preemption in Go 1.14 prereleases on amd64.

ASA-2019-00669 – OpenBSD: Dynamic Loader Privilege Escalation

OpenBSD  allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.

ASA-2019-00653 – OpenBSD: Local privilege escalation via S/Key and YubiKey

OpenBSD, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.