ALAS2LIVEPATCH-2020-017

Amazon Linux 2 Security Advisory: ALASLIVEPATCH-2020-017
Advisory Release Date: 2020-06-10 00:21 Pacific
Advisory Updated Date: 2020-06-17 23:36 Pacific

Severity: Important

References: CVE-2019-19319
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In the Linux kernel 5.0.21, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call. (CVE-2019-19319)

Affected Packages:

kernel-livepatch-4.14.177-139.254

Issue Correction:
Please ensure you have live patching enabled.
Run yum update kernel-livepatch-4.14.177-139.254 to update your system.

New Packages:

src:
    kernel-livepatch-4.14.177-139.254-1.0-2.amzn2.src

x86_64:
    kernel-livepatch-4.14.177-139.254-1.0-2.amzn2.x86_64
    kernel-livepatch-4.14.177-139.254-debuginfo-1.0-2.amzn2.x86_64

Additional References

Red Hat: CVE-2019-19319

Mitre: CVE-2019-19319