CVE-2020-12655: Input Validation
First published: Mon Mar 02 2020(Updated: )
A flaw was discovered in the XFS source in the Linux kernel. This flaw allows an attacker with the ability to mount an XFS filesystem, to trigger a denial of service while attempting to sync a file located on an XFS v5 image with crafted metadata.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-alt | <0:4.14.0-115.29.1.el7a | 0:4.14.0-115.29.1.el7a |
| redhat/kernel-rt | <0:4.18.0-240.rt7.54.el8 | 0:4.18.0-240.rt7.54.el8 |
| redhat/kernel | <0:4.18.0-240.el8 | 0:4.18.0-240.el8 |
| Linux Linux kernel | <=5.6.10 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.112-1 6.11.5-1 6.11.7-1 |
Remedy
This flaw requires an attacker being able to have the system mount a crafted filesystem. If the xfs filesystem is not in use, the 'xfs' kernel module can be blacklisted and the module will not be loaded when the filesystem is mounted, mounting will fail. However, if this filesystem is in use, this workaround will not be suitable. To find out how to blacklist the "xfs" kernel module please see https://access.redhat.com/solutions/41278 or contact Red hat Global Support services
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-12655 https://nvd.nist.gov/vuln/detail/CVE-2020-12655
- https://bugzilla.redhat.com/show_bug.cgi?id=1832543
- https://access.redhat.com/errata/RHSA-2020:3545
- https://access.redhat.com/errata/RHSA-2020:4609
- https://access.redhat.com/errata/RHSA-2020:4431
- https://access.redhat.com/security/cve/cve-2020-12655
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00022.html
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d0c7feaf87678371c2c09b3709400be416b2dc62
- https://github.com/torvalds/linux/commit/d0c7feaf87678371c2c09b3709400be416b2dc62
- https://lists.debian.org/debian-lts-announce/2020/08/msg00019.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ES5C6ZCMALBEBMKNNCTBSLLSYGFZG3FF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IO5XIQSRI747P4RVVTNX7TUPEOCF4OPU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZ2X3TM6RGRUS3KZAS26IJO5XGU7TBBR/
- https://lore.kernel.org/linux-xfs/20200221153803.GP9506@magnolia/
- https://security.netapp.com/advisory/ntap-20200608-0001/
- https://usn.ubuntu.com/4465-1/
- https://usn.ubuntu.com/4483-1/
- https://usn.ubuntu.com/4485-1/
- https://launchpad.net/bugs/cve/CVE-2020-12655
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1832545
- https://access.redhat.com/solutions/41278
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ES5C6ZCMALBEBMKNNCTBSLLSYGFZG3FF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IO5XIQSRI747P4RVVTNX7TUPEOCF4OPU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZ2X3TM6RGRUS3KZAS26IJO5XGU7TBBR/
- https://lore.kernel.org/linux-xfs/20200221153803.GP9506%40magnolia/
- https://git.kernel.org/linus/d0c7feaf87678371c2c09b3709400be416b2dc62
- https://security-tracker.debian.org/tracker/CVE-2020-12655
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12655
- https://nvd.nist.gov/vuln/detail/CVE-2020-12655
- https://ubuntu.com/security/CVE-2020-12655
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-12655
- agent/first-publish-date
- agent/author
- agent/severity
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/remedy
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- package-manager/redhat
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/5.6.10
- package-manager/debian