[Ksplice][Ubuntu-19.10-Updates] New Ksplice updates for Ubuntu 19.10 Eoan (USN-4208-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Dec 17 01:21:05 PST 2019


Synopsis: USN-4208-1 can now be patched using Ksplice
CVEs: CVE-2019-15794 CVE-2019-19048 CVE-2019-19060 CVE-2019-19061 CVE-2019-19065 CVE-2019-19067 CVE-2019-19075 CVE-2019-19083 CVE-2019-19526 CVE-2019-19532

Systems running Ubuntu 19.10 Eoan can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4208-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.10
Eoan install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
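
To confirm afterwards that a host is covered, the following added example (not part of Oracle's announcement) checks the autoinstall setting and compares the CVE list from the Synopsis against a listing of installed updates. It assumes that `uptrack-show` prints one installed update per line with its CVE ids in the description; the sample listing and its bracketed ids are constructed.

```shell
#!/bin/sh
# CVE list copied from the Synopsis of this advisory (USN-4208-1).
USN_4208_1_CVES="CVE-2019-15794 CVE-2019-19048 CVE-2019-19060 CVE-2019-19061 CVE-2019-19065 CVE-2019-19067 CVE-2019-19075 CVE-2019-19083 CVE-2019-19526 CVE-2019-19532"

# Constructed sample of an installed-updates listing (ids are made up).
SAMPLE_LISTING='Installed updates:
[sample01] CVE-2019-19048: Denial-of-service in Virtualbox guest ioctl().
[sample02] CVE-2019-19060, CVE-2019-19061: Memory leak in Analog Devices ADIS* driver.
[sample03] CVE-2019-19526: Use-after-free when registering USB NFC PN533 device.'

# autoinstall_enabled FILE: succeed only if FILE has an uncommented
# "autoinstall = yes" line (case and spacing around "=" are ignored).
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" 2>/dev/null
}

# missing_cves LISTING: print the advisory CVEs that LISTING does not
# mention, space separated; succeed only if every CVE is present.
missing_cves() {
    listing=$1
    missing=""
    for cve in $USN_4208_1_CVES; do
        # -w keeps CVE-2019-19048 from matching inside a longer id
        # such as CVE-2019-190480; -F treats the id as a literal string.
        printf '%s\n' "$listing" | grep -qwF -- "$cve" || missing="$missing $cve"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

if command -v uptrack-show >/dev/null 2>&1; then
    # Ksplice host: report on the live configuration and installed updates.
    autoinstall_enabled /etc/uptrack/uptrack.conf || echo "autoinstall is not enabled"
    if m=$(missing_cves "$(uptrack-show)"); then
        echo "all USN-4208-1 CVEs are covered"
    else
        echo "not covered yet: $m"
    fi
else
    # No Ksplice tools here: run against the constructed sample instead.
    echo "sample listing is missing: $(missing_cves "$SAMPLE_LISTING" || true)"
fi
```
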


DESCRIPTION

* CVE-2019-19048: Denial-of-service in Virtualbox guest ioctl().

A logic error when performing user data copying could result in a
resource leak and eventual memory exhaustion.  A local user with access
to the "vboxguest" device could use this flaw to crash the system.


* CVE-2019-19075: Memory leak when registering Cascoda CA8210 transceiver driver.

A logic error when registering Cascoda CA8210 transceiver driver could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* CVE-2019-19067: Memory leaks when registering AMD Audio CoProcessor driver.

Multiple logic errors when registering AMD Audio CoProcessor driver
could lead to memory leaks. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* CVE-2019-19083: Memory leak when registering clock for AMD display driver.

A missing free of resources when registering clock for AMD display
driver could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* CVE-2019-15794: Denial-of-service when using shiftfs and overlayfs in conjunction with AUFS.

A logic error in mmap implementation in shiftfs and overlayfs could lead
to an invalid memory access when used in conjunction with AUFS. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2019-19065: Memory leak when initializing Intel OPA Gen1 driver.

A missing free of resources in error path when initializing Intel OPA
Gen1 driver could lead to a memory leak. A local attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2019-19532: Denial-of-service when initializing HID devices.

A failure to properly check a device-controlled parameter in the USB
HID (bluetooth) subsystem could lead to reading or writing past memory
bounds. An attacker can exploit this bug with a specially crafted USB
device to escalate privileges or cause a denial-of-service.


* CVE-2019-19060: Memory leak in Analog Devices ADIS* driver when scanning devices.

A missing free of resources on allocation failure in Analog Devices
ADIS* driver when scanning devices could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* CVE-2019-19061: Memory leak in Analog Devices ADIS* driver.

A missing free of resources on allocation failure in Analog Devices
ADIS* driver when scanning devices in burst mode could lead to a memory
leak. A local attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.


* CVE-2019-19526: Use-after-free when registering USB NFC PN533 device.

A logic error in error path when registering USB NFC PN533 device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




