[Ksplice][Ubuntu-20.04-Updates] New Ksplice updates for Ubuntu 20.04 Focal (USN-4525-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Dec 21 14:29:51 PST 2020


Synopsis: USN-4525-1 can now be patched using Ksplice
CVEs: CVE-2019-18808 CVE-2019-19054 CVE-2019-19448 CVE-2019-19770 CVE-2020-12888 CVE-2020-14331 CVE-2020-16166 CVE-2020-25212

Systems running Ubuntu 20.04 Focal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4525-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.04
Focal install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
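The two install paths above depend on one setting. As an added example that is not part of the Oracle advisory, the POSIX shell snippet below reads the `autoinstall` value from an uptrack.conf-style file (ignoring comments, blank lines and surrounding whitespace) and tells an operator whether the host will pick up the USN-4525-1 patches on its own or needs a manual `uptrack-upgrade -y`. The file path is passed in as an argument; the function names and the sample file used in the usage note are assumptions made here, and the real configuration file is /etc/uptrack/uptrack.conf as named in the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Ksplice host will
# apply updates automatically by inspecting its uptrack.conf.
#
# The key the advisory names is "autoinstall"; this parser only looks for
# that key, written in lower case as in the advisory, and compares the
# value case-insensitively.

# Return 0 when "autoinstall = yes" is the last effective setting in the
# file, 1 when it is set to anything else or missing, 2 when the file
# cannot be read.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 2
    # First expression drops "# ..." comments (including whole-line ones),
    # second keeps only the value of an "autoinstall = <value>" line.
    value=$(sed -n -e 's/#.*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$conf" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    [ "$value" = "yes" ]
}

# Print the action an operator should take for the host described by $1.
# The wording is this example's own; uptrack-upgrade -y is the command the
# advisory gives for a manual install.
recommend_action() {
    rc=0
    uptrack_autoinstall_enabled "$1" || rc=$?
    case "$rc" in
        0) echo "autoinstall enabled: USN-4525-1 patches will be applied automatically" ;;
        1) echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y" ;;
        *) echo "cannot read $1: verify the Ksplice Uptrack installation" ;;
    esac
}

# Stand-alone usage: sh check_autoinstall.sh /etc/uptrack/uptrack.conf
if [ $# -ge 1 ]; then
    recommend_action "$1"
fi
```

Run it as `sh check_autoinstall.sh /etc/uptrack/uptrack.conf`; an exit status of 2 from `uptrack_autoinstall_enabled` means the file was not readable, which is a different finding from "autoinstall is off" and is reported separately.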


DESCRIPTION

* CVE-2020-16166: Confidentiality vulnerability in the generation of the device ID.

A flaw in the generation of the device ID from the network RNG could
allow remote attackers to make observations that reveal sensitive
information about the internal state of the network RNG and compromise
data confidentiality.

Orabug: 31698078


* CVE-2020-14331: Out-of-bounds writes in ioctls of Console display driver.

Out-of-bounds writes in ioctls of the console display driver could happen
when calling the VT_RESIZE ioctl to resize the console. This flaw could
allow a local user with access to the VGA console to crash the system or
potentially escalate their privileges on the system.


* Out-of-bounds access in writes of Simplified Mandatory Access Control Kernel Support.

A missing check on user input when using Simplified Mandatory Access
Control Kernel Support driver could lead to an out-of-bounds access.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2019-19054: Denial-of-service in the cx2388x tv card driver.

Failure to handle an error during initial setup in the cx2388x TV card
driver causes a memory leak. An attacker could exploit this to cause a
denial-of-service.


* Use-after-free in writes of Simplified Mandatory Access Control.

A missing synchronization mechanism in writes of Simplified Mandatory
Access Control Kernel Support driver could lead to a use-after-free
when multiple userspace tasks access the driver simultaneously.
A local attacker could use this flaw to cause a denial-of-service or
the execution of arbitrary code.


* Information leak in receives of Reliable Datagram Sockets protocol.

A flaw in receives of the Reliable Datagram Sockets protocol implementation
could cause a leak of kernel memory to userspace. A local attacker could
use this flaw to leak information from kernel memory.


* Information leak in ioctls of AMDGPU Graphics driver.

A flaw in the ioctl implementation of the AMDGPU Graphics driver could cause
a leak of kernel memory to userspace. A local attacker could use this
flaw to leak information.


* CVE-2020-25212: Out-of-bounds writes in RPC operations of Network File System.

Out-of-bounds writes in RPC operations of the Network File System
could cause a system crash. This flaw could allow a local user
to crash the system and cause a denial-of-service or potentially
escalate their privileges on the system.


* Out-of-bounds access in Minix filesystem when mapping a large logical block number.

Out-of-bounds memory access could happen in Minix filesystem when
mapping a very large logical block number to its on-disk location.
A local user could use this flaw to cause a denial-of-service.


* CVE-2019-18808: Memory leak in CCP device driver with invalid hash type.

The device driver for AMD cryptographic coprocessor devices contains a
flaw where specifying an invalid hash algorithm causes the driver to
leak memory. An attacker might exploit this to cause a
denial-of-service.


* Denial-of-service in Internet Protocol when converting IPv6 to IPv4 socket.

A flaw in the Internet Protocol implementation can cause a memory leak when
performing a certain sequence of socket operations in userspace.
A local user could use this flaw to cause a denial-of-service.


* Use-after-free in ioctls of Direct Rendering Manager.

A flaw in ioctls implementation of Direct Rendering Manager could lead
to use-after-free. A local attacker could use this flaw to cause
a denial-of-service or potentially escalate privileges.


* Denial-of-service in 802.11 mesh network join of Generic IEEE 802.11 Networking Stack.

A flaw in the 802.11 mesh network join implementation of the Generic IEEE
802.11 Networking Stack could cause a memory leak. A local user
could exploit this flaw by repeatedly joining and leaving an 802.11
mesh network and cause a denial-of-service.


* Information leak in Open vSwitch when transmitting flow key.

The Open vSwitch flow key structure can contain uninitialized kernel
stack memory when it is copied into a socket, potentially leaking
sensitive information to a malicious user.


* Memory corruption in key material handling of Marvell WiFi-Ex Driver.

An out-of-bounds write could happen in 802.11 key material handling
of Marvell WiFi-Ex Driver when a badly formatted network packet arrives
on the network interface. A remote attacker could use this flaw to
cause a denial-of-service or code execution.


* CVE-2019-19448: Use-after-free in Btrfs filesystem with a crafted btrfs filesystem image.

Mounting a crafted btrfs filesystem image, performing some operations
and making syncfs system call could lead to a use-after-free in Btrfs
filesystem. A local user with physical access to the system and
a malicious device could use this flaw to cause a system crash or
execution of arbitrary code on the system.


* Unauthorized access is possible using a symlink on the ceph filesystem in SELinux.

The security context is not set when a symlink is created. This allows
unauthorized access to a file through the symlink.


* Memory leak on releasing lease in SMB filesystem.

A logic error in the SMB code causes a memory leak whenever an expired
lease is released. A usermode program can open a file on a remote server and
trigger this SMB path to consume memory without ever releasing it. This may
make system memory unavailable to other programs, leading to denial-of-service.


* Denial-of-service when the btrfs filesystem runs out of disk space.

A logic error in the btrfs filesystem leading to a deadlock will cause the
whole system to freeze. A malicious usermode program can exploit this
vulnerability to cause denial-of-service.


* Denial-of-service from NULL pointer dereference in btrfs.

A NULL pointer dereference occurs on error in the file compression path in
btrfs, leading to denial-of-service.


* Use-after-free when a multiple device (RAID and LVM) is stopped.

A buffer is freed on md device stop but is accessed later, which causes the
system to panic due to the use-after-free.


* Information leak in io_uring on IO request submit.

A logic error in io_uring causes kernel memory data to be copied to a
usermode program through the io_uring driver.


* Kernel panic on accessing invalid memory in multiple devices (RAID & LVM).

On error in resizing a multiple device, a buffer is left initialized with an
invalid pointer, and accessing it later causes a kernel panic.


* Denial-of-service when invoking ptrace system call.

A logic error in the ptrace system call path can cause a kernel panic,
leading to denial-of-service.


* Denial-of-service in xfrm when SA is installed.

A logic error in xfrm (IP security) can cause a NULL pointer dereference
that leads to a kernel panic.


* Denial-of-service on mounting btrfs on a loop device by possible deadlock.

A logic error in the btrfs mount code can cause a deadlock on a loop device,
leading to a system freeze and denial-of-service.


* Possible memory corruption/system crash due to incorrect synchronization logic.

A logic error in a basic synchronization primitive, the RCU lock, which is
designed to allow concurrent reading while a protected buffer is updated,
causes the old buffer to be accessed after the update. This leads to
possible memory corruption and/or a system crash.


* Memory leak in Direct Rendering Manager (DRM).

A logic error in the Direct Rendering Manager (DRM) during
error handling could cause a memory leak. A malicious local user
could use this to cause denial of service.


* Denial-of-service from NULL pointer reference in io_uring on read/write.

A usermode program can open a file that has no read or write function, which
causes a NULL pointer dereference leading to a system crash and denial-of-service.


* NFC does not check permission creating raw socket.

A logic error in the NFC raw socket creation code omits the check of whether
a user has the capability to create raw sockets. This enables an
unauthorized user to send data over the network.


* Information leak can occur in io_uring from a system call.

A logic error in io_uring allows system memory data to be written to storage
from a usermode system call, where users can then access it.


* Denial-of-service on kernel oops in Bluetooth module.

A logic error in the Bluetooth module allows a buffer overrun that corrupts
system memory and causes a kernel oops, leading to denial-of-service.


* Denial-of-service in ALSA hdmi on out of bounds memory access.

A logic error in the ALSA HDMI sound PCI card driver accesses out-of-bounds
memory, causing the system to crash and leading to denial-of-service.


* CVE-2019-19770: Use-after-free in debugfs from blktrace.

A race condition in the use of debugfs from blktrace can cause a buffer
that has already been freed to be dereferenced, leading to a use-after-free.


* CVE-2020-12888: Denial-of-service when accessing PCI memory through VFIO.

The VFIO PCI driver can allow users to access disabled PCI memory
regions in certain scenarios, which can lead to a system crash on
some platforms.  This flaw could be exploited by a local attacker
to cause a denial-of-service both directly from the host via a
userspace device driver, or from a guest VM that uses VFIO passthrough.


* Denial-of-service in Bluetooth driver when accessing a buffer already freed.

Use-after-free in Bluetooth driver causes system crash leading to
denial-of-service.


* Integer overflow of KVM zero page reference count causes DoS.

The KVM virtual machine infrastructure erroneously takes references on
the shared zero page when creating virtual machines, and this reference
count is not protected against integer overflow. A malicious user with the
ability to create virtual machines on the system might exploit this to
cause a denial-of-VM-service.


* Use-after-free when submitting an async IO using io_uring.

A logic error in the io_uring async IO submission path can access a buffer
that has been freed previously, leading to a system crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
