[Ksplice][Ubuntu-20.04-Updates] New Ksplice updates for Ubuntu 20.04 Focal (USN-5415-1)

Oracle Ksplice quentin.casasnovas at oracle.com
Tue May 17 09:31:15 UTC 2022 

Synopsis: USN-5415-1 can now be patched using Ksplice
CVEs: CVE-2020-27820 CVE-2022-1016 CVE-2022-20008 CVE-2022-25258 CVE-2022-25375 CVE-2022-26490

Systems running Ubuntu 20.04 Focal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-5415-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.04
Focal install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2022-1016: Information leak in the netfilter subsystem.

A flaw in the netfilter subsystem result in a use-after-free. This may
allow a local unprivileged user to cause an information leak, resulting
in loss of system confidentiality.


* CVE-2022-25375: Information leak in RNDIS message for USB Gadget driver.

The USB Gadget subsystem fails to validate the size of a received
RNDIS_MSG_SET command, potentially allowing for a buffer overrun. A
malicious user might exploit this to leak sensitive information from the
kernel.


* CVE-2022-26490: Buffer overflow in STMicroelectronics ST21NFCA NFC driver.

A missing error check in connectivity event handling of the ST21NFCA
NFC driver could result in a buffer overflow. A local user could use
this flaw to cause a denial-of-service or execute arbitrary code.


* CVE-2022-25258: Missing validation of descriptors in USB gadget subsystem.

The USB Gadget subsystem fails to correctly validate os descriptors
passed to it. Malicious data passed to the system might exploit this to
cause a NULL-pointer dereference and denial-of-service.


* Out-of-bounds accesses in ASIX AX88179/178A USB 3.0/2.0 to Gigabit Ethernet.

Missing sanity checks in receive data path of ASIX AX88179/178A USB
3.0/2.0 to Gigabit Ethernet could result in out-of-bounds accesses.
A local, privileged user could use this flaw to cause a denial of
service or information disclosure.


* CVE-2020-27820: Use-after-free in the Nouveau graphics driver.

A bad cleanup in the Nouveau graphics driver during device removal could
lead to a use-after-free. A privileged local user could use this flaw to
cause a denial-of-service.


* CVE-2022-20008: Information disclosure in MMC/SD subsystem.

Improper errors handling in MMC/SD subsystem when reading from SD cards
could allow reading of kernel heap memory. A local user could use this
flaw for information disclosure.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-Ubuntu-20.04-updates mailing list