[Ksplice][Ubuntu-20.10-Updates] New Ksplice updates for Ubuntu 20.10 Groovy (USN-4751-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Mar 2 05:55:34 PST 2021


Synopsis: USN-4751-1 can now be patched using Ksplice
CVEs: CVE-2020-25656 CVE-2020-25668 CVE-2020-25669 CVE-2020-25704 CVE-2020-27673 CVE-2020-27675 CVE-2020-27815 CVE-2020-27835 CVE-2020-28588 CVE-2020-28941 CVE-2020-28974 CVE-2020-29568 CVE-2020-29569 CVE-2020-29660 CVE-2020-29661 CVE-2020-35508

Systems running Ubuntu 20.10 Groovy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4751-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.10
Groovy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
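The two paths above (automatic installation when "autoinstall = yes" is set, otherwise a manual uptrack-upgrade) can be checked from a script. The following POSIX sh is an added example, not part of the Oracle advisory: it reads the autoinstall key from an uptrack.conf in the INI-style form the advisory quotes (comment and whitespace handling are assumptions) and only runs the manual upgrade where autoinstall is off.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a host still needs a
# manual "uptrack-upgrade -y" by reading the autoinstall setting from an
# uptrack.conf. Assumes "autoinstall = yes" in a "#"/";"-commented INI file.

# Print "yes" or "no" for the autoinstall setting in the file given as $1.
# Case-insensitive, tolerant of whitespace around "=", ignores comment lines
# and trailing comments, last assignment wins; "no" when absent or unreadable.
uptrack_autoinstall() {
    [ -r "$1" ] || { echo no; return 0; }
    val=$(tr '[:upper:]' '[:lower:]' < "$1" | sed -n \
        -e 's/[[:space:]]*[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' \
        | tail -n 1 | tr -d '[:space:]')
    case "$val" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# Apply the manual upgrade only where Uptrack will not do it on its own.
# UPTRACK_UPGRADE can be overridden (e.g. "echo") to dry-run on a host
# without Ksplice installed; the real path is the one from the advisory.
uptrack_ensure_patched() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    if [ "$(uptrack_autoinstall "$conf")" = yes ]; then
        echo "autoinstall enabled in $conf; Uptrack will install the updates itself"
        return 0
    fi
    ${UPTRACK_UPGRADE:-/usr/sbin/uptrack-upgrade} -y
}
```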


DESCRIPTION

* CVE-2020-28941: Denial-of-service in Speakup Screen Reader.

An invalid memory release in the Speakup Screen Reader driver when using
the tty line discipline multiple times could lead to a system crash.
A local user could use this flaw for a denial-of-service.


* CVE-2020-28588: Information disclosure due to syscall registers misuse.

Due to a failure to correctly cast the syscall registers to 64-bit
values, sensitive kernel information can be disclosed to userspace.
A local attacker could use this flaw to facilitate a further attack
on the kernel.


* CVE-2020-27675: Race condition when reconfiguring para-virtualized Xen devices.

An event-channel removal when reconfiguring paravirtualized devices may cause a
race condition leading to a null pointer dereference. A local attacker could use
this flaw to cause a denial-of-service on a dom0.


* CVE-2020-29569: Use-after-free when disconnecting Xen block devices.

A logic error when disconnecting Xen block devices may cause a use-after-free.
A rogue guest instance may be able to use this to cause a denial-of-service
on dom0.


* Restrict NLM interval based host rebinding to UDP.

Time interval based rebinding of TCP clients is not needed and may
lead to an unrecoverable situation where connections are not able to
be established.


* CVE-2020-25704: Denial-of-service in the performance monitoring subsystem.

A possible memory leak when setting a performance monitoring filter could lead to
kernel memory exhaustion. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-25656: Use-after-free in console subsystem.

Specific ioctls sent to the console subsystem could lead to a use-after-free.
A local attacker could use this flaw to read confidential data.


* CVE-2020-28974: Invalid memory access when manipulating framebuffer fonts.

A logic error when manipulating framebuffer console fonts may cause an
out-of-bounds memory read. A local attacker could use this flaw to read
privileged information or potentially cause a denial-of-service.


* Recover from memory pressure in the network layer.

After a memory pressure condition in the network layer, socket buffers
ended up always being allocated as pfmemalloc pages even after the memory
condition was over, instead of favouring the page fragment allocator.


* CVE-2020-25668: Race condition when sending ioctls to a virtual terminal.

A race condition when sending ioctls to a tty device may cause a
use-after-free. A local attacker may use this to cause memory
corruption or a denial-of-service.


* Note: Oracle will not provide a rebootless update for CVE-2020-27673.

Oracle has determined that patching this vulnerability live on a running system
would not be safe and recommends rebooting the vulnerable hosts. Only Xen
dom0 hosts running untrusted VMs are affected by this vulnerability.


* CVE-2020-29661: Use-after-free in ioctls of TTY subsystem.

A locking flaw in the ioctls of the TTY subsystem could lead to a use-after-free.
A local user could use this flaw to cause execution of arbitrary code or
a denial-of-service.


* CVE-2020-29660: Use-after-free in TTY subsystem due to locking inconsistency.

A locking inconsistency in the TTY subsystem could lead to a use-after-free.
A local user could use this flaw to cause execution of arbitrary code or
a denial-of-service.


* Note: Oracle will not be providing a rebootless update for CVE-2020-29568.

Oracle has determined that patching this vulnerability live on a running system
would not be safe and recommends rebooting the vulnerable hosts.


* Oracle has determined that CVE-2020-27815 is not applicable.

Oracle has determined that CVE-2020-27815 is not applicable: the upstream
change only corrects a false-positive linter warning, and applying the patch
produces no change in the generated object files.


* CVE-2020-35508: Multiple vulnerabilities due to a race condition.

A race condition and incorrect initialization of the process id in
the 'fork' system call implementation could lead to multiple
vulnerabilities. A local attacker could use this flaw to bypass checks
to send any signal to a privileged process.


* CVE-2020-25669: Denial-of-service in the Sun keyboard driver due to use-after-free.

A flaw in the Sun keyboard driver implementation could lead to
a use-after-free. A local attacker could use this to cause
a denial-of-service or execute arbitrary code.


* Note: Oracle is still investigating potential zero-downtime mitigations for CVE-2020-27835.

Fixes for this CVE are still undergoing analysis and testing.
A zero-downtime update may be provided at a later date.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
