[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4419-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Jul 15 11:28:14 PDT 2020
Synopsis: USN-4419-1 can now be patched using Ksplice
CVEs: CVE-2016-9919 CVE-2019-19768 CVE-2020-0543 CVE-2020-10711 CVE-2020-12770 CVE-2020-13143 CVE-2020-8992
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4419-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Stack corruption when invoking an ELF loader directly.
A logic error in the memory mapping of a process when invoking an ELF
loader directly could lead to a leak of the heap region into the stack
region and corrupt the stack. A local attacker could use this flaw to
cause a denial-of-service.
* CVE-2020-10711: NULL pointer dereference when using CIPSO network packet labeling.
A logic error when receiving CIPSO network packets could lead to a NULL
pointer dereference. A remote attacker could use this flaw to cause a
denial-of-service.
* CVE-2020-8992: Deadlock with an oversized journal on an ext4 filesystem.
Using an oversized journal on an ext4 filesystem could lead to a
deadlock. A local attacker could use a specially crafted ext4 filesystem
to cause a denial-of-service.
* CVE-2020-12770: Information leak/DoS in SCSI generic userspace write.
When copying data from userspace to a SCSI generic (sg) device, the
associated list entry is not properly removed, potentially causing a
denial-of-service or leaking sensitive kernel information.
* CVE-2020-13143: Out-of-bounds read when connecting to UDC.
When connecting via USB in gadget mode, the USB gadgetfs copies input
fields with strcpy, which can result in the copied buffers being smaller
than the originals. Accessing these new buffers can then result in an
out-of-bounds memory access, potentially leaking information or causing
a denial-of-service.
* Improved fix for CVE-2019-19768: Use-after-free when reporting an IO trace.
Additional race conditions exist within the trace structure that could
result in a deadlock. A user able to activate tracing on the block IO
subsystem could exploit this to create a denial-of-service.
* CVE-2016-9919: Denial-of-service on fragmented IPv6 traffic.
A missing check when receiving a fragmented IPv6 packet could cause a
panic after a timeout. A remote attacker could use this flaw to cause a
denial-of-service.
* Permission bypass when performing ptrace on processes.
A logic error in the exec code could allow an unauthorized user to
ptrace a process and write to its memory.
* Improved fix for CVE-2020-0543: Side-channel information leak using SRBDS.
The mitigation for CVE-2020-0543 might erroneously attempt to access
the control MSR even if supported CPU microcode was not available,
potentially reporting the system's vulnerability state incorrectly.
* Out-of-bounds access in Garmin USB GPS device.
Packet data from a Garmin USB GPS device is not properly validated in
length. A malicious device might be able to exploit this to cause an
out-of-bounds access, potentially causing an information leak or
denial-of-service.
* Infinite loop when dequeuing SFQ with a scaled_quantum value of 0.
The scaled_quantum field of the Stochastic Fairness Queueing scheduling
discipline is not properly validated. Values of 0 or 0x8000 could result
in infinite loops when attempting to read entries from the queue. A
malicious user with the ability to configure the scheduler might exploit
this to cause a denial-of-service.
* Potential information leak in ALSA virtual MIDI device driver.
When interacting with a virtual MIDI device, the ALSA audio subsystem
driver contains a race condition that might expose uninitialized memory
in a data buffer. A malicious user might exploit this to gain
information about the running system.
* Use-after-free when resizing a buffer in the RawMidi driver.
A logic error when resizing a buffer in the RawMidi driver while reads
and writes are in progress could lead to a use-after-free. A local
unprivileged user could use this flaw to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.