[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4346-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed May 6 04:59:07 PDT 2020
Synopsis: USN-4346-1 can now be patched using Ksplice
CVEs: CVE-2019-16233 CVE-2019-16234 CVE-2019-19768 CVE-2020-2732 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-9383
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4346-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
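As an added example (not part of the Ksplice announcement), the check an operator can script before rolling this out to a fleet: read the autoinstall setting from an uptrack.conf and decide whether the manual `uptrack-upgrade -y` step above is still needed on that host. The sample config files are constructed for the demonstration; the INI-style layout and the default of "no" when the key is absent are assumptions.

```shell
#!/bin/sh
# Added example, not from the announcement: decide whether a host still needs
# a manual "/usr/sbin/uptrack-upgrade -y" by reading the autoinstall setting
# from an uptrack.conf. Sample config files below are constructed.

# Print the effective autoinstall value ("yes" or "no"), ignoring comments,
# surrounding whitespace and letter case; the last assignment wins.
# Defaults to "no" when the key is absent (assumption for this example).
autoinstall_setting() {
  conf="$1"
  val=$(sed -e 's/#.*//' "$conf" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
  printf '%s\n' "${val:-no}"
}

# Print the action an operator should take for the host described by $1.
upgrade_action() {
  case "$(autoinstall_setting "$1")" in
    yes) echo "autoinstall: USN-4346-1 Ksplice updates apply automatically" ;;
    *)   echo "manual: run /usr/sbin/uptrack-upgrade -y" ;;
  esac
}

# Constructed sample configs (INI-style layout is an assumption).
SAMPLE_AUTO=$(mktemp)
SAMPLE_MANUAL=$(mktemp)
SAMPLE_MISSING=$(mktemp)
cat > "$SAMPLE_AUTO" <<'EOF'
[Settings]
# autoinstall = no   (commented out, must be ignored)
autoinstall = Yes
EOF
cat > "$SAMPLE_MANUAL" <<'EOF'
[Settings]
autoinstall = no
EOF
printf '[Settings]\n' > "$SAMPLE_MISSING"

upgrade_action "$SAMPLE_AUTO"
upgrade_action "$SAMPLE_MANUAL"
upgrade_action "$SAMPLE_MISSING"
```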
DESCRIPTION
* Invalid memory access in Fair Queue network scheduler.
A missing check on an attribute from a netlink message in the Fair Queue
network scheduler could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.
* NULL pointer dereference when transforming an IPv6 socket to an IPv4 socket.
A missing check when transforming an IPv6 socket to an IPv4 socket could
lead to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.
* Improved fix for CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.
The original fix for CVE-2020-2732 prevented a Windows guest with Hyper-V
enabled from booting.
* Memory corruption due to snprintf misuse in HD-audio driver.
A flaw in the HD-audio driver due to misuse of the snprintf return value
could lead to memory corruption and a kernel crash.
* Invalid memory access in network FIB rules.
A missing check on an attribute from a netlink message in the network FIB
rules code could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2019-16233: NULL pointer dereference when registering QLogic Fibre Channel driver.
A missing check when registration of the QLogic Fibre Channel driver fails
could lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.
* CVE-2020-8648: Use-after-free in the virtual terminal driver.
A locking error in the virtual terminal driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service or escalate privileges.
* Denial-of-service when destroying an iSCSI session.
A logic error when a user destroys an iSCSI session while a connection is
still open could lead to a kernel assertion failure. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2020-8647, CVE-2020-8649: Use-after-free in the VGA text console driver.
A missing check when resizing the console in the VGA text console driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.
* Invalid memory access in Ethernet team driver.
A missing check on an attribute from a netlink message in the Ethernet team
driver could lead to an invalid memory access. A local attacker could use
this flaw to cause a denial-of-service.
* Invalid memory access in network connection tracking helpers.
A missing check on an attribute from a netlink message in the network
connection tracking helpers could lead to an invalid memory access. A
local attacker could use this flaw to cause a denial-of-service.
* Use-after-free in the B.A.T.M.A.N. Mesh Protocol driver.
Incorrect memory management during routing of a unicast packet in the
B.A.T.M.A.N. Mesh Protocol driver leads to a use-after-free condition and
a potential kernel crash. An adversary on the same network could use this
flaw to cause a denial-of-service.
* Invalid memory access in IEEE Std 802.15.4 Low-Rate Wireless Personal Area Networks driver.
A missing check on an attribute from a netlink message in the IEEE Std
802.15.4 Low-Rate Wireless Personal Area Networks driver could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.
* Invalid memory access when sending messages over a bonding socket.
A logic error when sending messages over a bonding socket could lead to an
invalid memory access. A local attacker could use this flaw to cause a
denial-of-service.
* Deadlock when using too many slaves on a MAC-VLAN socket.
A logic error when using too many slaves on a MAC-VLAN socket could lead
to a deadlock. A local attacker could use this flaw to cause a
denial-of-service.
* Invalid memory access in NFC driver.
A missing check on an attribute from a netlink message in the NFC driver
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.
* Invalid memory access in cfg80211 driver.
A missing check on an attribute from a netlink message in the cfg80211
driver could lead to an invalid memory access. A local attacker could use
this flaw to cause a denial-of-service.
* Kernel crash in eCryptfs when handling an error.
A flaw in the error handling path of the eCryptfs (Enterprise-Class Stacked
Cryptographic Filesystem) implementation could result in a kernel crash.
* Deadlock when using too many slaves in IP-VLAN driver.
A logic error when using too many slaves in the IP-VLAN driver could lead
to a deadlock. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service in KVM when handling an error.
Error handling code in KVM (Kernel-based Virtual Machine) uses a variable
that has not been initialized, leading to unpredictable or unintended
results, including a kernel crash.
* Denial-of-service when receiving IPv4 packets over a SLIP network device.
Missing checks when receiving IPv4 packets over a SLIP network device
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.
* Denial-of-service in InfiniBand driver.
A flaw in the InfiniBand driver implementation could result in a kernel
lockup. A local, privileged user could use this flaw to lock up the kernel
by repeatedly toggling network interfaces.
* Memory leak in control plane of eCryptfs.
A memory leak in the eCryptfs (Enterprise Cryptographic Filesystem)
implementation allowed a malicious user to waste kernel memory, which could
result in an out-of-memory situation. A local, unprivileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.
* Out-of-bounds memory write when reading EFI variables from sysfs.
Lack of proper synchronization when reading EFI variables from sysfs could
lead to an out-of-bounds memory write. A local user with the ability to
read those files could use this flaw to cause a denial-of-service or
potentially escalate privileges.
* CVE-2020-9383: Information leak in floppy disk driver.
A flaw in the floppy driver could lead to an out-of-bounds read, causing an
information leak when assigning the floppy disk controller.
* Double-free when merging fragments in BATMAN wireless driver.
A logic error in the BATMAN wireless driver could corrupt memory when
merging fragments, potentially causing a denial-of-service.
* CVE-2019-16234: NULL pointer dereference when registering Intel Wireless WiFi driver.
A logic error in the error path taken when registration of the Intel
Wireless WiFi driver fails on workqueue allocation could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Multiple privilege escalations in ioctl handling of Realtek WiFi drivers.
Incorrect validation of user-provided lengths in various staging Realtek
WiFi drivers could lead to an out-of-bounds memory write. A local user with
the ability to send ioctls to those drivers could use this flaw to cause a
denial-of-service or potentially escalate privileges.
* Denial-of-service in control plane of VT subsystem.
A NULL pointer dereference in the VT subsystem could result in a kernel
crash when issuing an ioctl. A local user could use this flaw to crash
the system.
* Out-of-bounds access when using BPF netfilter.
A missing check on user input when using BPF netfilter could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2019-19768: Use-after-free when adding a new trace using the tracing block driver.
A locking error when adding a new trace using the tracing block driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service or escalate privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.