[Ksplice][Ubuntu-19.04-Updates] New Ksplice updates for Ubuntu 19.04 Disco (USN-4147-1)

Tue Oct 8 05:45:10 PDT 2019

Synopsis: USN-4147-1 can now be patched using Ksplice
CVEs: CVE-2019-0136 CVE-2019-10207 CVE-2019-13631 CVE-2019-15090 CVE-2019-15117 CVE-2019-15118 CVE-2019-15211 CVE-2019-15212 CVE-2019-15215 CVE-2019-15217 CVE-2019-15218 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15223 CVE-2019-15538 CVE-2019-15926 CVE-2019-9506

Systems running Ubuntu 19.04 Disco can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4147-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.04
Disco install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2019-15219: Denial-of-service in USB 2.0 SVGA dongle driver when using a malicious USB device.

A logic error in USB 2.0 SVGA dongle driver could lead to a NULL pointer
deference. A local attacker could use this flaw and a malicious USB
device to cause a denial-of-service.

* CVE-2019-15212: Denial-of-service plugging in malicious USB device.

Unsynchronized access to global variable in the rio500 driver leads to
memory leak and kernel crash. A malicious USB device could trigger this
vulnerability to cause a denial-of-service.

* CVE-2019-15218: Denial-of-service in Siano Mobile Digital TV USB tuner probing.

Missing error checking when setting up endpoints for a Siano Mobile
Digital TV tuner could result in an invalid pointer dereference and
kernel crash.  A physically present user with a malicious device could
use this flaw to crash the system.

* CVE-2019-15090: Out-of-bounds access in debug messages of QLogic QEDI 25/40/100Gb iSCSI Initiator driver.

A logic error in debug messages of QLogic QEDI 25/40/100Gb iSCSI
Initiator driver could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.

* CVE-2019-0136: Denial-of-service in Intel(R) wifi driver.

Insufficient access control in the Intel(R) PROSet/Wireless WiFi driver
may allow an unauthenticated user in the same network to cause a
denial-of-service.

* CVE-2019-9506: Information disclosure when transmitting over bluetooth.

The Bluetooth BR/EDR specification permits sufficiently low encryption key
length and does not prevent an attacker from influencing the key length
negotiation. This allows practical brute-force attacks (aka "KNOB") that can
decrypt traffic and inject arbitrary ciphertext without the victim noticing.

This is the fix in kernel to disallow arbitrarily short encryption key.
However, the actual bug is in the protocol so we encourage customers to
also upgrade the firmware on their bluetooth device.

* CVE-2019-15221: Out-of-bounds write in Line6 POD USB audio interface driver.

The driver for Line6 POD USB audio interfaces allocates a buffer based
on the usb_maxpacket value reported by the device itself. A malicious
device could report a value of zero to cause an out-of-bounds write,
potentially resulting in memory corruption.

* Note: Oracle will not provide zero-downtime update for CVE-2019-15220.

The vulnerability is in firmware loading which is a privileged
operation. This also requires user interaction and physical access to
the system.

* CVE-2019-15926: Out-of-bounds access in Atheros mobile chipsets driver.

A missing check on received network packet in Atheros mobile chipsets
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.

* CVE-2019-15215: Denial-of-service when disconnecting CPiA2 USB camera.

A use-after-free vulnerability in the V4L2 interface for CPiA2 USB
camera allows a malicious USB device to crash the kernel. An attacker
could exploit this to cause a denial-of-service.

* Note: Oracle will not provide a zero-downtime update for CVE-2019-15211.

* CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.

A missing check in some Bluetooth drivers could lead to a NULL
pointer dereference triggered by an unprivileged user while executing
certain tty operations.  This could be exploited to cause a denial of
service attack.

* CVE-2019-15118: Stack overflow when checking input source type in ALSA USB driver.

A logic error when checking input source type in ALSA USB driver could
lead to a stack overflow. A local attacker could use this flaw to cause
a denial-of-service.

* CVE-2019-15117: Out-of-bounds access when parsing USB descriptor in ALSA USB driver.

A missing check when parsing USB descriptor in ALSA USB driver could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.

* CVE-2019-15538: Denial-of-service in XFS filesystem with Quota support enabled.

A locking error when XFS filesystem raise its quota limit could let
a local or remote attacker cause a denial-of-service using chgrp on such
filesystem.

* Note: Oracle will not provide a zero downtime update for CVE-2019-15223.

The vulnerability requires physical access to connect/disconnect a USB
device.

* CVE-2019-15217: NULL pointer deference when using USB ZR364XX Camera driver.

A missing check when querying capabilities of USB ZR364XX Camera device
from user space could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.

* CVE-2019-13631: Denial-of-service in GTCO CalComp/InterWrite tablet.

Missing range checks could allow an out-of-bounds stack memory write
when parsing USB descriptors.  A physically present user could use a
malicious device to trigger an out-of-bounds access leading to a kernel
crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.