[Ksplice][Ubuntu-19.04-Updates] New Ksplice updates for Ubuntu 19.04 Disco (5.0.0-27.28)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Sep 2 11:33:29 PDT 2019


Synopsis: 5.0.0-27.28 can now be patched using Ksplice
CVEs: CVE-2015-2150 CVE-2019-14283 CVE-2019-14284 CVE-2019-3900

Systems running Ubuntu 19.04 Disco can now use Ksplice to patch
against the latest Ubuntu kernel update, 5.0.0-27.28.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 19.04
Disco install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
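The two questions a practitioner has at this point are whether Uptrack will apply the update unattended and, afterwards, whether the fixes for the CVEs listed at the top of this announcement are actually loaded. The script below is an added example, not Oracle's code: it reads the autoinstall setting from an uptrack.conf-style file and checks an `uptrack-show` listing for each CVE id. Only `/usr/sbin/uptrack-upgrade` (named above) and `uptrack-show` are assumed to exist; the config file and the listing are constructed samples so it runs offline, and the listing layout is an assumption, which is why the check matches on the CVE id alone.

```shell
#!/bin/sh
# Added example, not Oracle's code: decide whether Ksplice Uptrack will apply
# this update on its own, and afterwards confirm that the fixes for the CVEs
# in the announcement are actually loaded. Only the commands named in the
# announcement are assumed to exist (/usr/sbin/uptrack-upgrade) plus
# uptrack-show for the listing of installed updates. The config and listing
# below are constructed samples for offline use; the listing layout is an
# assumption, so the check matches on the CVE id only.

# Exit 0 when autoinstall is enabled in an uptrack.conf-style file.
# Skips commented-out lines; tolerant of case and surrounding whitespace.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' \
        "$conf" 2>/dev/null
}

# Exit 0 when the CVE id given as $1 appears in an uptrack-show listing read
# from stdin. The id must be delimited by non-digits, so CVE-2019-1428 does
# not match CVE-2019-14283.
uptrack_listing_has_cve() {
    grep -Eq "(^|[^0-9])$1([^0-9]|\$)"
}

# Report every CVE from the argument list that the listing file $1 does not
# cover. Exit 0 only when all are covered.
uptrack_missing_cves() {
    listing="$1"; shift
    missing=0
    for cve in "$@"; do
        if ! uptrack_listing_has_cve "$cve" < "$listing"; then
            echo "not loaded: $cve"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# --- constructed sample data standing in for the live host ---
sample=$(mktemp -d)
cat > "$sample/uptrack.conf" <<'EOF'
[Settings]
# autoinstall = no
autoinstall = yes
EOF
cat > "$sample/uptrack-show.txt" <<'EOF'
Installed updates:
[1a2b3c4d] CVE-2019-14284: Denial-of-service in floppy disk formatting.
[5e6f7a8b] CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.
[9c0d1e2f] CVE-2015-2150: Denial-of-service in Xen host from the guest.
EOF

if uptrack_autoinstall_enabled "$sample/uptrack.conf"; then
    echo "autoinstall is on: Uptrack will install the update itself"
else
    echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
fi

# On a live host replace the sample with: uptrack-show > /tmp/uptrack-show.txt
# CVE-2019-3900 is expected to come up as not loaded: the announcement ships
# no zero-downtime patch for it, so vhost hosts still need a reboot.
uptrack_missing_cves "$sample/uptrack-show.txt" \
    CVE-2015-2150 CVE-2019-14283 CVE-2019-14284 CVE-2019-3900 \
    || echo "some fixes are not live; reboot into 5.0.0-27.28 for those"
rm -rf "$sample"
```

Run it as-is to see the logic on the samples; on a real host point the first function at /etc/uptrack/uptrack.conf and feed the second the output of `uptrack-show`. A CVE reported as "not loaded" after `uptrack-upgrade -y` has run is the signal that a reboot is still required, which is exactly the situation the CVE-2019-3900 note below describes.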


DESCRIPTION

* CVE-2019-14284: Denial-of-service in floppy disk formatting.

A division by zero in the setup_format_params function for the floppy
disk driver could result in a kernel crash.  A local user with access to
the floppy disk device could use this flaw to crash the system.


* NULL pointer dereference when setting the writeback property on a caching block device with no cache attached.

A logic error when a user sets the writeback property on a block device
used as a cache while no cache is attached could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when re-adding a disk to RAID array.

A null-pointer dereference when re-adding a disk to a RAID array after
failure could cause a kernel crash. This leads to a denial-of-service.


* Denial-of-service in the NFSv4 client when mounting.

A bug in the NFSv4 client leads to state corruption when mounting an NFS
filesystem in the presence of server trunking. This could lead to a
denial-of-service.


* Data-loss when writing to a FUSE mount on 32-bit systems.

An integer overflow when writing to a memory-mapped file on a
FUSE-mounted filesystem causes data to be silently discarded. This
could lead to data loss and corruption on 32-bit systems.


* Denial-of-service when validating packet against xfrm policy.

A use-after-free bug in the received-packet validation path of the xfrm
subsystem could lead the kernel to operate on freed memory. This could
cause a denial-of-service and could possibly be exploited by an attacker
to hijack control flow.


* Denial-of-service when writing in btrfs filesystem.

A race condition when performing a sync operation on a btrfs
filesystem leads to a kernel crash. An unprivileged attacker could
exploit this bug to cause a denial-of-service and possibly data
corruption.


* Denial-of-service when configuring framebuffer.

Failure to validate an ioctl parameter in the framebuffer subsystem
leads to a division-by-zero error. A local attacker with read or write
access to the framebuffer device could exploit this to cause a
denial-of-service.


* Denial-of-service when performing ioctl on vivid device.

When an ioctl is used to crop video capture from a vivid device, an
incorrect attempt to release memory leads to a kernel crash. A local
user with permission to capture video through the V4L2 interface could
use this flaw to cause a denial-of-service.


* Denial-of-service when handling a vendor command in the cfg80211 subsystem.

A NULL pointer dereference when handling a vendor command leads to a
kernel crash. This could allow an untrusted or faulty device to cause a
denial-of-service.


* Denial-of-service when receiving a packet in the mwifiex driver.

Failure to sanitize userspace data leads to an array overflow in the
mwifiex driver. This could cause kernel memory corruption and a
denial-of-service.


* Denial-of-service when opening video device in au0828 driver.

A race condition when opening a video device before it is fully
initialized leads to a NULL pointer dereference in the au0828 driver. A
local user with permission to capture video through the V4L2 interface
could use this flaw to cause a denial-of-service.


* Denial-of-service when configuring video input in pvrusb2 driver.

An undefined operation when validating a configuration parameter from
userspace leads to a buffer overflow in the pvrusb2 driver. An attacker
with permission to read from the video device could exploit this to
cause a denial-of-service.


* Denial-of-service when allocation fails in the InfiniBand subsystem.

A missing check when memory allocation fails in the cxgb4 driver could
lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service when disconnecting a Broadcom USB wifi device.

A race condition when disconnecting a Broadcom USB wifi device
immediately after connecting it could lead to a deadlock. An attacker
with physical access to the computer could exploit this to cause a
denial-of-service.


* Privilege escalation when handling signals in 32-bit emulation mode.

A bug in the 32-bit signal handling path allows userspace to bypass
Supervisor Mode Access Protection (SMAP). A malicious local process
could exploit this to escalate privileges.


* Denial-of-service in WL128x FM radio driver.

A buffer overflow when sending a command to a WL128x radio device could
lead to kernel memory corruption and possibly crash the kernel. This
could cause a denial-of-service.


* Denial-of-service in IGMP source filters.

A memory leak when removing IGMP source filters could result in
exhaustion of system memory.  A local privileged user could use this
flaw to trigger a denial-of-service.


* Denial-of-service in ANSI/IEEE 802.2 LLC type 2 packet transmission.

Incorrect error handling when transmitting packets on an LLC connection
could result in a memory leak and subsequent denial of service.


* Use-after-free in generic receive offload fragmentation.

A use-after-free in the generic receive offload code could result in a
kernel crash when receiving a fragmented packet under specific
conditions.


* Use-after-free in USB networking disconnection.

Incorrect termination of timers on USB networking device disconnection
could result in a use-after-free and kernel crash.


* Information leak in Transparent Inter-Process Communication (TIPC) TLV setting.

Incorrect bounds checks could result in copying beyond the end of an
array, leaking the contents of kernel stack memory to user-space.


* Denial-of-service in zerocopy IP sockets.

Incorrect reference counting on socket buffers for zerocopy sockets
could result in a reference count leak.  This could cause a memory leak
or potentially a use-after-free.


* CVE-2015-2150: Denial-of-service in Xen host from the guest.

A flaw in the Xen hypervisor allows guests to disable PCI_COMMAND on PCI
device reset, later causing a host crash when the guest tries to access the
device.  A local guest user could use this flaw to cause a
denial-of-service in the host.


* NULL pointer dereference when running fstrim on a bcache volume.

A missing check when running fstrim on a bcache volume could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.

Missing input validation in the floppy disk geometry setting calls could
allow a malicious local user with access to the floppy device to cause
an out-of-bounds access either crashing the system or leaking the
contents of kernel memory.


* Note: Oracle will not be providing a zero downtime update for CVE-2019-3900.

CVE-2019-3900 is a denial-of-service for vhost devices.  Virtual Machine
hosts using vhost devices for networking untrusted guests should reboot
into a newer kernel to mitigate CVE-2019-3900.


* NULL pointer dereference when using a zerocopy skb pointer.

A missing check when using a zerocopy skb pointer could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when releasing virtual sockets.

A missing free of resources when releasing virtual sockets could lead to
a memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Out-of-bounds access when computing the channel bitmap in the System Trace Module.

A logic error when computing the channel bitmap in the System Trace
Module could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when using network ESP transformation offload.

A logic error in the error path when using network ESP transformation
offload could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Use-after-free when removing a mac80211 network interface.

Failure to cancel pending operations when removing a mac80211 network
interface could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* Invalid memory access when receiving a packet from Intel Wireless WiFi MVM firmware.

A missing check when receiving a packet from Intel Wireless WiFi MVM
firmware could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* Information leak when using the ext4 filesystem in direct IO and nojournal mode.

A logic error when using the ext4 filesystem in direct IO and nojournal
mode could lead to an information leak or on-disk corruption. A local
attacker could use this flaw to corrupt data or leak sensitive
information.


* Use-after-free when freeing a map in a BPF program.

A synchronization error when freeing a map in a BPF program could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Buffer overflow when getting the volume ID in the Andrew File System.

A logic error when getting the volume ID in the Andrew File System could
lead to a buffer overflow. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when relocating data in BTRFS.

A logic error when relocating data in BTRFS could lead to a kernel
assertion failure. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when the root key is not found in BTRFS.

A logic error when the root key is not found in BTRFS could lead to a
kernel assertion failure. A local attacker could use this flaw to cause
a denial-of-service.


* NULL pointer dereference when using the Redpine Signals Inc 91x WLAN driver.

A missing check when using the Redpine Signals Inc 91x WLAN driver
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when configuring firmware in Realtek wireless drivers.

Missing checks when configuring firmware in Realtek wireless drivers
could lead to NULL pointer dereferences. A local attacker could use this
flaw to cause a denial-of-service.


* NULL pointer dereference when queuing a command in the QLogic QEDF 25/40/100Gb FCoE Initiator driver.

A missing return value when queuing a command in the QLogic QEDF
25/40/100Gb FCoE Initiator driver could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
