[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4680-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jan 21 02:53:29 PST 2021


Synopsis: USN-4680-1 can now be patched using Ksplice
CVEs: CVE-2019-19770 CVE-2020-10135 CVE-2020-24490 CVE-2020-25656 CVE-2020-25668 CVE-2020-25705 CVE-2020-27675 CVE-2020-28974

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4680-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2020-24490: Privilege escalation in Bluetooth subsystem due to heap buffer overflow.

A flaw in the Bluetooth implementation could lead to a heap buffer overflow
when processing extended advertising report events. A remote attacker
could use this flaw to cause a denial of service or to potentially
execute arbitrary code on the system by sending a specially crafted
Bluetooth packet.


* CVE-2020-25656: Use-after-free in console subsystem.

Specific ioctls sent to the console subsystem could lead to a use-after-free.
A local attacker could use this flaw to read confidential data.


* CVE-2020-28974: Invalid memory access when manipulating framebuffer fonts.

A logic error when manipulating framebuffer console fonts may cause an
out-of-bounds memory read. A local attacker could use this flaw to read
privileged information or potentially cause a denial-of-service.


* CVE-2020-25705: ICMP rate-limiter can indirectly leak UDP port information.

The predictability of the rate at which ICMP messages are rate-limited
can be used by attackers to effectively scan for open UDP ports on a
remote system.


* CVE-2020-25668: Race condition when sending ioctls to a virtual terminal.

A race condition when sending ioctls to a tty device may cause a
use-after-free. A local attacker may use this to cause memory
corruption or a denial-of-service.


* CVE-2020-10135: Bluetooth devices can be paired without proper credentials.

Logic errors in the Bluetooth pairing code path can allow unauthenticated users
to pair devices without proper credentials.  An attacker in close proximity to
a target system could use this flaw to pair malicious Bluetooth devices to that
system without proper authentication.


* Btrfs hangs during second buffer writeback attempt.

Due to incorrect handling of an error condition, it is possible for
certain lock bits to remain set unexpectedly after a failed attempt to
write back an extent buffer.  A second attempt to write back the failed
data will hang forever waiting for the lock bit to clear.  This flaw
could potentially be exploited by a local attacker to cause a
denial-of-service to the filesystem.


* CVE-2020-27675: Race condition when reconfiguring paravirtualized Xen devices.

Removing an event channel while reconfiguring paravirtualized devices may cause
a race condition leading to a null pointer dereference. A local attacker could
use this flaw to cause a denial-of-service on a dom0.


* CVE-2019-19770: Use-after-free in debugfs from blktrace.

A race condition in the use of debugfs from blktrace can cause a buffer
to be dereferenced after it has been freed, leading to a use-after-free.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
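
A host-side check for the INSTALLING THE UPDATES steps above, as an added
example that is not part of Oracle's announcement: it reports whether
"autoinstall = yes" is set and which CVEs from the CVEs: line do not appear
in the output of Uptrack's uptrack-show command. The function and variable
names are illustrative, and it assumes update descriptions carry their CVE ids.

```shell
#!/bin/sh
# Added example: verify Ksplice coverage for USN-4680-1 on one host.
# CVE ids are copied from the advisory's "CVEs:" line.
USN_CVES="CVE-2019-19770 CVE-2020-10135 CVE-2020-24490 CVE-2020-25656
CVE-2020-25668 CVE-2020-25705 CVE-2020-27675 CVE-2020-28974"

# Print "yes" if the uptrack.conf given as $1 contains "autoinstall = yes",
# otherwise "no". Comment lines are skipped and the last assignment wins.
autoinstall_state() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val)
            if (tolower(key) == "autoinstall") state = tolower(val)
        }
        END { if (state == "yes") print "yes"; else print "no" }
    ' "$1"
}

# Read an update listing on stdin and print the advisory CVEs it does not
# mention. Assumption: each update description names its CVE id, as the
# DESCRIPTION entries of the advisory do.
missing_cves() {
    listing=$(cat)
    missing=""
    for cve in $USN_CVES; do
        # Require a non-digit after the id so a longer id is not a match.
        if ! printf '%s\n' "$listing" | grep -Eq "${cve}([^0-9]|\$)"; then
            missing="$missing $cve"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Run against the live system only when called with --check.
if [ "${1:-}" = "--check" ]; then
    echo "autoinstall: $(autoinstall_state /etc/uptrack/uptrack.conf)"
    echo "CVEs without a live patch: $(uptrack-show | missing_cves)"
fi
```

An empty list after "CVEs without a live patch:" means all eight ids were found. The Btrfs writeback fix has no CVE id and is not covered by this check.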




