Vincent Dehors discovered that the shiftfs file system in the Ubuntu Linux kernel did not properly handle faults in copy_from_user() when passing through ioctls to an underlying file system. A local attacker could use this to cause a denial of service (memory exhaustion) or execute arbitrary code.
bdea505eb4fcf592e368d096a5525e292ae2730578fbf547edea57ce828b48fd
It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code. It was discovered that the virtual file system implementation in the Linux kernel contained an unsigned to signed integer conversion error. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
85ecff3443cabbbdfd95e276021ce53f9ded3558dc511597031bf1014cb24140
Norbert Slusarek discovered a race condition in the CAN BCM networking protocol of the Linux kernel leading to multiple use-after-free vulnerabilities. A local attacker could use this issue to execute arbitrary code.
e5626ea542e0e7cf4d21b7704ad137ab9dac2e0503a662b96c9d976e9d97f88c
It was discovered that the overlayfs implementation in the Linux kernel did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux kernel did not properly validate computation of branch displacements in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
2804a214253fb2c002641f38c8aae9e4023d617f9897b0c5c01ff06e5794df2b
Ubuntu Security Notice 4917-1 - It was discovered that the overlayfs implementation in the Linux kernel did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. Vincent Dehors discovered that the shiftfs file system in the Ubuntu Linux kernel did not properly handle faults in copy_from_user when passing through ioctls to an underlying file system. A local attacker could use this to cause a denial of service or execute arbitrary code. Various other issues were also addressed.
0960410ba7e6e4040775aa7d07813ed851354f20fef02f6247a7d3b53d08796a
Ubuntu Security Notice 4915-1 - It was discovered that the overlayfs implementation in the Linux kernel did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. Vincent Dehors discovered that the shiftfs file system in the Ubuntu Linux kernel did not properly handle faults in copy_from_user when passing through ioctls to an underlying file system. A local attacker could use this to cause a denial of service or execute arbitrary code. Various other issues were also addressed.
2b1839252b77d24d87a54b70638bd57f0a4ba7b2d54f60cbe703b38834363ae3
Piotr Krysiuk discovered that the BPF subsystem in the Linux kernel did not properly apply speculative execution limits on some pointer types. A local attacker could use this to expose sensitive information (kernel memory). It was discovered that the memory management subsystem in the Linux kernel did not properly handle copy-on-write operations in some situations. A local attacker could possibly use this to gain unintended write access to read-only memory pages. Various other issues were also addressed.
469cc31bae7443b09e56a62b4aac4c6a731592910bda9c7097efee0cfc5ebb11
Elena Petrova discovered that the pin controller device tree implementation in the Linux kernel did not properly handle string references. A local attacker could use this to expose sensitive information (kernel memory). Andy Nguyen discovered that the Bluetooth A2MP implementation in the Linux kernel did not properly initialize memory in some situations. A physically proximate remote attacker could use this to expose sensitive information (kernel memory). Various other issues were also addressed.
682e52dd49535c7ff7a41efaf9cdf2164f511e0432317c6e2e9cafb8c2198527
Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. Andy Nguyen discovered that the Bluetooth A2MP implementation in the Linux kernel did not properly initialize memory in some situations. Andy Nguyen discovered that the Bluetooth HCI event packet parser in the Linux kernel did not properly handle event advertisements of certain sizes, leading to a heap-based buffer overflow.
512630109fdf9fe767bed1b49eba7332dc002fa3cdd83221748674a578aae27a
It was discovered that the F2FS file system implementation in the Linux kernel did not properly perform bounds checking on xattrs in some situations. A local attacker could possibly use this to expose sensitive information (kernel memory). It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). Other issues where also addressed.
93076523b60699a74659d86a99aa5642c64e2657baecd1f27345aa8fc2cd2b97
A security issue was fixed in the 4.15 kernel. This issue affects the 5.4 kernel as well, but a livepatch is not yet available. While work is continuing to develop livepatches for all affected kernels, due to the severity of the issue, they are releasing patches as they become ready. Or Cohen discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
a13ec104389455bc48ad854bb63cf714af2cc7fd1932c7dc38c32db57bf0e5c6
Andrew Honig reported a flaw in the way KVM (Kernel-based Virtual Machine) emulated the IOAPIC. A privileged guest user could exploit this flaw to read host memory or cause a denial of service (crash the host). It was discovered that the KVM implementation in the Linux kernel, when paravirtual TLB flushes are enabled in guests, the hypervisor in some situations could miss deferred TLB flushes or otherwise mishandle them. An attacker in a guest VM could use this to expose sensitive information (read memory from another guest VM). Al Viro discovered that the vfs layer in the Linux kernel contained a use- after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory).
ca957b71b70ae09e8f907fcd801c5a9571b9a877407f563e8bd4dc3a7e21def9
Paulo Bonzini discovered that the KVM hypervisor implementation in the Linux kernel could improperly let a nested (level 2) guest access the resources of a parent (level 1) guest in certain situations. An attacker could use this to expose sensitive information.
013a0dfba70302c800eab63aa571da076d3bc4a87d14b9f7b138548d27333d78
Mitchell Frank discovered that the Wi-Fi implementation in the Linux kernel when used as an access point would send IAPP location updates for stations before client authentication had completed. A physically proximate attacker could use this to cause a denial of service. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. Various other issues were also addressed.
3c905722a86d530e482e9a6b3bcee6079ea4d1a13dff3d803fadfd5fb541bc01
It was discovered that the binder IPC implementation in the Linux kernel did not properly perform bounds checking in some situations, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. Various other issues were also addressed.
dd9eb8a13d06fc9ad56d7a4bb1f0a271663ad5edcf7bf6387c09481d3c8486e9
It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that a heap-based buffer overflow existed in the Marvell Libertas WLAN Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.
7a78ab2637b0c415c10d8aece2f49d7cb0ffca96812fc550881491945ac50eac
On November 12, fixes for several high-severity Intel processor CVEs were released into the Ubuntu kernel, accompanied by a related processor microcode update. Due to the high complexity of the fixes and the required microcode update, we are unable to livepatch this set of CVEs. Please plan to reboot into an updated kernel as soon as possible. Various other issues were also addressed.
fff054687351f5cc49fca94a5fcdb39159f4d22bc5f7c2a6ae86bde91ebf2607
It was discovered that a race condition existed in the GFS2 file system in the Linux kernel. A local attacker could possibly use this to cause a denial of service (system crash). It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.
5442de6a129171e9103a7acd9d861ab0fda6074505e32a4ad08db9df45b30c61
Peter Pi discovered a buffer overflow in the virtio network backend (vhost_net) implementation in the Linux kernel. An attacker in a guest may be able to use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host OS.
2ae10bdb1c9632e027b75b76ad2d6e3b299967f41342245c237b87d05be2b799
It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. Various other issues were also addressed.
8660e81d1dad1d0ff9a78d762c78b37cd4c52f125cddd39f7636189484d3352f
It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other vulnerabilities have also been addressed.
3bf6f3467455c33428751c5faf437aa7d6c64fe01342c90cc65e1d94808e2336
Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. It was discovered that the Linux kernel on ARM processors allowed a tracing process to modify a syscall after a seccomp decision had been made on that syscall. A local attacker could possibly use this to bypass seccomp restrictions. Various other issues were also addressed.
6816c4785b56430dc635ceb03383ffc424c8c6dc0006c08814cc9b42003fff08
Jonathan Looney discovered that an integer overflow existed in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service (system crash). Jonathan Looney discovered that the TCP retransmission queue implementation in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service.
180fed7fbe08b89246da448a793e20ef76b9d263407b8a46ed5a13a5f4acca3b
On May 14, fixes for CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091 were released into the Ubuntu Xenial and Bionic kernels. These CVEs are security vulnerabilities caused by flaws in the design of speculative execution hardware in the computer's CPU. Researchers discovered that memory contents previously stored in microarchitectural buffers of an Intel CPU core may be visible to other processes running on the same core.
69de4e0db4eb9a888d3c2733071c2947fdcefa91285e6f095cc82c73f5ad5711
It was discovered that an integer overflow vulnerability existed in the CDRom driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.
054a56994c9bd62549cd29e0464ca1a0a7be22a3004cc645c80c0b65070bbdc0
It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly ensure that xattr information remained in inode bodies. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). Various other issues were also addressed.
fbe29704c99306a1bca47b078a9a33c2572ec3b421ae2b3cfb6ccde48d2a5412