USN-4227-1

Description

linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901) It was discovered that a heap-based buffer overflow existed in the Marvell Libertas WLAN Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14896, CVE-2019-14897) It was discovered that the Fujitsu ES network device driver for the Linux kernel did not properly check for errors in some situations, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service. (CVE-2019-16231) It was discovered that the QLogic Fibre Channel driver in the Linux kernel did not properly check for error, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16233) Anthony Steinhauser discovered that the Linux kernel did not properly perform Spectre_RSB mitigations to all processors for PowerPC architecture systems in some situations. A local attacker could use this to expose sensitive information. (CVE-2019-18660) It was discovered that the Mellanox Technologies Innova driver in the Linux kernel did not properly deallocate memory in certain failure conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19045) It was discovered that Geschwister Schneider USB CAN interface driver in the Linux kernel did not properly deallocate memory in certain failure conditions. A physically proximate attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19052) It was discovered that the AMD Display Engine Driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attack could use this to cause a denial of service (memory exhaustion). (CVE-2019-19083) It was discovered that the driver for memoryless force-feedback input devices in the Linux kernel contained a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2019-19524) It was discovered that the Microchip CAN BUS Analyzer driver in the Linux kernel contained a use-after-free vulnerability on device disconnect. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19529) It was discovered that the PEAK-System Technik USB driver in the Linux kernel did not properly sanitize memory before sending it to the device. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2019-19534) Tristan Madani discovered that the ALSA timer implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19807)

Affected Systems

• ubuntu•linux

  < 4.15.0-74.84

• ubuntu•linux-aws

  < 4.15.0-1057.59

• ubuntu•linux-aws-hwe

  < 4.15.0-1057.59~16.04.1

• ubuntu•linux-azure

  < 4.15.0-1066.71

• ubuntu•linux-gcp

  < 4.15.0-1052.56

• ubuntu•linux-gke-4.15

  < 4.15.0-1050.53

• ubuntu•linux-hwe

  < 4.15.0-74.83~16.04.1

• ubuntu•linux-kvm

  < 4.15.0-1052.52

• ubuntu•linux-oem

  < 4.15.0-1066.76

• ubuntu•linux-oracle

  < 4.15.0-1031.34~16.04.1 | < 4.15.0-1031.34

• ubuntu•linux-raspi2

  < 4.15.0-1053.57

• ubuntu•linux-snapdragon

  < 4.15.0-1070.77

References (15)

• https://ubuntu.com/security/notices/USN-4227-1
• https://ubuntu.com/security/CVE-2019-14895
• https://ubuntu.com/security/CVE-2019-14896
• https://ubuntu.com/security/CVE-2019-14897
• https://ubuntu.com/security/CVE-2019-14901
• https://ubuntu.com/security/CVE-2019-16231
• https://ubuntu.com/security/CVE-2019-16233
• https://ubuntu.com/security/CVE-2019-18660
• https://ubuntu.com/security/CVE-2019-19045
• https://ubuntu.com/security/CVE-2019-19052
• https://ubuntu.com/security/CVE-2019-19083
• https://ubuntu.com/security/CVE-2019-19524
• https://ubuntu.com/security/CVE-2019-19529
• https://ubuntu.com/security/CVE-2019-19534
• https://ubuntu.com/security/CVE-2019-19807