New Ubuntu kernel update, and this is the good thing about using a Linux distribution with a major company behind it, such as Canonical. Updated kernel versions have been released for all supported Ubuntu versions, which matches Ubuntu 19.04 Disco Dingo, Ubuntu 18.04 Bionic Beaver, and Ubuntu 16.04 Xenial Xerus. It is a perfect time to remember how important it was / is to upgrade from Ubuntu 18.10 to Ubuntu 19.04, since it is the first security update that Cosmic Cuttlefish has not received since its arrival at the end of its life cycle.
The severity of the problems discovered has been labeled medium urgency and those detected in Disco Dingo are different from those detected in Bionic Beaver and Xenial Xerus. In fact, in the update for Ubuntu 16.04 we read that «This update provides the corresponding updates for Ubuntu 18.04 Linus Hardware Enablement (HWE) for Ubuntu 16.04 LTS«. Below we explain more details about the bugs discovered and repaired.
Disco Dingo kernel update fixes 4 security flaws
The new kernel version for Ubuntu 19.04 has been launched today and solve:
- CVE-2019-11487: it was discovered that an integer overflow existed in the Linux kernel when referencing pages, leading to potential usability issues after it was released. A local attacker could use this to cause a denial of service (unexpected shutdown) or possibly execute arbitrary code.
- CVE-2019-11599: Jann Horn discovered that a race condition existed in the Linux kernel when performing memory dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information.
- CVE-2019-11833: The ext4 file system implementation in the Linux kernel was found to not properly close memory in some situations. A local attacker could use this to expose sensitive information (kernel memory).
- CVE-2019-11884: Found that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not correctly verify that strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory).
4 other bugs fixed in Ubuntu 18.04 / 16.04
Updates for Ubuntu 18.04 y Ubuntu 16.04 They have also been released today and fix, in addition to the bugs CVE-2019-11833 and CVE-2019-11884 explained above, the following:
- CVE-2019-11085: Adam Zabrocki found that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap () ranges in some situations. A local attacker could use this to cause a denial of service (unexpected shutdown) or possibly execute arbitrary code.
- CVE-2019-11815: It was discovered that in the implementation of the Reliable Datagram Sockets (RDS) protocol in the Linux kernel there was a race condition that led to use after release. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (unexpected shutdown) or possibly execute arbitrary code.
For the moment, it is unknown if these bugs are also present in Linux version 5.2 which already includes Ubuntu 19.10 Eoan Ermine, but Canonical has not updated their kernel, which may mean either that they are not in a rush as this is a development release or that they are not affected by recently discovered bugs.
Update now
Canonical recommends updating all users of Ubuntu 19.04, Ubuntu 18.04 and Ubuntu 16.04 as soon as possible, since the level of "medium" urgency it means that the bugs are not difficult to exploit. Personally, I would say this is another case in which I would not worry too much, since the bugs have to be exploited having physical access to the devices, but considering that to update we only have to launch the update tool and apply them, I would recommend do it in any time out. For the protection to take effect, the computer must be restarted after installing the new kernel versions.
