Coming hot on the heels of the latest Linux kernel security update released by Canonical on Tuesday, the new Linux kernel live patch security update fixes a total of five security vulnerabilities, which are documented as CVE-2018-11506, CVE-2018-11412, CVE-2018-13406, CVE-2018-13405, and CVE-2018-12233.
These include a stack-based buffer overflow (CVE-2018-11506) discovered by Piotr Gabriel Kosinski and Daniel Shapira in Linux kernel’s CDROM driver implementation, which could allow a local attacker to either execute arbitrary code or cause crash the system via a denial of service.
Discovered by Jann Horn, the kernel live patch also addresses a security vulnerability (CVE-2018-11412) in Linux kernel’s EXT4 file system implementation, which could allow an attacker to execute arbitrary code or crash the system via a denial of service by creating and mounting a malicious EXT4 image.
Also fixed are an integer overflow (CVE-2018-13406) discovered by Silvio Cesare in Linux kernel’s generic VESA frame buffer driver, as well as a buffer overflow (CVE-2018-12233) discovered by Shankara Pailoor in the JFS file system implementation, both allowing local attackers to either crash the system or execute arbitrary code.
The last security vulnerability (CVE-2018-13405) fixed in this latest Ubuntu Linux kernel live patch may allow a local attacker to gain elevated privileges due to Linux kernel’s failure to handle setgid file creation when the operation is performed by a non-member of the group.
Submitted by: Arnfried Walbrecht