Candidate: CVE-2019-15239
PublicDate: 2019-08-20 08:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15239
 https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-tcpsocketsuaf
 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7f582b248d0a86bae5788c548d7bb5bca6f7691a
 https://lore.kernel.org/stable/41a61a2f87691d2bc839f26cdfe6f5ff2f51e472.camel@decadent.org.uk/
 https://salsa.debian.org/kernel-team/kernel-sec/blob/f6273af2d956a87296b6b60379d0a186c9be4bbc/active/CVE-2019-15239
 https://www.debian.org/security/2019/dsa-4497
 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?id=edff0f7fc52aa3fba1141755ae5aa008c51eb518
Description:
 In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.
Ubuntu-Description:
Notes:
 sbeattie> This vulnerability was introduced when 7f582b248d0a86bae5788c548d7bb5bca6f7691a was incorrectly backported to stable kernels; the upstream kernel was prevented from being vulnerable because 75c119afe14f74b4dd967d75ed9f57ab6c0ef045 had landed prior to it. Thus, for the upstream kernel, the fix for the issue predates the commit that introduced the issue.
 sbeattie> link to xenial kernel git commit above demonstrates the fix that landed to address backport kernels.
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_linux:
 break-fix: 7f582b248d0a86bae5788c548d7bb5bca6f7691a 75c119afe14f74b4dd967d75ed9f57ab6c0ef045|local-2019-15239
upstream_linux: released (2.6.12~rc2)
precise/esm_linux: ignored (was needs-triage ESM criteria)
trusty_linux: ignored (out of standard support)
trusty/esm_linux: ignored (was needs-triage ESM criteria)
xenial_linux: released (4.4.0-165.193)
esm-infra/xenial_linux: released (4.4.0-165.193)
bionic_linux: not-affected (4.13.0-16.19)
disco_linux: not-affected (4.18.0-10.11)
devel_linux: not-affected (5.0.0-13.14)

Patches_linux-hwe:
upstream_linux-hwe: released (2.6.12~rc2)
precise/esm_linux-hwe: DNE
trusty_linux-hwe: DNE
trusty/esm_linux-hwe: DNE
xenial_linux-hwe: not-affected (4.8.0-36.36~16.04.1)
esm-infra/xenial_linux-hwe: not-affected (4.8.0-36.36~16.04.1)
bionic_linux-hwe: not-affected (4.18.0-13.14~18.04.1)
disco_linux-hwe: DNE
devel_linux-hwe: DNE

Patches_linux-hwe-edge:
upstream_linux-hwe-edge: released (2.6.12~rc2)
precise/esm_linux-hwe-edge: DNE
trusty_linux-hwe-edge: DNE
trusty/esm_linux-hwe-edge: DNE
xenial_linux-hwe-edge: not-affected (4.8.0-36.36~16.04.1)
esm-infra/xenial_linux-hwe-edge: not-affected (4.8.0-36.36~16.04.1)
bionic_linux-hwe-edge: not-affected (5.0.0-15.16~18.04.1)
disco_linux-hwe-edge: DNE
devel_linux-hwe-edge: DNE

Patches_linux-lts-xenial:
upstream_linux-lts-xenial: released (2.6.12~rc2)
precise/esm_linux-lts-xenial: DNE
trusty_linux-lts-xenial: ignored (out of standard support)
trusty/esm_linux-lts-xenial: ignored (was needs-triage ESM criteria)
xenial_linux-lts-xenial: DNE
bionic_linux-lts-xenial: DNE
disco_linux-lts-xenial: DNE
devel_linux-lts-xenial: DNE

Patches_linux-lts-trusty:
upstream_linux-lts-trusty: released (2.6.12~rc2)
precise/esm_linux-lts-trusty: ignored (was needs-triage ESM criteria)
trusty_linux-lts-trusty: DNE
trusty/esm_linux-lts-trusty: DNE
xenial_linux-lts-trusty: DNE
bionic_linux-lts-trusty: DNE
disco_linux-lts-trusty: DNE
devel_linux-lts-trusty: DNE

Patches_linux-oem:
upstream_linux-oem: released (2.6.12~rc2)
precise/esm_linux-oem: DNE
trusty_linux-oem: DNE
trusty/esm_linux-oem: DNE
xenial_linux-oem: ignored (was needs-triage now end-of-life)
bionic_linux-oem: not-affected (4.15.0-1002.3)
disco_linux-oem: not-affected (4.15.0-1021.24)
devel_linux-oem: not-affected (4.15.0-1035.40)

Patches_linux-kvm:
upstream_linux-kvm: released (2.6.12~rc2)
precise/esm_linux-kvm: DNE
trusty_linux-kvm: DNE
trusty/esm_linux-kvm: DNE
xenial_linux-kvm: released (4.4.0-1059.66)
esm-infra/xenial_linux-kvm: released (4.4.0-1059.66)
bionic_linux-kvm: not-affected (4.15.0-1002.2)
disco_linux-kvm: not-affected (4.18.0-1003.3)
devel_linux-kvm: not-affected (5.0.0-1004.4)

Patches_linux-aws:
upstream_linux-aws: released (2.6.12~rc2)
precise/esm_linux-aws: DNE
trusty_linux-aws: ignored (out of standard support)
trusty/esm_linux-aws: ignored (was needs-triage ESM criteria)
xenial_linux-aws: released (4.4.0-1095.106)
esm-infra/xenial_linux-aws: released (4.4.0-1095.106)
bionic_linux-aws: not-affected (4.15.0-1001.1)
disco_linux-aws: not-affected (4.18.0-1002.3)
devel_linux-aws: not-affected (5.0.0-1004.4)

Patches_linux-aws-hwe:
upstream_linux-aws-hwe: released (2.6.12~rc2)
precise/esm_linux-aws-hwe: DNE
trusty_linux-aws-hwe: DNE
trusty/esm_linux-aws-hwe: DNE
xenial_linux-aws-hwe: not-affected (4.15.0-1030.31~16.04.1)
esm-infra/xenial_linux-aws-hwe: not-affected (4.15.0-1030.31~16.04.1)
bionic_linux-aws-hwe: DNE
disco_linux-aws-hwe: DNE
devel_linux-aws-hwe: DNE

Patches_linux-azure:
upstream_linux-azure: released (2.6.12~rc2)
precise/esm_linux-azure: DNE
trusty_linux-azure: ignored (out of standard support)
trusty/esm_linux-azure: ignored (was needs-triage ESM criteria)
xenial_linux-azure: not-affected (4.11.0-1009.9)
esm-infra/xenial_linux-azure: not-affected (4.11.0-1009.9)
bionic_linux-azure: not-affected (4.15.0-1002.2)
disco_linux-azure: not-affected (4.18.0-1003.3)
devel_linux-azure: not-affected (5.0.0-1004.4)

Patches_linux-azure-edge:
upstream_linux-azure-edge: released (2.6.12~rc2)
precise/esm_linux-azure-edge: DNE
trusty_linux-azure-edge: DNE
trusty/esm_linux-azure-edge: DNE
xenial_linux-azure-edge: not-affected (4.11.0-1009.9)
bionic_linux-azure-edge: not-affected (4.15.0-1002.2)
disco_linux-azure-edge: DNE
devel_linux-azure-edge: DNE

Patches_linux-gcp:
upstream_linux-gcp: released (2.6.12~rc2)
precise/esm_linux-gcp: DNE
trusty_linux-gcp: DNE
trusty/esm_linux-gcp: DNE
xenial_linux-gcp: not-affected (4.10.0-1004.4)
esm-infra/xenial_linux-gcp: not-affected (4.10.0-1004.4)
bionic_linux-gcp: not-affected (4.15.0-1001.1)
disco_linux-gcp: not-affected (4.18.0-1002.3)
devel_linux-gcp: not-affected (5.0.0-1004.4)

Patches_linux-gcp-edge:
upstream_linux-gcp-edge: released (2.6.12~rc2)
precise/esm_linux-gcp-edge: DNE
trusty_linux-gcp-edge: DNE
trusty/esm_linux-gcp-edge: DNE
xenial_linux-gcp-edge: DNE
bionic_linux-gcp-edge: not-affected (4.15.0-1001.1)
disco_linux-gcp-edge: DNE
devel_linux-gcp-edge: DNE

Patches_linux-gke-4.15:
upstream_linux-gke-4.15: released (2.6.12~rc2)
precise/esm_linux-gke-4.15: DNE
trusty_linux-gke-4.15: DNE
trusty/esm_linux-gke-4.15: DNE
xenial_linux-gke-4.15: DNE
bionic_linux-gke-4.15: not-affected (4.15.0-1030.32)
disco_linux-gke-4.15: DNE
devel_linux-gke-4.15: DNE

Patches_linux-gke-5.0:
upstream_linux-gke-5.0: released (2.6.12~rc2)
precise/esm_linux-gke-5.0: DNE
trusty_linux-gke-5.0: DNE
trusty/esm_linux-gke-5.0: DNE
xenial_linux-gke-5.0: DNE
bionic_linux-gke-5.0: not-affected (5.0.0-1011.11~18.04.1)
disco_linux-gke-5.0: DNE
devel_linux-gke-5.0: DNE

Patches_linux-oracle:
upstream_linux-oracle: released (2.6.12~rc2)
precise/esm_linux-oracle: DNE
trusty_linux-oracle: DNE
trusty/esm_linux-oracle: DNE
xenial_linux-oracle: not-affected (4.15.0-1007.9~16.04.1)
esm-infra/xenial_linux-oracle: not-affected (4.15.0-1007.9~16.04.1)
bionic_linux-oracle: not-affected (4.15.0-1007.9)
disco_linux-oracle: not-affected (4.15.0-1007.9)
devel_linux-oracle: not-affected (4.15.0-1011.13)

Patches_linux-raspi2:
upstream_linux-raspi2: released (2.6.12~rc2)
precise/esm_linux-raspi2: DNE
trusty_linux-raspi2: DNE
trusty/esm_linux-raspi2: DNE
xenial_linux-raspi2: released (4.4.0-1123.132)
bionic_linux-raspi2: not-affected (4.13.0-1005.5)
disco_linux-raspi2: not-affected (4.18.0-1005.7)
devel_linux-raspi2: not-affected (5.0.0-1006.6)

Patches_linux-snapdragon:
upstream_linux-snapdragon: released (2.6.12~rc2)
precise/esm_linux-snapdragon: DNE
trusty_linux-snapdragon: DNE
trusty/esm_linux-snapdragon: DNE
xenial_linux-snapdragon: released (4.4.0-1127.135)
bionic_linux-snapdragon: not-affected (4.4.0-1077.82)
disco_linux-snapdragon: not-affected (5.0.0-1010.10)
devel_linux-snapdragon: not-affected (5.0.0-1010.10)