SB2021010620 - Ubuntu update for linux

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2020-12912)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the Running Average Power Limit (RAPL) interface. A local user can gain unauthorized access to sensitive information on the system.

2) Incorrect calculation (CVE-ID: CVE-2020-29534)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to incorrect calculation within the __put_task_struct() and copy_process() functions in kernel/fork.c, within the __io_cqring_fill_event(), io_dismantle_req(), io_req_free_batch_finish(), io_req_free_batch(), io_close_prep(), io_req_drop_files(), io_req_set_file(), io_init_req(), io_submit_sqes(), io_sq_thread(), io_uring_alloc_task_context(), io_sq_offload_start(), io_wq_files_match(), io_uring_cancel_files(), io_cancel_task_cb(), SYSCALL_DEFINE6() and io_uring_get_fd() functions in fs/io_uring.c, within the exit_files() function in fs/file.c, within the bprm_execve() function in fs/exec.c. A local user can execute arbitrary code.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-4678-1