Canonical recently fixed a bunch of serious security flaws in Ubuntu 18.04, but it turns out that the major update introduced two more vulnerabilities. Apparently, “USN-3871-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. Unfortunately, that update introduced regressions with docking station displays and mounting ext4 file systems with the meta_bg option enabled”, the new security advisory reads.
Recent Ubuntu 18.04 Update Triggers Two Other Bugs, Patch Recommended
Even though the issues triggered by the update are not as serious asthe initial bugs, patching is still highly recommended. The new patch comes to take the place of the problematic linux-image 4.15.0-44.47 with the fixed linux-image 4.15.0-45.48 kernel.
It should be noted that because of an unavoidable ABI change, the kernel updates have been given a new version number, which requires users to recompile and reinstall all third party kernel modules they might have installed.
Unless users manually uninstalled the standard kernel metapackages (such as linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well, the advisory says.
The flaws addressed in the previous patch affect all the kernel’s derivatives such as Kubuntu, Xubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Budge, Ubuntu Kylin, and Ubuntu Studio, meaning that the newly introduced issue also affects the same derivatives.
Seven of the previous fixes concern Linux kernel’s ext4 filesystem implementation; they were discovered by security researcher Wen Xu. Here’s the full list:
CVE-2018-10876, CVE-2018-10877, CVE-2018-10878, CVE-2018-10879, CVE-2018-10880, CVE-2018-10882, CVE-2018-10883
These flaws range from user-after-free and buffer overflow issues, to out-of-bounds writes. The vulnerabilities could also lead to arbitrary code execution or could even crash the system in denial-of-service attacks by exploiting a specially crafted ext4 image. That image could be mounted on a vulnerable system, researchers said.