CVE-2019-5489

Published: 07 January 2019

The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(5.4.0-9.12)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-60.67)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.4.0-157.185)
Ubuntu 14.04 ESM (Trusty Tahr) Ignored
(was needed ESM criteria)
Patches:
Introduced by 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed by 134fca9063ad4851de767d1768180e5dede9a881
linux-aws
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(5.4.0-1004.4)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1047.49)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.4.0-1090.101)
Ubuntu 14.04 ESM (Trusty Tahr) Ignored
(was needed ESM criteria)
linux-aws-5.0
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.0.0-1021.24~18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-aws-hwe
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.15.0-1047.49~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-azure
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(5.4.0-1005.5)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.0.0-1014.14~18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.15.0-1056.61)
Ubuntu 14.04 ESM (Trusty Tahr) Ignored
(was needed ESM criteria)
linux-azure-5.3
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.3.0-1007.8~18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-azure-edge
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.0.0-1014.14~18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.15.0-1056.61)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-euclid
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Ignored
(was needed ESM criteria)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-flo
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Ignored
(abandoned)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-gcp
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(5.4.0-1002.2)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1042.45)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.15.0-1041.43)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gcp-5.3
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.3.0-1008.9~18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gcp-edge
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1042.45)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gke
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Ignored
(end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gke-4.15
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1041.43)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gke-5.0
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.0.0-1013.13~18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-goldfish
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Ignored
(end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-grouper
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-hwe
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.0.0-25.26~18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.15.0-60.67~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-hwe-edge
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Ignored
(was pending \[5.3.0-19.20~18.04.2\] now end-of-life)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.15.0-60.67~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-kvm
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(5.4.0-1003.3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1043.43)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.4.0-1052.59)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-lts-trusty
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-lts-utopic
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [end-of-life])
linux-lts-vivid
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [end-of-life])
linux-lts-wily
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [end-of-life])
linux-lts-xenial
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Ignored
(was needed ESM criteria)
linux-maguro
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-mako
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Ignored
(abandoned)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-manta
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-oem
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1056.65)
Ubuntu 16.04 LTS (Xenial Xerus) Ignored
(was needs-triage now end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-oem-5.4
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(5.4.0-1002.4)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-oem-osp1
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.0.0-1018.20)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-oracle
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(5.4.0-1003.3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1022.25)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.15.0-1022.25~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-oracle-5.0
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.0.0-1007.12~18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-raspi2
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(5.4.0-1004.4)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1044.47)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.4.0-1117.126)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-raspi2-5.3
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.3.0-1017.19~18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-snapdragon
Launchpad, Ubuntu, Debian
Upstream
Released (5.2~rc1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1062.69)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.4.0-1121.127)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Notes

AuthorNote
tyhicks
On 2018-01-06, a potential fix for this issue was committed in the
upstream kernel git tree. The potential fix changes the behavior of the
mincore(2) system call in ways that could possibly break userspace
applications. The potential fix landed during the kernel's "merge window"
which allows for the change to mature and receive additional testing.
Applying the potential fix to Ubuntu kernels, at this time, could potentially
break some existing applications. Ubuntu will continue to monitor related
changes in the upstream kernel and evaluate/test the potential fix.
sbeattie
v1 fix was reverted. v2 of fix is now
134fca9063ad4851de767d1768180e5dede9a881

References