CVE-2019-11484: 
Linux Ubuntu vulnerability analysis and mitigation

Kevin Backhouse discovered an integer overflow vulnerability (CVE-2019-11484) in bson_ensure_space, as used in whoopsie, Ubuntu's error tracker submission system. The vulnerability was disclosed on April 23, 2019, affecting multiple versions of Ubuntu including 16.04 LTS, 18.04 LTS, 19.04, and 19.10 (MITRE, NVD).

The vulnerability is classified as an Integer Overflow or Wraparound (CWE-190) with a CVSS v3.1 base score of 7.8 (High) according to NVD's assessment. The vulnerability vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability could allow a local attacker to cause a denial of service, expose sensitive information, or execute code as the whoopsie user by processing specially crafted crash reports. The issue specifically occurs when Whoopsie incorrectly handles very large crash reports (Ubuntu Security Notice).

The vulnerability was patched in multiple Ubuntu versions with the following package versions: Ubuntu 19.10 (0.2.66ubuntu0.1), Ubuntu 19.04 (0.2.64ubuntu0.2), Ubuntu 18.04 (0.2.62ubuntu0.2), and Ubuntu 16.04 (0.2.52.5ubuntu0.2). A standard system update will apply the necessary fixes. However, the initial fix (USN-4170-1) caused a regression that was later addressed in USN-4170-2 with updated package versions (Ubuntu Notice, Ubuntu Notice 2).