Overview
For the last episode of 2020, we look back at the most “popular”
packages on this podcast for the year as well as the biggest
vulnerabilities of 2020, plus a BootHole presentation at Ubuntu Masters
and the vulnerability fixes from the past week.
This week in Ubuntu Security Updates
21 unique CVEs addressed
[USN-4660-1] Linux kernel vulnerabilities [01:04]
- 10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
- Episode 99
[USN-4661-1] Snapcraft vulnerability [01:36]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- itszn reported via Launchpad - LD_LIBRARY_PATH as generated by snapcraft
would contain an empty element - which the dynamic loader treats as the
current working directory - so if an attacker can drop a malicious library
that will be loaded by a snap (eg. libc.so) into your home dir (which the
snap can read since the home plug is used by almost all snaps - and is
autoconnected on non-Ubuntu Core systems) then running the snap from there
would allow the attacker to get code execution in the context of any
affected snap
- Fixed in snapcraft - and via the snap USN notification service all
affected snap publishers were notified - they just need to rebuild their
snaps and users will be protected via snap refresh
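As an added example (not snapcraft's or snapd's code) of the mechanism described above: a model of how a generated wrapper can leave an empty element in LD_LIBRARY_PATH, a check that finds such elements, the fixed builder, and a simplified model of ld.so's search order showing why a libc.so dropped in the current directory wins over the system copy. The snap directory, file paths and caller names are constructed placeholders.

```python
# Added example, not snapcraft's or snapd's code. It models how a generated
# snap wrapper could end up with an empty element in LD_LIBRARY_PATH, why
# ld.so then searches the current working directory, and the fix. The snap
# directories and file paths below are constructed placeholders.

SYSTEM_LIB_DIRS = ("/lib", "/usr/lib")   # searched by ld.so after LD_LIBRARY_PATH


def build_ld_library_path_buggy(snap_dirs, inherited):
    """Naive join: prepend the snap's lib dirs to the inherited value.

    When `inherited` is "" (the common case when a snap is launched from a
    desktop session) this produces a trailing ':' and thus an empty element.
    """
    return ":".join(snap_dirs) + ":" + inherited


def build_ld_library_path_fixed(snap_dirs, inherited):
    """Join only non-empty elements so no empty element can be introduced."""
    elements = list(snap_dirs) + inherited.split(":")
    return ":".join(e for e in elements if e)


def empty_elements(ld_library_path):
    """Indexes of empty elements in LD_LIBRARY_PATH.

    Each one makes ld.so search the current working directory at that point
    in the order. A completely empty LD_LIBRARY_PATH is ignored by ld.so, so
    it is reported as having none.
    """
    if not ld_library_path:
        return []
    return [i for i, e in enumerate(ld_library_path.split(":")) if e == ""]


def resolve_library(name, ld_library_path, cwd, files):
    """Simplified model of ld.so's search: LD_LIBRARY_PATH in order (an empty
    element meaning `cwd`), then the system directories. `files` is a set of
    absolute paths standing in for the filesystem. RPATH/RUNPATH and the
    ld.so cache are deliberately left out of this model.
    """
    search = []
    if ld_library_path:
        search += [cwd if e == "" else e for e in ld_library_path.split(":")]
    search += list(SYSTEM_LIB_DIRS)
    for directory in search:
        candidate = f"{directory}/{name}"
        if candidate in files:
            return candidate
    return None


# Constructed scenario: the snap ships no libc of its own, the victim's home
# dir is the cwd and contains an attacker-dropped libc.so.6.
SNAP_LIB_DIRS = ["/snap/example/1/lib"]
VICTIM_CWD = "/home/victim"
FILES = {"/home/victim/libc.so.6", "/lib/libc.so.6"}

if __name__ == "__main__":
    buggy = build_ld_library_path_buggy(SNAP_LIB_DIRS, "")
    fixed = build_ld_library_path_fixed(SNAP_LIB_DIRS, "")
    print("buggy:", buggy, "->", resolve_library("libc.so.6", buggy, VICTIM_CWD, FILES))
    print("fixed:", fixed, "->", resolve_library("libc.so.6", fixed, VICTIM_CWD, FILES))
```

The same check applies to any wrapper script or unit file that builds LD_LIBRARY_PATH (or PATH) by string concatenation: a leading, trailing or doubled colon is the thing to grep for.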
[USN-4656-2] X.Org X Server vulnerabilities [04:20]
- 2 CVEs addressed in Trusty ESM (14.04 ESM)
- Episode 99
[USN-4662-1] OpenSSL vulnerability [04:34]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- NULL pointer dereference when comparing two GENERAL_NAMEs containing an
EDIPARTYNAME - so if an attacker can trigger this they can cause a crash ->
DoS in any application which uses OpenSSL for TLS handling etc - this can
be done if an attacker can get a client to check a malicious cert against
a malicious CRL - and since some apps auto-download CRLs based on URLs
presented in the cert itself this is not an unreasonable scenario - hence
high priority as the attack complexity is not high in this case
[USN-4663-1] GDK-PixBuf vulnerability [05:53]
- 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10)
- infinite loop when handling a crafted LZW compression code in GIF images -> DoS
[USN-4664-1] Aptdaemon vulnerabilities [06:31]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Kevin Backhouse from GitHub reported via Launchpad
- aptdaemon provides a D-Bus API for installing packages - including an
InstallFile method to install a local .deb - and uses PolicyKit to ensure
that unprivileged users cannot use this to install packages - however,
that check only occurred after the .deb had been parsed - so if there were
vulns in the parsing (which is provided by apt itself) - since aptd runs
as root these could be used to get code execution as root - fixed by
moving the auth checks to occur before parsing anything
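As an added example (not aptdaemon's code) of the ordering bug described above: a model of an InstallFile-style handler in both orderings, with counters showing that the vulnerable version lets an unauthorised caller push bytes through the root-privileged parser while the fixed version rejects the caller before any parsing happens. D-Bus, PolicyKit and apt's .deb parser are replaced by stand-ins, and the caller names, action id and control-file samples are constructed.

```python
# Added example, not aptdaemon's code. It models the ordering bug described
# above: an InstallFile-style handler that parses caller-supplied data before
# asking PolicyKit whether the caller may install anything. D-Bus, PolicyKit
# and apt's .deb parser are replaced with stand-ins; the caller names,
# action id and control-file samples are constructed for the example.


class NotAuthorized(Exception):
    pass


class ParseError(Exception):
    pass


# Constructed sample inputs: a well-formed control record and junk bytes.
GOOD_DEB = b"Package: hello\nVersion: 1.0\n"
BAD_DEB = b"\xff\xfe this is not a control file"


class AptDaemonModel:
    INSTALL_ACTION = "org.example.apt.install-file"   # hypothetical polkit action id

    def __init__(self, authorized_callers):
        self.authorized = set(authorized_callers)
        self.parser_invocations = 0   # how often caller data reached the parser

    def _check_polkit(self, caller):
        """Stand-in for a PolicyKit CheckAuthorization call."""
        if caller not in self.authorized:
            raise NotAuthorized(f"{caller} is not allowed {self.INSTALL_ACTION}")

    def _parse_control(self, data):
        """Stand-in for the .deb parsing that runs as root. Every byte that
        reaches it is attack surface, which is why it must only ever see
        input from an authorised caller."""
        self.parser_invocations += 1
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ParseError("control data is not valid UTF-8") from exc
        fields = {}
        for line in text.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                raise ParseError(f"malformed line: {line!r}")
            fields[key.strip()] = value.strip()
        if "Package" not in fields:
            raise ParseError("missing Package field")
        return fields

    def install_file_vulnerable(self, caller, deb_bytes):
        """Original ordering: parse first, authorise second."""
        fields = self._parse_control(deb_bytes)
        self._check_polkit(caller)
        return fields["Package"]

    def install_file_fixed(self, caller, deb_bytes):
        """Fixed ordering: authorise before touching caller-controlled data."""
        self._check_polkit(caller)
        fields = self._parse_control(deb_bytes)
        return fields["Package"]

    def attempt(self, handler, caller, deb_bytes):
        """Run a handler and return (outcome, parser invocations it caused),
        where outcome is the package name or the exception class name."""
        before = self.parser_invocations
        try:
            outcome = handler(caller, deb_bytes)
        except (NotAuthorized, ParseError) as exc:
            outcome = type(exc).__name__
        return outcome, self.parser_invocations - before
```

The general rule this illustrates for any privileged service exposed over D-Bus or a socket: decide whether the caller is allowed to do anything at all before decoding, unpacking or parsing what they sent, because the parser is usually the largest piece of attack surface the service has.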
[USN-4665-1] curl vulnerabilities [08:32]
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Various issues:
- memory leak in handling of FTP wildcard matching -> DoS
- failure to properly validate OCSP responses
- incorrect handling of the CONNECT_ONLY option -> could end up connected to
the wrong host -> info leak
- incorrect handling of FTP PASV responses - server can respond with an
alternate IP address + port to connect to -> could then trick clients
into doing port-scanning on their behalf or other info gathering etc
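As an added example (not curl's code) for the PASV issue above: a strict parser for the FTP 227 reply, a check that flags a server steering the data connection to a different host, and the two client policies for that address. Trusting it is what lets a malicious server use the client as a scanner; ignoring it and reusing the control connection's host is what curl's --ftp-skip-pasv-ip option selects. The replies and addresses are constructed.

```python
# Added example, not curl's code. It parses an FTP PASV (227) reply and shows
# the two policies for the address it carries: trusting it (the behaviour the
# text describes being abused) or ignoring it and reusing the control
# connection's host, which is what curl's --ftp-skip-pasv-ip option selects.
# The replies and addresses below are constructed.

import re

_PASV_RE = re.compile(
    r"^227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvError(ValueError):
    pass


def parse_pasv(reply):
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    reply. Strict: requires the parenthesised form, octets <= 255 and a
    non-zero port."""
    m = _PASV_RE.match(reply)
    if not m:
        raise PasvError(f"not a PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise PasvError("value out of range in PASV reply")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise PasvError("PASV reply carries port 0")
    return host, port


def is_valid_pasv(reply):
    try:
        parse_pasv(reply)
        return True
    except PasvError:
        return False


def pasv_redirects(reply, control_host):
    """True when the server asks the client to open the data connection to a
    host other than the one it is already talking to."""
    host, _ = parse_pasv(reply)
    return host != control_host


def data_endpoint(reply, control_host, trust_pasv_ip=False):
    """Where the data connection should go. With trust_pasv_ip=False the
    server can only steer the client to another port on itself, never to a
    third host, so the client cannot be used to probe other machines."""
    host, port = parse_pasv(reply)
    if trust_pasv_ip:
        return host, port
    return control_host, port


# Constructed replies: a benign one and one pointing at an internal host/port.
CONTROL_HOST = "203.0.113.10"
BENIGN_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)."
EVIL_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)."
```

A client that must honour the PASV address (for example behind odd NAT setups) should at least log when pasv_redirects() is true, since a legitimate server rarely has a reason to point the data connection at a different host.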
Goings on in Ubuntu Security Community
Look back over 2020 of the Ubuntu Security Podcast
Top 20 most featured packages [10:09]
- 81 Linux kernel
- 16 Firefox
- 7 PHP
- 6 Thunderbird
- 6 Samba
- 6 NSS
- 6 Django
- 5 WebKitGTK+
- 5 Tomcat
- 5 Squid
- 5 QEMU
- 5 OpenLDAP
- 5 MySQL
- 5 ClamAV
- 4 X.Org X Server
- 4 SQLite
- 4 Python
- 4 ppp
- 4 OpenSSL
- 4 OpenJDK
Most high profile vulnerabilities [12:53]
Ubuntu Masters 4 - Together We Sink or Swim: Plugging the BootHole [14:12]
Hiring [15:58]
AppArmor Security Engineer
Engineering Director - Ubuntu Security
Engineering Manager - Ubuntu Security
Get in contact