Overview
This week we take a deep dive look at 2 recent vulnerabilities in the
popular application containerisation frameworks, snapd and flatpak, plus we
cover security updates for MiniDLNA, PHP-PEAR, the Linux kernel and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4720-2] Apport vulnerabilities [00:53]
[USN-4721-1] Flatpak vulnerability [01:06]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Flatpak sandbox escape - Flatpak isolates applications inside their own
mount / user / etc namespaces - allows sandboxed applications to
communicate with the host via various portals - ie. open a file via a
file chooser portal (aka powerbox)
- Portal D-Bus service provides the ability to launch other subprocesses in
a new sandbox instance, following a NNP model (ie same or less privileges
as caller) (eg. used by sandboxed webbrowers to process untrusted content
inside less privileged subprocesses)
- Would previous allow a confined process to specify various environment
variables which would then get passed to the `flatpak run` command to
launch the new subprocess in its own sandbox - so fix is to sanitize
environment variables
[USN-4722-1] ReadyMedia (MiniDLNA) vulnerabilities [01:11]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Possible RCE via malicious UPnP requests - could send with chunked
encoding, this would exploit a signdness bug leading to a heap buffer
overflow
- Episode 91 - “CallStranger” - UPnP spec didn’t forbid subscription
requests with a URL on a different network segment - could allow an
attacker to cause a miniDLNA server to DoS a different endpoint
[USN-4723-1] PEAR vulnerability [02:30]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Improper handling of symlinks in archives could result in arbitrary file
overwrite via directory traversal - since PHP PEAR runs installer as
root, could then overwrite arbitrary files as root and priv esc / code
execution etc
[USN-4724-1] OpenLDAP vulnerabilities [03:14]
- 10 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Various issues
[USN-4725-1] QEMU vulnerabilities [03:20]
- 6 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Usual sorts of issues in device emulation etc resulting in info
disclosure from host to guest or a crash of qemu host process etc
[USN-4717-2] Firefox regression [03:55]
- Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Upstream Firefox regression - 85.0.1
[USN-4726-1] OpenJDK vulnerability [04:04]
- Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Not much info from upstream on this one - “incorrectly handled direct
buffering of characters” -> DoS or other unspecified impact
[USN-4713-2] Linux kernel vulnerability [04:22]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS)
- Episode 102 - LIO SCSI XCOPY issue
[USN-4727-1] Linux kernel vulnerability [04:36]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
- AF_VSOCK race conditions - local user could get code execution as root via memory corruption
[USN-4728-1] snapd vulnerability [05:11]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Gilad Reti & Nimrod Stoler from CyberArk
- Thanks to Ian Johnson from snapd team for working on the fix
Get in contact