Episode 104

Overview

This week we take a look at a long-awaited update of Thunderbird in Ubuntu 20.04LTS, plus security updates for Open vSwitch, JUnit 4, PostSRSd, GNOME Autoar and more.

This week in Ubuntu Security Updates

14 unique CVEs addressed

[USN-4729-1] Open vSwitch vulnerability [00:55]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-35498
• Most convoluted CVE description: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.

[USN-4731-1] JUnit 4 vulnerability [02:05]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-15250
• Tests that used rule TemporaryFolder would use /tmp which is world accessible - so contents could be read by other users - so if tests were writing API keys or passwords these would be able to be read by others users -> info disclosure. Fixed to create temp directory with permissions so it is only readable by the owner.

[USN-4730-1] PostSRSd vulnerability [02:57]

• 1 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2020-35573
• Postfix Sender Rewriter Scheme Daemon - Used for rewriting sender email addresses when forwarding emails from hosts that use SPF - rewrites the address to appear to come from your hosts address and allows you to do the inverse and appropriately handle and bounces etc by reverse-rewriting the sender address to recover the original address
• Could cause a CPU based DoS by excessive processing if an email contained an exceedingly long SRS timestamp - fixed to just reject those which are past the expected regular size

[USN-4732-1] SQLite vulnerability [04:20]

• 1 CVEs addressed in Groovy (20.10)
  • CVE-2021-20227
• Only affected more recent releases of sqlite - could cause a crash on particular query constructs

[USN-4733-1] GNOME Autoar vulnerability [04:42]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-36241
• Another archive extraction symlink traversal issue - gnome-autoar is a library used by nautilus and other gnome components when handling archives - ie right click an archive in nautilus and select “extract here”
• If an archive contained a file whose parent was a symlink that pointed outside the destination directory, would blindly follow the symlink and overwrite arbitrary files - instead fixed to check if is a symlink with an absolute target OR one that points outside the destination folder via relative path and reject in that case

[USN-4734-1, USN-4734-2] wpa_supplicant and hostapd vulnerabilities [06:01]

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-12695
  • CVE-2021-0326
• Possible OOB write when doing a wifi-direct / p2p search - so an attacker just has to be in radio range when the victim performs a P2P discovery aka wifi direct search - discovered by Google’s OSS-Fuzz project
• CallStranger (Episode 91) - UPnP callback reflection

[USN-4735-1] PostgreSQL vulnerability [07:23]

• 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-3393
• Latest upstream 12.6 release to fix a possible info leak which could occur when handling particular errors - if a user had the permission to UPDATE on a partitioned table but not the SELECT privilege on some column and tried to UPDATE on that column, the resulting error message concerning this constraint violation could leak values on the columns which the user did not have permission. Rare setup so unlikely to be affected in practice.

[USN-4736-1] Thunderbird vulnerabilities [08:18]

• 6 CVEs addressed in Groovy (20.10)
  • CVE-2020-15685
  • CVE-2021-23964
  • CVE-2021-23960
  • CVE-2021-23954
  • CVE-2021-23953
  • CVE-2020-26976
• Update to latest upstream release 78.7, usual spread of issues for TB (derived from firefox) - DoS, info leak, RCE. Also possible response injection attack from a person-in-the-middle during STARTTLS connection setup - ie could inject unencrypted response which would then be evaluated after the encrypted connection was setup so would get treated as coming from the trusted host.

Goings on in Ubuntu Security Community

Thunderbird to be upgraded to 78.x in Ubuntu 20.04 LTS [09:32]

• Lead by oSoMoN (Olivier Tilloy) from Desktop Team
• 68.x no longer supported upstream and not really practical to backport security fixes for this old codebase
• 78.x as a new major version introduces a bunch of breaking changes, in particular with handling of PGP - previously TB had no native support for PGP but Enigmail addon provided this
• Now does support PGP itself and enigmail is not supported anymore - new internal PGP is a bit different and requires migration - this should be handled automatically by the new version to migrate existing enigmail users across
• A couple other packages tinyjsd and junit are also not supported by TB 78
  • tinyjsd - JS debugger with a particular focus on being able to debug TB extensions etc
  • jsunit - unit testing tool for TB to allow add-on developers to setup unit tests for their extensions and to run these in TB/FF etc
  • these will be replaced by empty packages in the Ubuntu archive for 20.04
• Once this is done will then look to do Bionic (18.04 LTS) as well
• https://discourse.ubuntu.com/t/thunderbird-lts-update/20819

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter