Overview
This week we’re talking about moving IRC networks plus security updates for Pillow, Babel, Apport, X11 and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4963-1] Pillow vulnerabilities [00:55]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Python image handling library - used by many other packages for their
image handling
- All DoS issues via OOB reads and similar, so not critical
[USN-4962-1] Babel vulnerability [01:31]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Internationalisation handling for Python apps
- Directory traversal flaw - could be exploited to load arbitrary locale
.dat files - these contain serialized Python objects - so arbitrary code
execution can result
- Could use a relative path to specify a file outside the locale-data
directory
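As an added illustration (not Babel's own code): the kind of path check that closes the traversal described above, assuming a hypothetical loader that takes a locale-data directory and a locale identifier from the caller.

```python
import os
import re

# Locale data lives as pickled <locale>.dat files in one directory; because
# unpickling runs code, choosing which file is loaded must be tightly controlled.
# Allow-list for locale identifiers: language tag plus optional '_' subtags.
_LOCALE_ID = re.compile(r"^[A-Za-z]{2,8}(?:_[A-Za-z0-9]{1,8})*$")


def safe_locale_path(data_dir: str, locale: str) -> str:
    """Return the path of <locale>.dat inside data_dir, or raise ValueError.

    Two independent checks: syntactic allow-listing of the identifier, and a
    containment check on the resolved path (catches '..' and symlinks).
    """
    if not _LOCALE_ID.match(locale):
        raise ValueError(f"invalid locale identifier: {locale!r}")
    base = os.path.realpath(data_dir)
    candidate = os.path.realpath(os.path.join(base, locale + ".dat"))
    # realpath follows symlinks, so a link inside data_dir that points
    # elsewhere is rejected as well as a literal '../' in the identifier.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"locale data resolves outside {base}: {candidate}")
    return candidate


def is_safe_locale(data_dir: str, locale: str) -> bool:
    """Convenience wrapper: True if the identifier would be accepted."""
    try:
        safe_locale_path(data_dir, locale)
        return True
    except ValueError:
        return False
```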
[USN-4964-1] Exiv2 vulnerabilities [02:25]
- 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- CLI util and library (C++) for reading and modifying metadata in image
files - more Exiv2 - last covered in Episode 115
- OOB reads on metadata write
- heap buffer overflow on metadata write
- quadratic complexity algorithm on metadata write - DoS
- stack info leak on metadata read
- 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Seems it’s time for more Apport vulns - every quarter or so
- Arbitrary file read / write vulns discovered by Maik Münch
- Apport parses various details out of /proc and some of these can be
crafted by the process, i.e. process name, current working dir etc. - it
then goes to gather files etc. - and so if these details can be crafted it
can be made to read files which weren't intended via symlinks etc.
(mitigated by symlink protections in Ubuntu) - or via injection of data
into, say, dpkg queries to get it to include other files like /etc/passwd,
since this operation happens as root in Apport
- These end up in the crash dump and this can be read by the regular user
- Also when uploading via whoopsie, a race condition where the crash dump
can be replaced by a symlink and then the crash dump will be written to the
destination of the symlink - file write vuln - but again mitigated by
symlink restrictions
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- When looking up a color, failed to properly validate it - an app could
then get extra X protocol requests sent to the X server - i.e. it could
disable X server authorisation etc. so remote attackers could connect to
the local X server and snoop on input etc.
Goings on in Ubuntu Security Community
#ubuntu-hardened -> #ubuntu-security on Libera.Chat [06:45]
Get in contact