Overview
This week we cover security updates for dpkg, logrotate, GnuPG, CUPS,
InfluxDB and more, plus we take a quick look at some open positions on the
team - come join us!
This week in Ubuntu Security Updates
31 unique CVEs addressed
dpkg vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Directory traversal vulnerability in dpkg when extracting untrusted source packages
- Debian source packages consist of two tarballs - orig and debian
- orig is unpacked first and then debian is unpacked on top of it - if orig
is crafted to contain a symlink that points to a location outside of the
source tree, then unpacking debian follows that symlink and hence can
overwrite arbitrary files outside the source directory
- Only really a problem for Debian/Ubuntu developers (anyone who unpacks
untrusted source packages)
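The two-tarball trick described above, as an added example that is not dpkg's own code. It builds a constructed "orig" tarball whose `debian` entry is a symlink out of the tree and a constructed "debian" tarball with an ordinary `debian/rules` file, unpacks them in order with a naive writer that follows whatever is already on disk, and then repeats the unpack with a check that resolves the on-disk parent directory and refuses writes that escape the source tree. `make_tar`, `unpack`, `refuse_escape` and `demo` are names chosen here, not dpkg's.

```python
import io
import os
import tarfile
import tempfile


def make_tar(members):
    """Build an in-memory tar from (name, kind, payload) tuples, where kind is
    "file" (payload = content bytes) or "symlink" (payload = link target).
    Constructed here to stand in for a source package's orig/debian tarballs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def unpack(tar_bytes, dest, check=None):
    """Write each member under dest. With check=None this mirrors the flawed
    flow: a symlink already on the path is followed, so a member from the
    second tarball can land outside dest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            path = os.path.join(dest, member.name)
            if check is not None:
                check(dest, member, path)
            if member.issym():
                os.symlink(member.linkname, path)
            else:
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:  # follows a symlinked parent dir
                    f.write(tar.extractfile(member).read())


def refuse_escape(dest, member, path):
    """Hardening: resolve the parent directory as it exists on disk (following
    any symlink planted by an earlier tarball) and refuse to write outside dest."""
    root = os.path.realpath(dest)
    parent = os.path.realpath(os.path.dirname(path))
    if os.path.commonpath([root, parent]) != root:
        raise ValueError("refusing to write outside the source tree: " + member.name)


def demo():
    """Returns (escaped, blocked): whether the naive unpack wrote outside the
    source tree, and whether the hardened unpack refused to."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")  # stands in for e.g. the user's home dir
        os.mkdir(victim)
        # Constructed malicious orig tarball: "debian" is a symlink out of the tree.
        orig = make_tar([("debian", "symlink", victim)])
        # Constructed debian tarball: a normal-looking file under debian/.
        debian = make_tar([("debian/rules", "file", b"#!/usr/bin/make -f\n")])

        src = os.path.join(tmp, "src")
        os.mkdir(src)
        unpack(orig, src)
        unpack(debian, src)
        escaped = os.path.isfile(os.path.join(victim, "rules"))

        src2 = os.path.join(tmp, "src2")
        os.mkdir(src2)
        unpack(orig, src2, check=refuse_escape)
        try:
            unpack(debian, src2, check=refuse_escape)
            blocked = False
        except ValueError:
            blocked = True
        return escaped, blocked


if __name__ == "__main__":
    print(demo())
```

The check resolves the parent directory after the first tarball has been unpacked, which is the point: validating member names alone would pass `debian/rules`, since the escape is created by what the earlier tarball left on disk, not by the name.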
[USN-5447-1] logrotate vulnerability [02:58]
- 1 CVE addressed in Impish (21.10), Jammy (22.04 LTS)
- logrotate creates a ‘state’ file to avoid parallel executions of itself -
each instance locks this file as a mutex mechanism
- if this doesn’t exist, it gets created - but it is created world readable,
which allows unprivileged users to take the lock on this file
- as such the real logrotate will fail to run since it can’t get the lock
-> DoS
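The lock-squatting mechanism above, as an added example (not logrotate's code). It creates a state file with the weak 0644 mode, takes an exclusive `flock` on it through a read-only descriptor (flock does not require write access, only an open descriptor, which is why world-readable is enough), shows that a second opener can no longer get the lock, and then creates the file with 0600 so that other users cannot open it at all. The file names and the `demo` wrapper are this example's own; the process runs as one user, so the mode bits stand in for the privilege boundary.

```python
import fcntl
import os
import stat
import tempfile


def create_state_file(path, mode):
    """Create the state/lock file with an explicit mode and return the mode
    actually set (chmod afterwards so the umask cannot widen or narrow it)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, mode)
    os.close(fd)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def take_lock_readonly(path):
    """What any user who can read the file can do: open it read-only and hold
    an exclusive flock on it. Returns the descriptor so the lock stays held."""
    fd = os.open(path, os.O_RDONLY)
    fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    return fd


def real_instance_can_lock(path):
    """The legitimate instance opens its state file and tries for the lock
    without blocking; False means it would give up, i.e. the DoS."""
    fd = os.open(path, os.O_RDWR)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError:
        os.close(fd)
        return False
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)
    return True


def world_readable(mode):
    return bool(mode & stat.S_IROTH)


def demo():
    """Returns (weak file world-readable, real instance starved, fixed file world-readable)."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = os.path.join(tmp, "status")
        weak_mode = create_state_file(weak, 0o644)  # the flawed default
        squatter = take_lock_readonly(weak)
        starved = not real_instance_can_lock(weak)
        os.close(squatter)  # releases the lock

        fixed_mode = create_state_file(os.path.join(tmp, "status.fixed"), 0o600)
        return world_readable(weak_mode), starved, world_readable(fixed_mode)


if __name__ == "__main__":
    print(demo())
```

Note that `flock` is per open file description, so the second `open` in the same process is enough to reproduce the contention; with 0600 the unprivileged `os.open(path, os.O_RDONLY)` would fail with EACCES before any lock is attempted.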
[USN-5402-2] OpenSSL vulnerabilities [04:13]
[USN-5448-1] ncurses vulnerabilities [04:21]
- 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Crafted inputs could cause ncurses to crash - most of these were found
via fuzzing and are stack buffer overflows, which are generally mitigated
by stack-protector; the others are NULL pointer dereferences, with the same
outcome (crash -> DoS)
- Possible infinite loop as well -> cpu based DoS
[USN-5449-1] libXv vulnerability [04:58]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Remote X server could trigger an OOB read in the X client via a crafted
response -> crash -> DoS
[USN-5431-1] GnuPG vulnerability [04:24]
- 1 CVE addressed in Bionic (18.04 LTS)
- Weakness in PGP/SKS keyserver design - if a key/certificate has many
signatures, GnuPG will take an inordinate amount of time to process these
when downloading the key from the keyserver -> DoS
- Certificate spamming attack - anyone can sign someone else’s cert
thereby attaching another signature to it on the SKS keyserver network
- The OpenPGP spec doesn’t limit the number of signatures (but SKS
keyserver network does - 150k)
- So anyone can poison someone else’s cert by attaching a large number of
signatures to it
- GnuPG would download all of these signatures when importing a key and
then proceed to validate them all
- Also would do this when say validating a signature from that poisoned
cert
- Fixed to not import key signatures by default anymore and to fall back
to importing only self-signatures on large keyblocks
[USN-5452-1] NTFS-3G vulnerability [07:55]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- The ntfsck tool failed to perform proper bounds checking on filesystem
metadata - if an attacker could trick a user into running it on an untrusted
filesystem image they could then possibly get code execution
- Upstream have deprecated this tool and it is only present in the
ntfs-3g-dev package, which is not installed by default
[USN-5453-1] FreeType vulnerability [08:38]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- OOB read when processing a crafted font file -> DoS
CUPS vulnerabilities
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Upstream Apple advisory describes this as:
- “Logic issue addressed with improved state management… An application
may be able to gain elevated privileges”
- Looks like it was discovered by Mandiant
- CUPS allows a client to authenticate either via HTTP Basic authentication
or through a 32-byte randomly generated token created at runtime
- The comparison function only compared the supplied token against the
real one for the length of the shorter input - so supplying an empty
string compared 0 bytes of the two and returned success!
- The other two issues were memory handling bugs in IPP printing - a
crafted print job could cause an OOB read in CUPS -> crash -> DoS
[USN-5451-1] InfluxDB vulnerability [10:39]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Similar authentication bug in InfluxDB - authentication could be bypassed
by supplying a JWT signed with an empty SharedSecret
[USN-5442-2] Linux kernel vulnerabilities [11:06]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 - GCP/GKE/IBM/Oracle/Raspi
- Bing-Jhong Billy Jheng found an integer overflow in io_uring - an
unprivileged user can spam requests which would eventually overflow a
counter, which could then be used to trigger an OOB write -> controlled
memory corruption -> privesc
- Similarly, Jann Horn (GPZ) found the kernel didn’t properly check the
privileges of a process when allowing it to set a flag which would then
disable seccomp filters on another process or itself
- Could then allow an unprivileged process to turn off seccomp for itself
/ other processes and allow them to bypass intended access restrictions
- Regular kernel security bug - ref count issue in network queueing
subsystem -> UAF - able to be triggered by a local attacker -> crash /
code execution
[USN-5443-2] Linux kernel vulnerabilities [12:47]
- 2 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
- 5.13 Oracle/GCP
[USN-5457-1] WebKitGTK vulnerabilities [12:58]
- 5 CVEs addressed in Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Latest WebKit point release - the usual mix of issues fixed - XSS, DoS, RCE
etc.
Goings on in Ubuntu Security Community
Hiring
Security Engineer - Ubuntu [13:25]
Security Certifications Product Manager - CIS, FIPS, FedRAMP and more [14:24]
Get in contact