Overview
You can’t test your way out of security vulnerabilities (at least when writing
your code in C), plus we cover security updates for Intel Microcode, vim,
Wayland, the Linux kernel, SQLite and more.
This week in Ubuntu Security Updates
68 unique CVEs addressed
[USN-5606-2] poppler regression [00:45]
- Affecting Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- [USN-5606-1] poppler vulnerability from Episode 177 - integer overflow in
JBIG2 decoder
- When backporting the series of patches, missed one that updated the
CMakeLists.txt to ensure a new header file that was added as part of the
security update is actually installed by the libpoppler-dev package - without
this if installed the update and then tried to recompile something locally it
would fail
[USN-5612-1] Intel Microcode vulnerability [01:29]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Latest upstream Intel Microcode release (IPU 2022.2) - only security relevant
for SGX
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Various buffer overflows and the like that could be triggered when editing
crafted files - have said in the past that vim is fast becoming one of the
most security-patched packages in Ubuntu - all driven by their bug-bounty
https://huntr.dev/repos/vim/vim/
[USN-5614-1] Wayland vulnerability [02:17]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Reference count overflow - used a 32-bit int to count the number of
references - but on a 64-bit machine it is quite possible that a malicious
client could allocate a huge amount of buffers to overflow and then possibly
get a UAF - highly unlikely to be able to exploit in practice since would also
need a large number of connections to the compositor as well - fixed by
limiting the max number of objects that can be allocated
[USN-5615-1] SQLite vulnerabilities [03:01]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- NULL ptr deref, OOB read, unicode parsing issue - disputed by upstream as an
actual vuln
- Has such a large amount of tests - https://www.sqlite.org/testing.html
- for 151 KSLOC has 92,038 KSLOC of tests -> 608 times as much code in tests
that the actual library itself
- 4 different test harnesses, 100% branch coverage, OOM tests, I/O error
tests, fuzz tests, boundary conditions, regression tests, valgrind, UB etc
- yet still has new vulns discovered every now and then
- you can’t test your way out of security issues - at least when you write
your code in C which has just too many different operations that have UB
- you can perhaps do it via formal methods (seL4 etc) but is very expensive..
- $200-400/LoC
- eg. to formally prove SQLite would then cost ~$18.4M-$36.8M
- use rust?
- would hopefully help at least for the first 2 issues - can still have
logic flaws and hence security vulns (eg. failing to properly validate a
TLS cert or similar)
[USN-5616-1] Linux kernel (Intel IoTG) vulnerabilities [06:00]
- 10 CVEs addressed in Jammy (22.04 LTS)
- 5.15
- Some of these have covered previously
- Intel 10GbE PCI Express driver, IP source port randomisation failure, perf
UAF, KVM NULL ptr deref, various file-system OOB R/W etc
[USN-5621-1] Linux kernel vulnerabilities [06:32]
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 GA 18.04 LTS, HWE 16.04 ESM
- console framebuffer and netfilter OOB writes covered in previous episodes
[USN-5622-1] Linux kernel vulnerabilities [06:57]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 GA 20.04 LTS / HWE 18.04 LTS
x*** [USN-5624-1] Linux kernel vulnerabilities [07:05]
- 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 GA 22.04 LTS / Azure 20.04 LTS
[USN-5623-1] Linux kernel (HWE) vulnerabilities [07:12]
- 21 CVEs addressed in Focal (20.04 LTS)
- 5.15 20.04 HWE
- all the vulns mentioned earlier plus a bunch in Xen (kernel side) - impact
ranges from crashing guest and exposing its memory to DoS services on the host
[USN-5617-1] Xen vulnerabilities [07:45]
- 20 CVEs addressed in Focal (20.04 LTS)
- Community contributed update for xen - almost wins the award for the most CVEs
patched in a single update for this week
- Most issues allow a malicious guest to attack the host -> DoS, privesc,
code-exec etc
[USN-5619-1] LibTIFF vulnerabilities [08:17]
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Another package vying for most security updates recently
- Usual memory corruption issues when handling crafted files - stack / heap
buffer overflows etc
[USN-5618-1] Ghostscript vulnerability [08:49]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- Heap buffer overflow when parsing a crafted PDF
[USN-5626-1] Bind vulnerabilities [08:58]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Memory leaks when handling certain crypto algorithms with DNSSEC,
resource-based DoS, buffer over-read -> info leak / crash, assertion-based
crash via crafted query
[USN-5625-1] Mako vulnerability [09:22]
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- ReDoS via crafted content
Goings on in Ubuntu Security Community
Preparing for the release of Ubuntu Pro [09:44]
- Team has worked on this for the last few years - finally will see the light of
day in the coming week or two - more details to come
Get in contact