Overview
This week we look at some recent security developments from PyPI, the Linux
Security Summit North America and the pending transition of Ubuntu 18.04 to ESM,
plus we cover security updates for cups-filters, the Linux kernel, Git, runC,
ncurses, cloud-init and more.
This week in Ubuntu Security Updates
83 unique CVEs addressed
[USN-6083-1] cups-filters vulnerability (01:03)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- The legacy BEH (Backend Error Handler) backend allows a network-accessible
printer to be created - allowed pretty easy RCE since it used system() to run a
command which contained various values that can be controlled by the attacker
- Fixed by upstream to use fork() and execve(), plus some other smaller changes
to perform sanitisation of the input
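As an added illustration (not cups-filters' own code), the two patterns contrasted above side by side: a command line built from an attacker-influenced value and handed to system(), beside the fork()/execve() form that passes the value as a single argv entry so no shell ever parses it. The function names, the constructed destination string and the use of /bin/true as a stand-in backend are assumptions for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper names for illustration only; not cups-filters code.
 * Both return the child's exit status, or -1 on error. */

/* Weak pattern: the destination string is spliced into a shell command
 * line, so any shell metacharacters it carries are interpreted by /bin/sh. */
int run_via_system(const char *backend, const char *dest)
{
    char cmd[1024];
    if (snprintf(cmd, sizeof cmd, "%s %s", backend, dest) >= (int)sizeof cmd)
        return -1;
    int status = system(cmd);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Hardened pattern: fork() + execve() with an explicit argv array. The
 * destination reaches the backend as one argument and no shell is involved,
 * so "; exit 42" is just text. The child also gets an empty environment. */
int run_via_execve(const char *backend, const char *dest)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)backend, (char *)dest, NULL };
        char *const envp[] = { NULL };
        execve(backend, argv, envp);
        _exit(127); /* only reached if execve() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: a "printer destination" carrying a shell payload. */
    const char *dest = "printer1; exit 42";
    printf("system(): exit %d\n", run_via_system("/bin/true", dest)); /* 42: shell ran the payload */
    printf("execve(): exit %d\n", run_via_execve("/bin/true", dest)); /* 0: payload stayed a literal argument */
    return 0;
}
```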
[USN-6084-1] Linux kernel vulnerabilities (01:45)
- 5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 18.04 GCP + Oracle, 16.04 Oracle
[USN-6085-1] Linux kernel (Raspberry Pi) vulnerabilities (02:00)
- 10 CVEs addressed in Jammy (22.04 LTS)
- 5.15 Raspi kernel
- Various UAFs in different drivers and subsystems, possible speculative
execution attack against AMD x86-64 processors with SMT enabled, a few type
confusion bugs leading to OOB reads etc
[USN-6090-1] Linux kernel vulnerabilities (02:26)
- 10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Same set of vulns as above
- 5.15 22.04 GKE, GCP; 20.04 GKE, GCP, Oracle
[USN-6089-1] Linux kernel (OEM) vulnerability (02:45)
- 1 CVE addressed in Jammy (22.04 LTS)
- 6.0 OEM
- i915 failed to flush GPU TLB in some cases -> DoS / RCE
[USN-6091-1] Linux kernel vulnerabilities (03:09)
- 25 CVEs addressed in Kinetic (22.10)
- 5.19 IBM + Oracle
- Lots of the previously mentioned issues and more - same kinds of issues though
(race conditions, UAFs, OOB writes etc in various drivers / subsystems)
[USN-6096-1] Linux kernel vulnerabilities (03:34)
- 25 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
- 22.10 GCP, 22.04 HWE
- Same as above
[USN-6092-1] Linux kernel (Azure) vulnerabilities (03:45)
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 Azure on both 18.04, 16.04 ESM + 14.04 ESM
[USN-6093-1] Linux kernel (BlueField) vulnerabilities (03:54)
- 9 CVEs addressed in Focal (20.04 LTS)
- 5.4
- NVIDIA BlueField platform
[USN-6094-1] Linux kernel vulnerabilities (04:02)
- 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 20.04 / 18.04 HWE on all generic, Azure, GKE, IBM, OEM, AWS, KVM, Low
latency etc
[USN-6095-1] Linux kernel vulnerabilities (04:29)
- 5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 18.04 snapdragon + raspi2; 16.04 HWE etc
[USN-6050-2] Git vulnerabilities (04:50)
- 2 CVEs addressed in Xenial ESM (16.04 ESM)
- RCE via a crafted .gitmodules file with submodule URLs longer than 1024
chars - could inject arbitrary config into the user's git config - eg. could
configure the pager or editor etc to run some arbitrary command
- Local file overwrite via crafted input to git apply --reject
[USN-6088-1] runC vulnerabilities (05:39)
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Vuln where the cgroup hierarchy of the host may be exposed within the
container and be writable - could possibly use this to privesc
- Regression from a previous vuln fix in CVE-2019-19921 (see [USN-4297-1] runC vulnerabilities in Episode 66)
- Possible to bypass AppArmor (or SELinux) restrictions on runc if a container
[USN-6088-2] runC vulnerabilities (06:26)
- 6 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-6086-1] minimatch vulnerability (06:31)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- ReDoS against nodejs package
[USN-6087-1] Ruby vulnerabilities (06:39)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- Speaking of ReDoS - two in ruby - mentioned previously in
[USN-6055-2] Ruby regression Episode 194 - has been
fixed properly now without introducing the previous regression
[USN-5900-2] tar vulnerability (07:03)
[USN-5996-2] Liblouis vulnerabilities (07:17)
- 3 CVEs addressed in Lunar (23.04)
- Braille translation library
- 3 different buffer overflows
[USN-6099-1] ncurses vulnerabilities (07:27)
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Most interesting vuln here was possible memory corruption via a malformed
terminfo database, which can be set via TERMINFO or through ~/.terminfo - this
will get used by a setuid binary as well - turns out though that ncurses has a
build-time configuration option to disable the use of custom terminfo/termcap
when running - fixed this by enabling that
[USN-6073-6, USN-6073-7, USN-6073-8, USN-6073-9] Cinder, Glance store, Nova, os-brick regressions (08:34)
[USN-5725-2] Go vulnerability (08:50)
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-6042-2] Cloud-init regression (08:55)
- Affecting Focal (20.04 LTS)
- Published an update to cloud-init a few weeks ago - this was due to a vuln
where credentials may get accidentally logged to the cloud-init log file -
this was a newer version of cloud-init and it relied on a feature in the
netplan package that was not published to the security pocket - easy fix would
be to publish this version of netplan to -security but this is not in the
spirit of the pocket - so instead cloud-init was updated to include a fallback
to ensure routes were appropriately retained
[USN-6098-1] Jhead vulnerabilities (09:48)
- 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- EXIF JPEG header manipulation tool written in C
- Heap buffer overflows, NULL ptr derefs, OOB reads etc
[USN-6102-1] xmldom vulnerabilities (10:12)
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- NodeJS javascript DOMParser and XMLSerializer
- Logic error where it failed to preserve identifiers or namespaces when parsing
malicious documents
- Prototype pollution
- Parses documents with multiple top-level elements and combines all their
elements
[USN-6101-1] GNU binutils vulnerabilities (10:50)
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Assembler, linker and other utils for handling binary files
- Generally not expected to be fed untrusted input, but nonetheless
- various buffer overflows (read and write) - DoS / RCE
[USN-6074-3] Firefox regressions (11:38)
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 113.0.2
[USN-6103-1] JSON Schema vulnerability (11:50)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- NodeJS package for JSON document manipulation - prototype pollution vuln
Goings on in Ubuntu Security Community
Security related announcements from PyPI (12:21)
LSS NA 2023 (16:11)
Announcement of 18.04 LTS going into ESM on 31 May 2023 (18:55)
Get in contact