Overview
The venerable Ubuntu 18.04 LTS release has transitioned into ESM, plus we look
at Till Kamppeter’s excellent guide on how to set up your GitHub projects to
receive private vulnerability reports, and we cover the week in security updates
including PostgreSQL, Jhead, the Linux kernel, Linux PTP, snapd and a whole lot
more.
This week in Ubuntu Security Updates
56 unique CVEs addressed
[USN-6104-1] PostgreSQL vulnerabilities (00:55)
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Two issues, both requiring an authenticated database user. The first is
mishandling of CREATE privileges, which could allow an authenticated user to
execute arbitrary code as the bootstrap superuser; the second is in row
security policies, which could allow a user to bypass those policies and read
or write rows contrary to the intended security policy.
[USN-6105-1] ca-certificates update (01:32)
- Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Updates to the latest upstream 2.60 release from Mozilla; adds a number of new
CAs and removes some that had either expired or were no longer in use
[USN-6106-1] calamares-settings-ubuntu vulnerability (02:08)
- Affecting Jammy (22.04 LTS)
- When installing Lubuntu, the installer allowed the first user to be created
with an empty password. Lubuntu uses its own installer, Calamares, so this
issue only affects Lubuntu, not regular Ubuntu or the other Ubuntu flavours.
[USN-6100-1] HTML::StripScripts vulnerability (02:58)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- ReDoS (regular expression denial of service) when parsing HTML with “certain
style attributes”
[USN-6108-1] Jhead vulnerabilities (03:18)
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- See also [USN-6098-1] Jhead vulnerabilities from last week’s episode
- Code execution: OS commands placed in a JPEG filename get executed when
jhead is used to rotate the file
- Buffer overflow when writing Exif data
[USN-6110-1] Jhead vulnerabilities
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Stack buffer overflow, heap buffer overflow and OOB read - DoS / code exec
[USN-6113-1] Jhead vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Heap buffer OOB read -> DoS
[USN-6054-2] Django vulnerability (04:17)
[USN-6109-1, USN-6118-1] Linux kernel (Raspberry Pi + Oracle) vulnerabilities (04:29)
- 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 raspi + oracle on both 20.04 + 18.04
- Most issues covered on previous episodes
[USN-6122-1] Linux kernel (OEM) vulnerabilities (04:49)
- 2 CVEs addressed in Jammy (22.04 LTS)
- 6.1 OEM 22.04 LTS
- Race condition in netfilter that can be triggered by a local user -> use-after-free
- Requires CAP_NET_ADMIN, but this can be obtained in an unprivileged user
namespace, so it can be triggered out-of-the-box by an unprivileged user on
Ubuntu
- A PoC was published for this last week, which caused a number of folks to get
anxious, but since it can be mitigated by disabling unprivileged user
namespaces perhaps it was not worth all the hype. Also, kernel updates take a
while to prepare and test, so it is not easy to just drop everything and crank
out a new kernel; in general that would only happen for remotely exploitable
issues
[USN-6123-1] Linux kernel (OEM) vulnerabilities (06:48)
- 5 CVEs addressed in Jammy (22.04 LTS)
- 6.0 OEM
- The netfilter issue above, plus mishandling of control registers in nested KVM
VMs, which could allow a guest VM to crash the host
[USN-6124-1] Linux kernel (OEM) vulnerabilities (07:10)
- 6 CVEs addressed in Jammy (22.04 LTS)
- 5.17 OEM
- Mostly same issues as above
[USN-6097-1] Linux PTP vulnerability (07:20)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- Precision Time Protocol implementation: synchronises time between servers to
sub-microsecond accuracy, more accurate than NTP; uses a leader/follower
architecture where the leader is synchronised with high accuracy via, say, GPS
and then distributes this to other machines via PTP
- Failed to properly check the length of received packets (but only for
forwarded packets), resulting in an OOB read/write, so could be either an info
leak or possibly RCE
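As an added illustration (not linuxptp's code) of the missing length check, the following C routine models a forwarding path for IEEE 1588 messages: it reads the 16-bit messageLength from the common header and refuses to copy unless that value is consistent with both the bytes actually received and the output buffer. The ptp_forward() and make_test_msg() names, the return codes and the constructed Sync-sized messages are assumptions of this example.

```c
/* Added example (not linuxptp's code): the bounds check a forwarding path
 * must apply to the messageLength field of the IEEE 1588 common header
 * before copying a received message onward. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PTP_HDR_LEN     34u  /* size of the IEEE 1588 common message header */
#define PTP_MSG_LEN_OFF 2    /* messageLength: 16-bit big-endian at offset 2 */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate and copy one PTP message from rx (bytes received on the wire)
 * into tx. Returns the number of bytes queued for forwarding, or:
 *  -1: fewer bytes than a common header
 *  -2: messageLength smaller than the header itself
 *  -3: messageLength claims more bytes than were received (the unchecked
 *      case: copying msg_len bytes here reads past the receive buffer)
 *  -4: message does not fit the output buffer (would write past it) */
int ptp_forward(const uint8_t *rx, size_t rx_len, uint8_t *tx, size_t tx_cap)
{
    if (rx_len < PTP_HDR_LEN) return -1;
    size_t msg_len = be16(rx + PTP_MSG_LEN_OFF);
    if (msg_len < PTP_HDR_LEN) return -2;
    if (msg_len > rx_len) return -3;
    if (msg_len > tx_cap) return -4;
    memcpy(tx, rx, msg_len);   /* only now is msg_len known to be in bounds */
    /* A transparent clock would also add its residence time to
     * correctionField (bytes 8..15) before sending; omitted here. */
    return (int)msg_len;
}

/* Build a constructed Sync-style message of 'len' bytes whose header claims
 * 'claimed' bytes (test input for this example, not captured traffic). */
int make_test_msg(uint8_t *buf, size_t cap, uint16_t claimed, size_t len)
{
    if (len > cap) return -1;
    memset(buf, 0, len);
    if (len >= 2) {
        buf[0] = 0x00;   /* transportSpecific 0, messageType 0 = Sync */
        buf[1] = 0x02;   /* versionPTP 2 */
    }
    if (len >= 4) {
        buf[2] = (uint8_t)(claimed >> 8);
        buf[3] = (uint8_t)(claimed & 0xff);
    }
    return (int)len;
}
```

The point is the order of the checks: the header field is attacker-controlled, so it is compared against the number of bytes actually received before it is used for any copy, and against the destination size before any write.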
[USN-6005-2] Sudo vulnerabilities (08:49)
[USN-6111-1] Flask vulnerability (09:02)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Could send a response intended for one client to a different client due to
mishandling of the Vary: Cookie header; requires the use of a caching proxy
and other conditions, so may not be a widespread issue
[USN-6112-1] Perl vulnerability (09:35)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- Failed to properly validate TLS certificates when using CPAN with HTTP::Tiny
to download modules over HTTPS, since it did not set the verify_SSL parameter
on HTTP::Tiny
- The upstream HTTP::Tiny developers seem to think it would be discriminatory
to enable SSL verification by default, as that would make applications that
use self-signed certs or community-driven CAs like CAcert.org fail; but this
seems pretty outdated since with Let’s Encrypt etc. there is now easy access
to trusted certs for anyone, and so this just does a disservice to all
applications that use HTTP::Tiny, making them potentially insecure
out-of-the-box
- Won’t be surprised to see other similar vulns in the future as a result of
this foot-gun
[USN-6114-1] nth-check vulnerability (11:32)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Node.js module for parsing and compiling CSS nth-checks (used by the CSS 3
nth-child() and nth-last-of-type() selectors): it is passed a string and
compiles that to an optimised function for other code to call
- ReDoS
[USN-6116-1] hawk vulnerability (12:11)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Node.js implementation of the Hawk HTTP holder-of-key authentication scheme,
an HTTP authentication scheme similar to the regular HTTP Digest scheme,
developed by Mozilla
- ReDoS
[USN-6115-1] TeX Live vulnerability (12:47)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Shell command execution in luatex when run against an untrusted document,
since the document could access the I/O stream used by the underlying Lua
engine and inject contents into it, which would then be executed
[USN-6119-1] OpenSSL vulnerabilities (13:20)
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- CPU-based DoS when processing crafted ASN.1 object identifiers; requires an
object ID which is itself tens to hundreds of KB in size. OpenSSL 3 has a
limit of 100KB on the peer certificate chain, which limits the ability to
craft such long IDs and have them processed by OpenSSL
- An aarch64-specific issue: the AES-XTS decryption implementation could read
past the end of the input buffer -> OOB read -> possible DoS, but only if the
ciphertext is a certain size relative to the block size
[USN-6120-1] SpiderMonkey vulnerabilities (14:25)
- 9 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- mozjs 102.11 release; this is the JS engine shipped in Firefox, so it has a
lot of overlap with CVEs in Firefox etc.
- Thanks to Jeremy Bicha on the Ubuntu Desktop team for preparing these
updates
[USN-6121-1] Nanopb vulnerabilities (14:45)
- 2 CVEs addressed in Focal (20.04 LTS)
- Implementation of Protocol Buffers with a small code size, designed for embedded systems etc.
- Memory leak when parsing crafted messages, plus an invalid free() or
realloc() on crafted messages; both only really an issue if parsing untrusted
content
[USN-6117-1] Apache Batik vulnerabilities (15:16)
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Java SVG library
- 4 different SSRF issues
- 1 further SSRF issue in the handling of jar: URLs, which could allow access
to local files on the server
- 2 different issues that could allow untrusted Java code embedded in an SVG to
be executed
[USN-6125-1] snapd vulnerability (15:48)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Very similar to a recent issue (CVE-2023-28100) in flatpak: the seccomp
sandbox failed to block the TIOCLINUX ioctl() request, which could allow a
snap to inject contents into the controlling terminal when run on a virtual
console; this would then be executed when the snap finished running -> code
exec outside the snap sandbox
- Now simply blocks TIOCLINUX, as it already did for TIOCSTI in the past
- Very similar to historic TIOCSTI CVEs such as CVE-2016-9016 in firejail,
CVE-2016-10124 in lxc, CVE-2017-5226 in bubblewrap and CVE-2019-10063 in
flatpak
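As an added example (not snapd's code, which generates its filters from its own policy language), here is a raw seccomp-BPF filter that fails ioctl(2) with EPERM for exactly TIOCSTI and TIOCLINUX and allows every other request; the install_tty_ioctl_filter() and ioctl_errno() helpers are this example's own names, and it assumes a Linux target where both request numbers fit in the low 32 bits of the argument.

```c
/* Added example (not snapd's code): a minimal seccomp-BPF filter that
 * blocks the two terminal-injection ioctls used in the sandbox escapes
 * above, leaving all other ioctl requests and syscalls untouched. */
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Install the filter in the calling process. Returns 0 on success, else errno. */
int install_tty_ioctl_filter(void)
{
    struct sock_filter filter[] = {
        /* 0: load the syscall number; 1: anything but ioctl -> jump to ALLOW */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
        /* 2: load the low 32 bits of args[1], the ioctl request number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args) + 8),
        /* 3,4: the two blocked requests -> jump to DENY */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCLINUX, 1, 0),
        /* 5: ALLOW, 6: DENY with errno = EPERM (the syscall never runs) */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return errno;
    return 0;
}

/* Issue an ioctl and return the resulting errno (0 on success). Probing an
 * invalid descriptor keeps this harmless: the kernel answers EBADF, whereas a
 * filtered request is rejected with EPERM before the kernel sees the fd. */
int ioctl_errno(int fd, unsigned long request)
{
    char byte = 'x';
    errno = 0;
    if (ioctl(fd, request, &byte) == 0) return 0;
    return errno;
}

int main(void)
{
    printf("TIOCSTI before filter:   %s\n", strerror(ioctl_errno(-1, TIOCSTI)));
    int rc = install_tty_ioctl_filter();
    if (rc != 0) { fprintf(stderr, "seccomp: %s\n", strerror(rc)); return 1; }
    printf("TIOCSTI after filter:    %s\n", strerror(ioctl_errno(-1, TIOCSTI)));
    printf("TIOCLINUX after filter:  %s\n", strerror(ioctl_errno(-1, TIOCLINUX)));
    printf("TIOCGWINSZ after filter: %s\n", strerror(ioctl_errno(-1, TIOCGWINSZ)));
    return 0;
}
```

A production filter should also check seccomp_data.arch (the request numbers differ between architectures, and the x32 ABI shares the x86_64 filter) and the high 32 bits of args[1]. Kernels 6.2 and later can additionally disable TIOCSTI system-wide through the dev.tty.legacy_tiocsti sysctl, but there is no equivalent switch for TIOCLINUX, which is why the sandbox has to filter it itself.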
[USN-6126-1] libvirt vulnerabilities (17:44)
- 2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Race condition within the nwfilter driver that allows a local unprivileged
user to race against the driver, corrupt the list of network filters and
trigger a crash in the libvirt daemon
- Memory leak when reading SR-IOV PCI device capabilities
Goings on in Ubuntu Security Community
Ubuntu 18.04 has now entered ESM (18:21)
OpenPrinting tutorial on handling security bugs via GitHub (19:40)
Get in contact