
Ubuntu Security Podcast

Episode 21

18 min • 21 February 2019

Overview

Double episode covering the security updates from the last 2 weeks, including snapd (DirtySock), systemd and more, plus we talk about responsible disclosure and some open positions on the Ubuntu Security team.

This week in Ubuntu Security Updates

15 unique CVEs addressed

[USN-3886-1] poppler vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Two DoS issues:
    • Out-of-bounds heap buffer read due to a missing check for a negative index -> crash -> DoS
    • Crash due to hitting an assertion -> DoS

[USN-3888-1] GVfs vulnerability

  • 1 CVE addressed in Bionic, Cosmic
  • Could allow a local user with administrative privileges (e.g. a member of the sudo group) to read arbitrary files without being prompted for authorisation IF no PolicyKit agent is running
    • PolicyKit agents run by default, so this would require the user to be running a different DE or to have uninstalled / disabled them
    • Also low impact since such a user already has that authority anyway

[USN-3889-1] WebKitGTK+ vulnerabilities

  • 2 CVEs addressed in Bionic, Cosmic
  • Memory corruption and type confusion errors, leading to possible remote code execution

[USN-3890-1] Django vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • Could cause Django to consume a large amount of memory when formatting a decimal number with a large number of digits or with a large exponent, since fixed-point formatting would simply expand and write out every digit the exponent implies
  • Possible DoS, although it would need a very large number to be input
  • Fix is to format numbers with more than 200 digits in scientific notation instead
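
An added example of the formatting problem and its fix, written here for this page rather than taken from Django (the cutoff logic mirrors what the fix in django.utils.numberformat does, but the functions below are not Django's code). Both inputs are constructed; the 1e200000 value is deliberately small enough to run in a few milliseconds, whereas an attacker would choose an exponent in the billions:

```python
from decimal import Decimal

# Constructed inputs for this demo (not taken from the advisory).
SAFE_INPUT = Decimal("1234567.891")
HOSTILE_INPUT = Decimal("1e200000")   # kept small here; a real attacker picks 1e999999999

# Digit cutoff the fix uses; anything wider is rendered in scientific notation.
MAX_DIGITS = 200


def format_unbounded(number: Decimal) -> str:
    """Pre-fix behaviour: fixed-point formatting writes out every digit the
    exponent implies, so the output (and the memory needed to build it)
    grows with a value the caller controls."""
    return "{:f}".format(number)


def format_bounded(number: Decimal, max_digits: int = MAX_DIGITS) -> str:
    """Post-fix behaviour: estimate the width from the Decimal's own
    (sign, digits, exponent) tuple before formatting anything, and fall back
    to scientific notation above the cutoff. NaN and Infinity carry no
    numeric exponent, so they are passed through rather than tripping abs()."""
    if not number.is_finite():
        return str(number)
    _sign, digits, exponent = number.as_tuple()
    if abs(exponent) + len(digits) > max_digits:
        return "{:e}".format(number)
    return "{:f}".format(number)


if __name__ == "__main__":
    for value in (SAFE_INPUT, HOSTILE_INPUT):
        print(len(format_unbounded(value)), "chars unbounded vs",
              format_bounded(value), "bounded")
```

The important design point is that the width check reads the Decimal's tuple, which is tiny regardless of the exponent, so the decision is made before any large string is allocated; checking len() of the formatted result would already have spent the memory.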

[USN-3887-1] snapd vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • ‘DirtySock’ - discovered by Chris Moberly
  • Failed to correctly parse and validate the remote socket address
  • Code had undergone refactoring, which introduced this bug
  • Allows a local user to impersonate a privileged user and therefore call privileged APIs via the snapd socket
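
An added Python reconstruction of the parsing mistake, written for this page and not snapd's own code (snapd is written in Go). It assumes the daemon serialises the kernel-supplied peer credentials as "pid=…;uid=…;socket=…;" and then appends the peer's own socket name, which the connecting client chose when it bound its socket; the two address strings are constructed, and the field layout and separator are assumptions, not copied from snapd:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed remote-address strings (not captured from a real snapd). Everything
# after the third ';' is the client-chosen socket name, i.e. attacker-controlled.
HONEST_ADDR = "pid=5127;uid=1000;socket=/run/snapd.socket;@"
HOSTILE_ADDR = "pid=5127;uid=1000;socket=/run/snapd.socket;/tmp/sock;uid=0;"


@dataclass
class PeerCreds:
    pid: Optional[int]
    uid: Optional[int]
    socket: Optional[str]


def parse_creds_vulnerable(remote_addr: str) -> PeerCreds:
    """Bug class: every ';'-separated token is inspected and the last match
    wins, so a 'uid=' token smuggled in through the client-chosen socket name
    silently replaces the kernel-provided one."""
    creds = PeerCreds(None, None, None)
    for token in remote_addr.split(";"):
        if token.startswith("pid="):
            creds.pid = int(token[4:])
        elif token.startswith("uid="):
            creds.uid = int(token[4:])
        elif token.startswith("socket="):
            creds.socket = token[7:]
    return creds


def parse_creds_fixed(remote_addr: str) -> PeerCreds:
    """Only the daemon-built prefix is trusted: the three fields must appear in
    the fixed order the daemon emits them, parsing stops once that prefix is
    consumed, and whatever the client appended is never looked at."""
    parts = remote_addr.split(";", 3)
    if len(parts) < 3:
        raise ValueError("malformed remote address: %r" % remote_addr)
    pid_tok, uid_tok, sock_tok = parts[:3]
    if not (pid_tok.startswith("pid=") and uid_tok.startswith("uid=")
            and sock_tok.startswith("socket=")):
        raise ValueError("malformed remote address: %r" % remote_addr)
    return PeerCreds(int(pid_tok[4:]), int(uid_tok[4:]), sock_tok[7:])


def is_privileged(creds: PeerCreds) -> bool:
    """The authorisation decision the parsed uid feeds (root-only API calls)."""
    return creds.uid == 0


if __name__ == "__main__":
    print("vulnerable:", parse_creds_vulnerable(HOSTILE_ADDR))
    print("fixed:     ", parse_creds_fixed(HOSTILE_ADDR))
```

The positional parser is the narrow fix; the more robust design is to never serialise trusted credentials into the same string as an attacker-chosen value at all, and instead carry pid and uid from SO_PEERCRED as typed fields next to the raw peer address so no later refactoring can confuse the two.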

[USN-3850-2] NSS vulnerabilities

[USN-3891-1] systemd vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • Discovered by Ubuntu Security team member Chris Coulson
  • Stack-based memory corruption via the D-Bus object path field - the path was copied into a variable-length array (VLA) on the stack, but a sender could supply a path larger than the remaining stack, so the allocation would jump over the entire stack and its guard pages
  • Segmentation violation -> crash -> DoS
    • systemd (PID 1) does not automatically restart, so this brings down the entire system and requires a reboot
  • Possible code execution, but unlikely
  • D-Bus and systemd need to agree on the maximum size of the various message elements - the D-Bus spec says a path can be of unlimited length, but in practice it is less than 32MB (dbus-daemon limits messages to this size)
    • systemd now limits paths to 64KB AND keeps running after receiving a path of invalid size

[USN-3892-1] GDM vulnerability

  • 1 CVE addressed in Bionic, Cosmic
  • Logic error in the handling of timed logins (not enabled by default)
  • If the screen is already locked, select "log in as a different user", then select a user which has timed login enabled - after the timeout this will unlock the screen of the original user
  • Administrator privileges are needed to enable timed login for a given user, so low impact

[USN-3866-2] Ghostscript regression

  • Affecting Trusty, Xenial, Bionic, Cosmic
  • Previous update for Ghostscript (USN-3866-1 - Episode 18) caused a regression with 4"x6" printing (Ghostscript 9.26 - upstream bug)

[USN-3893-1] Bind vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Failed to properly apply controls on zone transfers - could allow clients to request and receive a zone transfer of a dynamically loadable zone (DLZ) contrary to the allow-transfer ACL
  • Assertion failure if a trust anchor's keys are replaced with keys using an unsupported algorithm during a key rollover when using the managed-keys feature for DNSSEC validation
  • Remotely triggerable memory leak when processing particular packets -> DoS

Goings on in Ubuntu Security Community

snapd, systemd and handling of embargoed issues

  • 2 updates (snapd and systemd) involving close communication between the Ubuntu Security Team and external stakeholders under embargo
  • Responsible disclosure - allows a fix to be coordinated in a timely manner and the update to be released once all parties are ready, in a coordinated manner
  • Set a Coordinated Release Date (CRD) with the stakeholders (reporter, upstream, other distros etc.)
  • Coordinate the fix with upstream and other distros
  • Plan coordinated updates to be released together with other distros / upstream at the CRD

Hiring

Ubuntu Security Generalist

Robotics Security Engineer

Security Automation Engineer

Get in contact
