Overview
Mark Esler is our special guest on the podcast this week to discuss the
OpenSSF’s Compiler Options Hardening Guide for C/C++ plus we cover
vulnerabilities and updates for GIMP, FreeRDP, GStreamer, HAProxy and more.
This week in Ubuntu Security Updates
65 unique CVEs addressed
[USN-6521-1] GIMP vulnerabilities (00:50)
- 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Includes 4 recent issues disclosed via Trend Micro's ZDI, all found by the same
researcher: 2 heap buffer overflows in the DDS and PSD parsers, plus an integer
overflow and a separate off-by-one error in the PSP parser, any of which could
apparently lead to remote code execution; plus a couple of DoS-related issues
(an unhandled exception and an excessive memory allocation), both leading to a
crash
[USN-6522-1] FreeRDP vulnerabilities (01:39)
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Open source client for Microsoft's Remote Desktop Protocol (RDP)
- Malicious server could send a crafted drive redirect to the client -
triggering an OOB read, causing the client to disclose memory contents and
therefore possibly sensitive info to the server
- Plus an OOB write and an OOB read when handling crafted image data, both also
likely leading to a crash
[USN-6523-1] u-boot-nezha vulnerability (02:19)
- 3 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
- u-boot for the Allwinner Nezha RISC-V board
- Missing length checks in the DFU (USB Device Firmware Upgrade) parser -> heap buffer overflow
- 2 other buffer overflows when handling fragmented IP packets
[USN-6524-1] PyPy vulnerability (03:06)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Integer overflow leading to a buffer overflow in SHA3 - comes from the
original reference implementation of SHA3 (the Keccak team's XKCP code), so
it has affected a range of packages in Ubuntu that vendor that code:
PHP, Python itself and now PyPy
[USN-6525-1] pysha3 vulnerability (03:06)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Same SHA3 reference implementation issue as above
[USN-6519-2] EC2 hibagent update
- Affecting Xenial ESM (16.04 ESM)
[USN-6526-1] GStreamer Bad Plugins vulnerabilities (03:16)
- 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Heap overflow in PGS subtitle overlay decoder
- Various integer overflows -> heap buffer overflows in MXF container handler
(Material Exchange Format) - apparently used for delivering advertisements to
TV stations and for movies in commercial theatres - specifically in handling
of files using AES3 audio
- Use-after-free in the MXF demuxer
- Buffer overflow in the AV1 codec parser
- Integer overflow -> stack buffer overflow in the H.265 parser
[USN-6527-1] OpenJDK vulnerabilities (04:09)
- 2 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Updated to 11.0.21 and 17.0.9 respectively
[USN-6528-1] OpenJDK 8 vulnerabilities (04:25)
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Updated to 8u392
[USN-6509-2] Firefox regressions (04:34)
- 10 CVEs addressed in Focal (20.04 LTS)
- 120.0.1 - in particular includes a fix where Firefox would crash immediately
on startup, but only for aarch64 (arm64) on Linux when using page sizes other
than 4K (e.g. the 16K pages used by Linux on Apple silicon)
[USN-6529-1] Request Tracker vulnerabilities (05:25)
- 4 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Possible timing attack in the authentication module - could allow an attacker
to enumerate valid user accounts
- Plus XSS and some information leaks as well
[USN-6530-1] HAProxy vulnerability (06:12)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Mishandling of the # character in URIs could cause unexpected routing: a
request for a URI such as index.html#.png could be sent to a static server
(since HAProxy is commonly configured to route anything ending in .png to a
static backend), even though the request is really for index.html, as the part
after # is a fragment rather than part of the path
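The routing mismatch described above, as an added example that is not HAProxy's own code: a suffix rule applied to the raw request-target sends index.html#.png to the static backend, while an origin that parses the target per RFC 3986 treats everything after # as a fragment and serves /index.html. The backend names, the static-suffix list and the request targets are constructed for the illustration; the strict router refuses any target containing # rather than guessing which interpretation the origin will use.

```python
"""Added example (not HAProxy's own code): why a '#' in the request-target
lets a 'route *.png to the static backend' rule misfire, and a stricter rule
that closes it. Backend names and the suffix list are assumptions."""
from urllib.parse import urlsplit

STATIC_SUFFIXES = (".png", ".jpg", ".css", ".js")   # assumed static-asset rule


def origin_path(request_target):
    """The path an RFC 3986-conformant origin server would actually serve.
    A '#' starts the fragment, which is never part of the path, so
    '/index.html#.png' is a request for '/index.html'."""
    return urlsplit(request_target).path


def route_naive(request_target):
    """Suffix rule applied to the raw target up to '?' only (no '#' handling):
    '/index.html#.png' ends in '.png', so it goes to the static backend even
    though the origin will treat it as '/index.html'."""
    path = request_target.split("?", 1)[0]
    return "static" if path.endswith(STATIC_SUFFIXES) else "app"


def route_strict(request_target):
    """Hardened rule: refuse any target containing '#' (a conforming client never
    sends the fragment on the wire, so its presence marks a crafted request),
    then match the suffix on the parsed path only, the same way the origin would."""
    if "#" in request_target:
        return "reject"          # answer 400 Bad Request
    return "static" if origin_path(request_target).endswith(STATIC_SUFFIXES) else "app"


def demo():
    """Constructed request targets -> (naive decision, strict decision, origin path)."""
    targets = ["/logo.png", "/logo.png?v=2", "/index.html", "/index.html#.png"]
    return {t: (route_naive(t), route_strict(t), origin_path(t)) for t in targets}


if __name__ == "__main__":
    for target, (naive, strict, served) in demo().items():
        print(f"{target:18} naive={naive:7} strict={strict:7} origin serves {served}")
```

The point the example makes is that the proxy's ACL and the origin must agree on what the path is; when an input is ambiguous between the two parsers, rejecting it beats forwarding it to a backend that will read it differently.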
[USN-6531-1] Redis vulnerabilities (07:06)
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Heap overflow in cjson library able to be triggered by a Lua script -> RCE
- Race condition when setting permissions on the local Unix socket - if redis is
started with a less restrictive umask, a local attacker could race redis on
startup and connect to the socket before the permissions are tightened
- Also various integer overflows and other issues fixed too
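The socket permission race described above, as an added example that is not Redis's own code: the vulnerable ordering binds the Unix socket under the inherited umask and only then calls chmod(), leaving a window in which the socket file is world-writable (and so connectable by any local user); the fixed ordering narrows the umask to 0o077 around bind() so the file is created owner-only and chmod() afterwards can only relax it to the configured mode. The socket path lives in a temporary directory and the permissive inherited umask (0o000) is an assumption standing in for the "less restrictive umask" case.

```python
"""Added example (not Redis's own code): bind()-then-chmod() on a Unix socket
beside the fixed ordering that narrows the umask before bind(). The inherited
umask of 0o000 is assumed, modelling a permissively configured service."""
import os
import socket
import stat
import tempfile


def socket_mode(path):
    """Permission bits of the socket file, as a racing local user would see them."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def bind_then_chmod(path, inherited_umask=0o000, wanted=0o600):
    """Vulnerable ordering. Linux creates the socket file as 0777 & ~umask, so
    under a permissive umask it is world-writable (= connectable by anyone)
    until chmod() runs; an attacker who connects in that window keeps the
    connection after the mode is tightened."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(inherited_umask)
    try:
        srv.bind(path)
        at_bind = socket_mode(path)   # what the attacker can race against
        os.chmod(path, wanted)        # too late for anyone already connected
        return {"at_bind": at_bind, "final": socket_mode(path)}
    finally:
        os.umask(old)
        srv.close()
        if os.path.lexists(path):
            os.unlink(path)


def umask_then_bind(path, inherited_umask=0o000, wanted=0o600):
    """Fixed ordering. Force umask 0o077 around bind() so the file is created
    0700 (owner only); chmod() afterwards only ever relaxes it to the configured
    mode, so there is no instant at which an unintended user can connect."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(inherited_umask)
    try:
        prev = os.umask(0o077)        # independent of whatever umask we inherited
        try:
            srv.bind(path)
        finally:
            os.umask(prev)
        at_bind = socket_mode(path)
        os.chmod(path, wanted)
        return {"at_bind": at_bind, "final": socket_mode(path)}
    finally:
        os.umask(old)
        srv.close()
        if os.path.lexists(path):
            os.unlink(path)


def demo():
    """Run both orderings on a fresh socket path and return the observed modes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "redis.sock")
        return {"vulnerable": bind_then_chmod(path), "fixed": umask_then_bind(path)}


if __name__ == "__main__":
    for name, modes in demo().items():
        print(f"{name:10} at bind: {modes['at_bind']:04o}  after chmod: {modes['final']:04o}")
```

Setting the umask is process-wide, which is why the fixed version saves and restores it immediately around bind(); in a multi-threaded server another thread creating files in that window would also get the 0o077 mask, which is the safer direction to err in.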
[USN-6494-2] Linux kernel vulnerabilities (08:08)
- 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
[USN-6495-2] Linux kernel vulnerabilities
- 2 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6496-2] Linux kernel vulnerabilities
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6502-4] Linux kernel vulnerabilities
- 5 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
[USN-6532-1] Linux kernel vulnerabilities
- 10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
[USN-6533-1] Linux kernel (OEM) vulnerabilities
- 2 CVEs addressed in Jammy (22.04 LTS)
[USN-6534-1] Linux kernel vulnerabilities
- 12 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
Goings on in Ubuntu Security Community
Alex discusses the OpenSSF’s Compiler Options Hardening Guide for C/C++ with Mark Esler (08:38)
Get in contact