Episode 215

Overview

Mark Esler is our special guest on the podcast this week to discuss the OpenSSF’s Compiler Options Hardening Guide for C/C++ plus we cover vulnerabilities and updates for GIMP, FreeRDP, GStreamer, HAProxy and more.

This week in Ubuntu Security Updates

65 unique CVEs addressed

[USN-6521-1] GIMP vulnerabilities (00:50)

• 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-44444
  • CVE-2023-44443
  • CVE-2023-44442
  • CVE-2023-44441
  • CVE-2022-32990
  • CVE-2022-30067
• Includes 4 recent issues disclosed via Trend’s ZDI - all found by the same researcher - 2 heap buffer overflows in DDS and PSD parsers, ab integer overflow and a separate off-by-one error in the PSP parser which could apparently lead to remote code execution plus a couple DoS related issues (unhandled exception and an excessive memory allocation) - both leading to a crash

[USN-6522-1] FreeRDP vulnerabilities (01:39)

• 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-39356
  • CVE-2023-39352
  • CVE-2022-41877
• Windows RDP client
• Malicious server could send a crafted drive redirect to the client - triggering an OOB read, causing the client to disclose memory contents and therefore possibly sensitive info to the server
• Plus an OOB write and an OOB read on crafted image data - both also likely leading to a crash

[USN-6523-1] u-boot-nezha vulnerability (02:19)

• 3 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2022-30790
  • CVE-2022-30552
  • CVE-2022-2347
• u-boot for the Allwinner Nezha RISC-V board
• Missing length checks in DFU parser -> heap buffer overflow
• 2 other buffer overflows when handling fragmented IP packets

[USN-6524-1] PyPy vulnerability (03:06)

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-37454
• Integer overflow leading to a buffer overflow in SHA3 - comes from the original reference implementation of SHA3
• Has affected a range of packages in Ubuntu
  • PHP, Python itself and now PyPy

[USN-6525-1] pysha3 vulnerability (03:06)

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-37454
• Same as above

[USN-6519-2] EC2 hibagent update

• Affecting Xenial ESM (16.04 ESM)

[USN-6526-1] GStreamer Bad Plugins vulnerabilities (03:16)

• 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-44446
  • CVE-2023-44429
  • CVE-2023-40476
  • CVE-2023-40475
  • CVE-2023-40474
  • CVE-2023-37329
• Heap overflow in PGS subtitle overlay decoder
• Various integer overflows -> heap buffer overflows in MXF container handler (Material Exchange Format) - apparently used for delivering advertisements to TV stations and for movies in commercial theatres - specifically in handling of files using AES3 audio
• MXF demuxer UAF
• AV1 buffer overflow
• Integer overflow -> stack overflow in H.256 parser

[USN-6527-1] OpenJDK vulnerabilities (04:09)

• 2 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-22081
  • CVE-2023-22025
• 11.0.21 + 17.0.9

[USN-6528-1] OpenJDK 8 vulnerabilities (04:25)

• 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-22081
  • CVE-2023-22067
  • CVE-2023-22025
  • CVE-2022-40433
• 8u392

[USN-6509-2] Firefox regressions (04:34)

• 10 CVEs addressed in Focal (20.04 LTS)
  • CVE-2023-6209
  • CVE-2023-6208
  • CVE-2023-6207
  • CVE-2023-6205
  • CVE-2023-6204
  • CVE-2023-6213
  • CVE-2023-6212
  • CVE-2023-6211
  • CVE-2023-6210
  • CVE-2023-6206
• 120.0.1 - in particular includes a fix where Firefox would crash immediately on startup but only for aarch64 (arm64) on Linux when using page sizes other than 4K - ie. as used in Apple silicon etc

[USN-6529-1] Request Tracker vulnerabilities (05:25)

• 4 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-41260
  • CVE-2023-41259
  • CVE-2022-25802
  • CVE-2021-38562
• Possible timing attack in the authentication module - could allow to enumerate user accounts
• XSS plus some info leaks as well

[USN-6530-1] HAProxy vulnerability (06:12)

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-45539
• Mishandling of # character in URIs could allow unexpected routing of a URI containing say index.html#.png to a static server (since usually is configured to route .png to a static server, but in this case the request is really for index.html)

[USN-6531-1] Redis vulnerabilities (07:06)

• 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2023-45145
  • CVE-2023-28856
  • CVE-2023-25155
  • CVE-2022-36021
  • CVE-2022-35977
  • CVE-2022-24834
• Heap overflow in cjson library able to be triggered by a Lua script -> RCE
• Race condition on setting permissions on the local unix socket - if using a less restrictive umask could allow a local attacker to race redis on startup
• Also various integer overflows and other issues fixed too

[USN-6494-2] Linux kernel vulnerabilities (08:08)

• 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • CVE-2023-5717
  • CVE-2023-45871
  • CVE-2023-45862
  • CVE-2023-42754
  • CVE-2023-39194
  • CVE-2023-39193
  • CVE-2023-39192
  • CVE-2023-39189
  • CVE-2023-31085

[USN-6495-2] Linux kernel vulnerabilities

• 2 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2023-45871
  • CVE-2023-31085

[USN-6496-2] Linux kernel vulnerabilities

• 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2023-45871
  • CVE-2023-31085
  • CVE-2023-25775

[USN-6502-4] Linux kernel vulnerabilities

• 5 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-5345
  • CVE-2023-5090
  • CVE-2023-45871
  • CVE-2023-31085
  • CVE-2023-25775

[USN-6532-1] Linux kernel vulnerabilities

• 10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2023-5717
  • CVE-2023-45871
  • CVE-2023-45862
  • CVE-2023-42754
  • CVE-2023-39194
  • CVE-2023-39193
  • CVE-2023-39192
  • CVE-2023-39189
  • CVE-2023-31085
  • CVE-2023-20593

[USN-6533-1] Linux kernel (OEM) vulnerabilities

• 2 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2023-46862
  • CVE-2023-46813

[USN-6534-1] Linux kernel vulnerabilities

• 12 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-6039
  • CVE-2023-5717
  • CVE-2023-5178
  • CVE-2023-5158
  • CVE-2023-42754
  • CVE-2023-39198
  • CVE-2023-39194
  • CVE-2023-39193
  • CVE-2023-39192
  • CVE-2023-39189
  • CVE-2023-3773
  • CVE-2023-37453

Goings on in Ubuntu Security Community

Alex discusses the OpenSSF’s Compiler Options Hardening Guide for C/C++ with Mark Esler (08:38)

• https://openssf.org/blog/2023/11/29/strengthening-the-fort-openssf-releases-compiler-options-hardening-guide-for-c-and-c/

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @[email protected], @ubuntu_sec on twitter