Overview
This week we cover security updates including Firefox, Thunderbird, OpenSSL and another Ghostscript regression, plus we look at a recent report from Capsule8 comparing Linux hardening features across various distributions and we answer some listener questions.
This week in Ubuntu Security Updates
16 unique CVEs addressed
[USN-3893-2] Bind vulnerabilities
- 2 CVEs addressed in Precise ESM
- Covered last week in Episode 21 for regular Ubuntu releases
[USN-3866-3] Ghostscript regression
- Affecting Trusty, Xenial, Bionic, Cosmic
- Mentioned last week briefly
- Previous update to Ghostscript introduced a regression (blue background)
- See later for information
[USN-3894-1] GNOME Keyring vulnerability
- 1 CVE addressed in Trusty, Xenial
- Already fixed upstream (hence doesn't apply to Bionic / Cosmic etc.)
- User's login password is kept in the memory of the child process after the PAM session is opened
- Could be dumped by the root user or captured in a crash dump etc. and so possibly exposed
- Other tools exist to try and extract it from memory as well (mimipenguin etc.)
- Fix is simply to clear it once the PAM session has been opened
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
- LDAP-like embedded database (used by Samba and others)
- Authenticated user can cause an out-of-bounds read when searching the LDAP backend of an AD DC with a search string containing multiple wildcards -> crash -> DoS
[USN-3896-1] Firefox vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Firefox 65
- Use-after-free and integer overflow in Skia library (vector graphics library, similar to cairo)
- Cross-origin image theft - able to read pixels back from a canvas element in violation of the same-origin policy using the transferFromImageBitmap() method
[USN-3897-1] Thunderbird vulnerabilities
- 7 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Thunderbird 60.5.1
- Use-after-free and integer overflow in Skia library (vector graphics library, similar to cairo)
- Messages with an invalid (reused) S/MIME signature are shown as verified
- UAF parsing HTML5 stream with custom HTML elements
- UAF in embedded libical via a crafted ICS file
[USN-3898-1, USN-3898-2] NSS vulnerability
- 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- Several NULL pointer dereferences -> crash -> DoS
[USN-3899-1] OpenSSL vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic
- Possible padding oracle (an application using OpenSSL could behave differently depending on whether a record contained valid padding or not)
- Attacker can learn plaintext by modifying ciphertext and observing the difference in behaviour
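As an added illustration of the bug class (not code from OpenSSL or from the advisory), the following stand-alone script models the "behaves differently on bad padding" leak and then recovers a CBC-encrypted message using nothing but that yes/no answer. The block cipher is a constructed HMAC-SHA256 Feistel toy standing in for AES, the key, IV and message are constructed sample values, and the `oracle` is an explicit boolean where a real server would leak the same bit through an error message or timing.

```python
import hashlib
import hmac

BLOCK = 16                            # block size in bytes, as for AES
ROUNDS = 4
DEMO_KEY = b"constructed-demo-key"    # constructed sample key, not a real secret
DEMO_IV = bytes(range(BLOCK))         # fixed IV so the demo is reproducible


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy block cipher: a Feistel network keyed with HMAC-SHA256. It stands in for
# AES; the attack below never looks inside it, which is the point of the bug.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


# CBC mode with PKCS#7 padding.
def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out


# The leaky application: all it reveals is whether the padding was valid.
def padding_oracle(key: bytes, iv: bytes, ciphertext: bytes) -> bool:
    try:
        pkcs7_unpad(cbc_decrypt(key, iv, ciphertext))
        return True
    except ValueError:
        return False


def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover P = D(target) XOR prev without the key by forging the block that
    precedes `target`, one byte at a time from the last byte backwards."""
    inter = bytearray(BLOCK)                 # D(target), learned byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos                 # padding value we try to produce
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval    # known bytes now decrypt to padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # The last byte can also pass by accident as \x02\x02 etc.:
                # perturb the byte before it and require padding to stay valid.
                forged[pos - 1] ^= 0xFF
                still_valid = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted a guess")
    return xor(bytes(inter), prev)


def recover_plaintext(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(recover_block(oracle, p, c) for p, c in zip([iv] + blocks[:-1], blocks))


def demo() -> bytes:
    """Encrypt a constructed message, then recover it using only the oracle."""
    message = b"Padding oracles leak plaintext"          # constructed sample input
    ciphertext = cbc_encrypt(DEMO_KEY, DEMO_IV, pkcs7_pad(message))
    queries = 0

    def oracle(iv, ct):
        nonlocal queries
        queries += 1
        return padding_oracle(DEMO_KEY, iv, ct)           # attacker sees only True/False

    recovered = pkcs7_unpad(recover_plaintext(oracle, DEMO_IV, ciphertext))
    print(f"recovered {recovered!r} after {queries} oracle queries")
    return recovered


if __name__ == "__main__":
    demo()
```

Each byte costs at most 256 queries, so the whole message falls in a few thousand requests; the fix on the application side is to make the valid and invalid paths indistinguishable (same error, same timing), or better, to authenticate the ciphertext before touching the padding.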
[USN-3900-1] GD vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Double free if it fails to properly extract an image file -> crash -> DoS
- Heap-based buffer overflow in color matching (able to be triggered by a specially crafted image) - crash -> DoS, possible code execution
Goings on in Ubuntu Security Community
Comparison of Linux Hardening across distributions
- https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/
- Analyses binaries from various Linux distributions looking for hardening features (OpenSUSE, Debian, CentOS, RHEL & Ubuntu)
- Compare kernel configuration vs KSPP recommendations
- Ubuntu 18.04 ranks highest, due to proactive hardening features baked into the toolchain and a newer kernel that takes advantage of upstream KSPP features
- gcc is patched so anyone building on Ubuntu gets these features by default
- build.snapcraft.io too
- However it is missing stack clash mitigation
- Plan to add more hardening features for 19.10 (stack clash and control-flow integrity support via gcc) and review kernel options cf. KSPP
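To show what "looking for hardening features" in a binary means in practice, here is an added example (not the Capsule8 tooling, and not from the report) that reads an ELF image with only the standard library and reports PIE, NX stack, RELRO, stack canary and FORTIFY_SOURCE status, using the same heuristics checksec applies. `build_sample_elf` constructs a header-only ELF64 image so the checker can be exercised offline; point `check_file` at any real binary on an Ubuntu system to compare.

```python
import struct

# ELF constants used below (values from <elf.h>)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset via the PT_LOAD segments."""
    for p_vaddr, p_offset, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    return None


def check_hardening(data: bytes) -> dict:
    """Report PIE / NX / RELRO / stack canary / FORTIFY status of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, e = data[4] == 2, ("<" if data[5] == 1 else ">")
    (e_type,) = struct.unpack_from(e + "H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(e + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(e + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)

    result = {"pie": e_type == ET_DYN, "nx": False, "relro": "none",
              "canary": False, "fortify": False}
    loads, dynamic = [], None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = \
                struct.unpack_from(e + "IIQQQQQQ", data, off)
        else:
            p_type, p_offset, p_vaddr, _, p_filesz, _, p_flags, _ = \
                struct.unpack_from(e + "IIIIIIII", data, off)
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)   # no PT_GNU_STACK at all => executable stack
        elif p_type == PT_GNU_RELRO:
            result["relro"] = "partial"
        elif p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    if dynamic:
        d_off, d_size = dynamic
        fmt, size = (e + "qQ", 16) if is64 else (e + "iI", 8)
        tags = {}
        for off in range(d_off, min(d_off + d_size, len(data) - size + 1), size):
            tag, val = struct.unpack_from(fmt, data, off)
            if tag == DT_NULL:
                break
            tags[tag] = val
        bind_now = (tags.get(DT_FLAGS, 0) & DF_BIND_NOW) or (tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
        if result["relro"] == "partial" and bind_now:
            result["relro"] = "full"   # GOT is made read-only after eager binding
        str_off = _vaddr_to_offset(loads, tags.get(DT_STRTAB, -1))
        if str_off is not None and DT_STRSZ in tags:
            names = data[str_off:str_off + tags[DT_STRSZ]].split(b"\0")
            # Heuristics as checksec uses them: importing __stack_chk_fail means at
            # least one function got a canary; __*_chk imports mean FORTIFY_SOURCE.
            result["canary"] = b"__stack_chk_fail" in names
            result["fortify"] = any(n.startswith(b"__") and n.endswith(b"_chk") for n in names)
    return result


def build_sample_elf(pie: bool, nx: bool, relro: bool) -> bytes:
    """Constructed sample: a header-only ELF64 image (no code, no dynamic section)
    so the checker can be exercised offline without touching real binaries."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                        64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or ["/bin/sh"]:
        print(path, check_file(path))
```

Two caveats a practitioner would want: the canary check is an import heuristic (a binary compiled with -fstack-protector-strong but containing no function that qualifies for a canary will report False), and "pie" is inferred from ET_DYN, so a plain shared library also reports True; the per-distribution scores in the report are built from exactly these kinds of per-binary signals aggregated over a package set.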
Q&A
Do the numerous bugs and regressions in Ghostscript indicate it is reaching its EOL?
- doc-E-brown via twitter
- Lots of recent focus on it -> finds bugs
- Ghostscript codebase is old and gnarly, and some fixes have been quite invasive
- Any new code could introduce new bugs; complicated fixes in particular tend to create more bugs (regressions)
- (as doc-E-brown suggests, regressions indicate an old code-base)
- Tavis (and others) seem to be looking elsewhere now, but there are likely still more bugs to be found
- Would be great if GS could be made safer, or a safer alternative found, but no-one is stepping up
- Sadly no viable alternative currently
Hiring
Ubuntu Security Generalist
Robotics Security Engineer
Security Automation Engineer
Get in contact