Overview
A look at recent fixes for vulnerabilities in poppler, WALinuxAgent, the
Linux kernel and more. We also talk about some listener feedback on
Ubuntu hardening and the launch of Ubuntu 14.04 ESM.
This week in Ubuntu Security Updates
18 unique CVEs addressed
[USN-3905-1] poppler vulnerability
- 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Heap-based buffer underwrite (index into array using negative index) -
write into heap memory which preceeds the intended buffer - heap
corruption - crash -> DoS, possible code execution
- Found by fuzzing and AddressSanitizer in clang
[USN-3906-1] LibTIFF vulnerabilities
- 6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- All DoS, one possible code-execution:
- Dereference of an invalid address (read from invalid memory location)
- Heap buffer overread
- 2x NULL pointer dereferences
- Memory leak
- Heap buffer overflow - possible code execution
[USN-3907-1] WALinuxAgent vulnerability
- 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- WALinuxAgent used to manage instances of Ubuntu (and other Linux
distributions) running on Azure
- Can be used to configure swap space for a given image
- would then create a swap file (/mnt/swapfile) BUT would make it world-readable
- so any local user could read it - if keys or other sensitive items
were in memory that got swapped to disk could be read by all
- Fixed to make this readable only by root and to also correct the
permissions on any existing swapfile as well
[USN-3902-2] PHP vulnerabilities
- 4 CVEs addressed in Precise ESM
- See last week’s Episode 23 - discussed for Xenial and Trusty - fixed
now for Precise ESM as well
- 5 CVEs addressed in Xenial and Trusty (Xenial HWE)
- 2 of these discussed in previous episodes Episode 23 (PolicyKit start
time, DoS via mmaping a FUSE-backed file into processes memory
containing command-line args)
- Trigger of BUG_ON() in kernel (like assert() for kernel code) due to
integer overflow from large pgoff parameter to remap_file_pages() when
used in conjuction with an existing mmap() -> crash -> DoS
- OOB read in USB driver for Option High Speed mobile devices - would
read a descriptor from the USB device as a u8 and then index into an
array with this without checking whether it fell within the array
- NULL pointer dereference in f2fs driver via use of noflush_merge mount
option
- 1 CVEs addressed in Trusty and Precise ESM (Trusty HWE)
- See last week’s Episode 23 - discussed for Bionic kernel - now for
Trusty kernel (and the Trusty HWE kernel backported to Precise ESM)
- PolicyKit start time issue, fixed in kernel
[USN-3909-1] libvirt vulnerability
- 1 CVEs addressed in Xenial, Bionic, Cosmic
- NULL pointer dereference in libvirt if agent does not reply in time
(say guest is being shutdown) - crash host libvirt -> DoS
Goings on in Ubuntu Security Community
Ubuntu Hardening Response
Extended Security Maintenance for Ubuntu 14.04 (Trusty Tahr) begins April 25 2019
Hiring
Ubuntu Security Generalist
Robotics Security Engineer
Get in contact