Overview
Ghostscript is back to haunt us for another week, plus we look at vulnerabilities in ntfs-3g, snapd, Firefox and more.
This week in Ubuntu Security Updates
39 unique CVEs addressed
[USN-3911-1] file vulnerabilities
- 4 CVEs addressed in Xenial, Bionic, Cosmic
- 4 DoS (crash) issues found via fuzzing:
  - Stack overflow in readelf
  - 2 different OOB reads due to failure to NULL-terminate a string before processing it
  - Read past end of stack due to failing to properly keep track of buffer sizes
[USN-3906-2] LibTIFF vulnerabilities
- 8 CVEs addressed in Precise ESM
- Covered in Episode 18 and Episode 24 for standard Ubuntu releases (not
  all CVEs covered in those updates are applicable to Precise ESM)
[USN-3912-1] GDK-PixBuf vulnerability
- 1 CVE addressed in Xenial
- Failure to properly validate BMP image palette parameters - leading to an
  out-of-bounds access when decoding the colormap later on
[USN-3914-1] NTFS-3G vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic
- Discovered recently by Chris Coulson during a code audit of ntfs-3g - it
  had actually been fixed upstream late last year but no CVE was assigned
- Heap buffer overflow able to be triggered when mounting a filesystem
onto a mount point with path name greater than PATH_MAX, and from a
current working directory which has a path name also greater than
PATH_MAX
- The buffer contents are attacker controlled, so the heap is overflowed
  with attacker-controlled input - likely leverageable into arbitrary
  code execution
- A contrived example, BUT in Debian and Ubuntu ntfs-3g is setuid root -
  which then turns this into root privilege escalation with arbitrary code
  execution
- Update was released within hours of the bug being made public to fix
the heap buffer overflow
- Currently testing ntfs-3g as not setuid root, to be released in a future
  update so that any other possible privilege escalation bugs are avoided in
  the future
[USN-3915-1] Ghostscript vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Similar to the previous CVE: the forceput operator could be extracted from
  the DefineResource method to allow access to the file system outside of
  the -dSAFER sandbox
- The superexec operator was available in the internal dictionary - also
  able to be extracted and hence used to access files outside the
  sandbox
[USN-3913-1] P7ZIP vulnerabilities
- 2 CVEs addressed in Xenial
- Heap-based OOB write when decompressing a crafted ZIP file (crash -> DoS, possible code execution)
- Heap-based OOB read when decompressing a UDF file (Universal Disk Format - used for DVD images) - crash, DoS
[USN-3918-1] Firefox vulnerabilities
- 17 CVEs addressed in Xenial, Bionic, Cosmic
- Almost the latest Firefox release (this is 66; 66.0.1 was released Friday after Pwn2Own
  last week, so expect another Firefox update today or tomorrow)
- Multiple memory safety issues fixed, possible code execution as a result
- 3 issues in FTP modal dialogs allow either DoS of the user via
  successive dialogs, or social engineering attacks against
  the user
- Possible information leak from parent to child process via IPC channels
- Various UAFs, type confusion etc. -> memory corruption -> possible code execution
- Incorrect bounds checking on JS objects IF Spectre mitigations are
  disabled (these are enabled by default, so the user would have to
  explicitly disable them)
- and more…
[USN-3917-1] snapd vulnerability
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
- Jann Horn reported that the seccomp blacklist for TIOCSTI can be bypassed
- snapd creates a seccomp filter for each snap which is designed to
  block TIOCSTI (as this can be used to fake input to other processes
  outside of the sandbox)
- TIOCSTI is a 32-bit value passed to the ioctl system call, but on 64-bit
  architectures the kernel's seccomp comparison is done on the argument as a
  64-bit integer - so the filter can be circumvented by passing a 64-bit
  value to the ioctl system call with extra bits set in the upper 32 bits:
  since seccomp compares the full 64 bits, the value does not match the
  32-bit TIOCSTI value and the call is allowed - but when it is then used as
  the ioctl() request argument it is correctly truncated to 32 bits and the
  ioctl proceeds
- Fixed in snapd by adding a second seccomp filter to disallow anything with
  bits set in the upper 32 bits
- Initially this seemed like a kernel or libseccomp issue, but both already
  document this as a limitation, so in the end it was treated as a
  vulnerability in snapd
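The 32-bit versus 64-bit comparison mismatch described above, as an added example that is not snapd's code: the original exact-match filter beside the hardened one, evaluated by a small classic-BPF interpreter rather than the kernel. Assumed here: TIOCSTI == 0x5412, the x86-64 little-endian layout of struct seccomp_data, and folding snapd's second filter into the same program as an extra check on the upper 32 bits.

```c
/* Added example, not snapd's code: the TIOCSTI seccomp check before and after the
 * fix, run through a tiny classic-BPF interpreter instead of the kernel. Assumed:
 * x86-64 little-endian seccomp_data layout, TIOCSTI == 0x5412, fix folded into one program. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/filter.h>   /* struct sock_filter, BPF_STMT, BPF_JUMP */
#include <linux/seccomp.h>  /* struct seccomp_data, SECCOMP_RET_* */
#include <sys/syscall.h>    /* __NR_ioctl */
#define TIOCSTI_CMD 0x5412u
#define DENY  (SECCOMP_RET_ERRNO | EPERM)
#define ALLOW SECCOMP_RET_ALLOW
#define ARG1_LO offsetof(struct seccomp_data, args[1]) /* BPF loads 32 bits at a time, */
#define ARG1_HI (ARG1_LO + 4)                          /* so a 64-bit arg is two loads */
/* deny_upper == 0: original filter, an exact 64-bit match, so a request with upper bits set
 * is "not TIOCSTI" and allowed although ioctl() truncates it. deny_upper == 1: the fix. */
size_t build_tiocsti_filter(struct sock_filter *out, int deny_upper)
{
    out[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    out[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 5); /* other syscall -> 7 */
    out[2] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_HI);
    out[3] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, deny_upper ? 2 : 3); /* hi != 0 -> 6 or 7 */
    out[4] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_LO);
    out[5] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI_CMD, 0, 1); /* match -> 6, else 7 */
    out[6] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, DENY);
    out[7] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, ALLOW);
    return 8;
}
/* Minimal cBPF interpreter: only the three opcodes used above; jumps are relative to the next insn. */
uint32_t run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const unsigned char *)d + p[pc].k, sizeof acc);
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
        else if (p[pc].code == (BPF_RET | BPF_K))
            return p[pc].k;
    }
    return SECCOMP_RET_KILL; /* fell off the end; unreachable for the program above */
}
uint32_t ioctl_verdict(int deny_upper, uint64_t request) /* verdict for ioctl(fd, request, ...) */
{
    struct sock_filter prog[8];
    struct seccomp_data d = { .nr = __NR_ioctl, .args = { 3, request } };
    return run_filter(prog, build_tiocsti_filter(prog, deny_upper), &d);
}
```

The same two programs can be handed to the kernel unchanged via prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...); the interpreter only exists so the difference can be checked without installing a filter.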
[USN-3916-1] libsolv vulnerabilities
- 3 CVEs addressed in Cosmic
- A dependency solver used by packaging systems to resolve dependencies
  between packages etc.
- 2 NULL pointer dereferences and 1 invalid memory read due to
  mishandling of variable-length function arguments - all crash -> DoS
Goings on in Ubuntu Security Community
Hiring
Ubuntu Security Generalist
Robotics Security Engineer