Ubuntu Security Podcast

Episode 3

10 min • 3 September 2018

Overview

This week we look at 29 unique CVEs addressed across the supported Ubuntu releases, a discussion of the Main Inclusion Review process and recent news around the bubblewrap package, and open positions within the team.

This week in Ubuntu Security Updates

29 unique CVEs addressed

[USN-3756-1] Intel Microcode vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic
  • Intel microcode updates to address L1TF, Spectre Variant 4 and Rogue System Register Read (RSRE)
  • Intel initially released this with a brand new license which included terms around disallowing benchmarking and possibly preventing redistribution via the Ubuntu mirrors
    • As a result, we couldn’t provide updated microcode packages to fully address L1TF etc.
    • Intel have now reverted back to the license used on previous microcode packages and so this can now finally be released
  • https://perens.com/2018/08/22/new-intel-microcode-license-restriction-is-not-acceptable/

[USN-3755-1] GD vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic
  • Popular image manipulation and creation library used by PHP and therefore in many PHP web applications
  • Issue in handling of signed integers in GIF decoder allows an attacker to trigger an infinite loop and cause DoS via a specially crafted GIF file
  • Double free in JPEG decoder could allow a user to possibly execute arbitrary code via specially crafted JPEG file

[USN-3757-1] poppler vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic
  • Fixed a crash (hence DoS) due to out-of-bounds read in PDF decoding

[USN-3758-1] libx11 vulnerabilities

  • 5 CVEs addressed in Trusty, Xenial, Bionic
  • Bundles some fixes for some low priority old CVEs with some new medium priority CVE fixes
  • Updates are usually done in this manner, where low priority fixes wait to get fixed along with higher priority fixes for a package
  • Fixes issues around handling of data from untrusted servers and image decoding
    • Usual failure to validate inputs, off-by-one, integer signedness confusion and incorrect freeing of dynamically allocated memory style issues

[USN-3758-2] libx11 vulnerabilities

[USN-3752-3] Linux kernel (Azure, GCP, OEM) vulnerabilities

Goings on in Ubuntu Security Community

MIR Process and bubblewrap

  • Security team is responsible for doing security audits of packages which are proposed to be included in the main section of the Ubuntu package repository
    • Packages in main are officially maintained, supported and recommended so deserve a high level of scrutiny before promotion into main
    • Security team historically only provides security updates to packages in main as well
    • So we have to be confident we can maintain and support a given package
  • To perform the security review we look at a number of things:
    • The code is evaluated to determine how easy or not it would be to maintain
    • The package itself is evaluated to look for potential issues
    • Code is then evaluated to look for potential existing security vulnerabilities
  • This can be a time consuming process, especially to do well
  • Recently this was in the news, when Hanno Böck (infosec journalist and researcher) and Tavis Ormandy (GPZ) raised the issue of the lack of bubblewrap support for GNOME desktop thumbnailers
    • bubblewrap provides support for sandboxing processes via namespaces and the use of it to sandbox desktop thumbnailers was introduced in the GNOME 3.26 release
    • It was planned to be supported for Ubuntu 18.04, but to do this the package had to be moved from universe into main, hence a MIR
    • Due to shifting priorities, the security team was not able to get this done in time and hence the feature had to be disabled
    • This MIR is being prioritised now so this security hardening feature should be available in an upcoming release
    • Security team is also looking at how to strengthen the hardening via AppArmor MAC profiles in addition
    • Thanks to Hanno and Tavis for giving this greater visibility
  • https://wiki.ubuntu.com/MainInclusionProcess
  • https://www.bleepingcomputer.com/news/security/ubuntu-is-undoing-a-gnome-security-feature/

Hiring

Ubuntu Security Manager

Ubuntu Security Engineer

Get in contact
