Overview
Fixes for 19 different vulnerabilities across MySQL, Dovecot, Memcached and others, plus we talk to Joe McManus about the recent iLnkP2P IoT hack and the compromise of DockerHub’s credentials database and more.
This week in Ubuntu Security Updates
19 unique CVEs addressed
[USN-3957-1] MySQL vulnerabilities
- 8 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Latest upstream version 5.7.26 includes fixes for 8 different issues including:
- An unauthenticated remote attacker could gain complete access to all MySQL server data
- Multiple variants where a privileged attacker could hang or crash the MySQL server
[USN-3958-1] GStreamer Base Plugins vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic
- Heap-based buffer overflow in the RTSP connection parser - could allow a
malicious server to gain remote code execution on the client - the session id
can contain attributes separated by semicolons - the parser assumed that the
first semicolon it encountered delimited the end of the session id - however
the session id buffer has a maximum size of 512 bytes - so it would overflow by
copying the user-supplied session id length rather than sticking to the
maximum structure length - changed to only parse up to the maximum size of the
structure to ensure it does not overflow when copying
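To make the bounds check concrete, here is an added example (not GStreamer's own code) of a session id parser that limits the copy to the size of the destination structure rather than to the position of the peer-supplied semicolon; the struct, field names and timeout attribute handling are assumptions, and the 512-byte limit is the one from the notes above.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not GStreamer's own parser: a bounded parser for the value
 * of an RTSP "Session:" header. Struct and field names are assumptions; the
 * 512-byte session id limit is the one described in the notes above. */
#define SESSION_ID_MAX 512

typedef struct {
    char session_id[SESSION_ID_MAX];
    int timeout;            /* value of ";timeout=N", or -1 if absent */
} rtsp_session;

/* Copies the session id (everything before the first ';') into the fixed-size
 * buffer and parses an optional timeout attribute. Returns the number of id
 * bytes stored, or -1 for an empty id. The copy is bounded by the structure
 * size rather than by where the peer put the semicolon, so an overlong id is
 * truncated instead of overflowing the buffer. */
int parse_session_header(const char *value, rtsp_session *out)
{
    const char *semicolon = strchr(value, ';');
    size_t id_len = semicolon ? (size_t)(semicolon - value) : strlen(value);

    if (id_len == 0)
        return -1;
    if (id_len > SESSION_ID_MAX - 1)  /* the bounds check that was missing */
        id_len = SESSION_ID_MAX - 1;

    memcpy(out->session_id, value, id_len);
    out->session_id[id_len] = '\0';
    out->timeout = -1;

    /* Walk the remaining ";key=value" attributes; only timeout is used. */
    while (semicolon) {
        const char *attr = semicolon + 1;
        semicolon = strchr(attr, ';');
        if (strncmp(attr, "timeout=", 8) == 0)
            sscanf(attr + 8, "%d", &out->timeout);
    }
    return (int)id_len;
}

int main(void)
{
    rtsp_session s;
    int n = parse_session_header("abc123;timeout=60", &s);
    printf("stored %d bytes: id=%s timeout=%d\n", n, s.session_id, s.timeout);
    return 0;
}
```

A stricter implementation could reject an over-length id outright instead of truncating it; either way the copy length never comes from the untrusted header.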
[USN-3959-1] Evince vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
- Failed to check return values when calling libTIFF functions - these return
the pixel data from an embedded TIFF image - on failure it would end up
rendering uninitialised memory rather than the TIFF image - fixed to check the
return values and bail out on error
[USN-3960-1] WavPack vulnerability
- 1 CVE addressed in Bionic, Cosmic, Disco
- Found by fuzzing under valgrind - if no sample rate was specified then a
stack-declared but uninitialised value would be used - could cause a crash etc
since it could hold anything - fixed to initialise it to 0 and to check whether
it is still zero before proceeding to process
[USN-3961-1] Dovecot vulnerabilities
- 2 CVEs addressed in Cosmic, Disco
- Two issues related to authentication in recent versions of Dovecot - if a
client aborts authentication the server could crash due to a NULL pointer
dereference, and if using TLS but sending an invalid authentication message it
could crash as well
[USN-3962-1] libpng vulnerability
- 1 CVE addressed in Bionic, Cosmic
- Use-after-free in PNG image cleanup - the cleanup was originally called under
png_safe_execute() - this is an internal function which itself calls
png_image_free() - so after freeing the image it would free it a second time
under certain conditions - changed to call the free function directly rather
than via png_safe_execute()
[USN-3963-1] Memcached vulnerability
- 1 CVE addressed in Bionic, Cosmic, Disco
- Possible NULL pointer dereference via the local command interface due to
insufficient checks when parsing input - commands require 4 input tokens but
only 3 were checked for (off-by-one) - could allow an attacker with access to
the command interface to crash memcached
[USN-3953-2] PHP vulnerabilities
- 2 CVEs addressed in Precise ESM, Trusty ESM
- Episode 29 covered these for standard supported releases - this update is
for the ESM releases - two bugs in EXIF tag handling
[USN-3964-1] python-gnupg vulnerabilities
- 2 CVEs addressed in Bionic, Cosmic, Disco
- Possible to trick python-gnupg into decrypting ciphertext other than the
intended one when an attacker can control the passphrase and the ciphertext
is assumed trusted - python-gnupg uses the command-line interface of gnupg and
passes the passphrase directly to it along with the ciphertext - so if the
attacker includes newlines in the supplied passphrase they can inject their
own ciphertext (or plaintext in the context of encryption) - fixed to check
that the passphrase does not contain line-feed or carriage-return characters
- Possible to trick it by including what looks like the response from gnupg
directly in the filename to be decrypted when using verbose output mode -
fixed by sanitising this filename first
Discussion with Joe McManus about another IoT compromise and DockerHub
Goings on in Ubuntu Security Community
Hiring
Robotics Security Engineer
Get in contact