Overview
This week we cover security fixes for GNOME Shell, FFmpeg, Sudo, Ghostscript and others, and we talk to Joe McManus about malicious DockerHub images, Git repos being held for ransom, and more.
This week in Ubuntu Security Updates
14 unique CVEs addressed
[USN-3966-1] GNOME Shell vulnerability
- 1 CVE addressed in Bionic, Cosmic
- Local user could potentially bypass various restrictions of the lock
screen - menu items can be activated by keyboard combinations - these
could then be used to take screenshots (and fill up disk space), close
windows behind the lock screen or start the screen reader which could
read out the contents of windows behind the lock screen.
- Fixed by disabling all menu items when the screen is locked
[USN-3965-1] aria2 vulnerability
- 1 CVE addressed in Cosmic, Disco
- CLI download tool (akin to curl / wget but can also do BitTorrent and others)
- When logging to a file, would store the HTTP credentials used for a download
in the log file, which could then be read by other users
- Fixed by masking out the credentials before they are written to the log
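Masking credentials before they reach a log, as an added example written for these notes rather than aria2's own fix: the function below takes a raw HTTP request header block (the sample is constructed, not a real capture) and blanks the value of any Authorization or Proxy-Authorization header, preserving each line's ending so the rest of the log line survives unchanged. The header names, the mask string and the request itself are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Mask the values of Authorization and Proxy-Authorization headers in a raw
 * HTTP header block before it is written to a log. Lines may end in "\r\n",
 * "\n" or nothing; the original line ending is preserved. Writes into out
 * (outsz bytes) and returns the number of headers masked, or -1 if out is
 * too small.
 */
int mask_auth_headers(const char *hdrs, char *out, size_t outsz)
{
    static const char *const SENSITIVE[] = { "Authorization:", "Proxy-Authorization:" };
    const char MASK[] = " **********";
    size_t o = 0;
    int masked = 0;

    for (const char *p = hdrs; *p != '\0'; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) + 1 : strlen(p);  /* whole line incl. '\n' */
        size_t keep = len;                                    /* bytes copied verbatim */
        const char *tail = "";                                /* replaces the header value */
        const char *eol = "";                                 /* re-added line ending */
        int hit = 0;

        for (size_t i = 0; i < sizeof SENSITIVE / sizeof SENSITIVE[0]; i++) {
            size_t n = strlen(SENSITIVE[i]);
            /* header names are case-insensitive, so compare that way */
            if (len >= n && strncasecmp(p, SENSITIVE[i], n) == 0) {
                keep = n;
                tail = MASK;
                hit = 1;
                break;
            }
        }
        if (hit) {
            masked++;
            eol = !nl ? "" : (nl > p && nl[-1] == '\r') ? "\r\n" : "\n";
        }
        if (o + keep + strlen(tail) + strlen(eol) + 1 > outsz)
            return -1;
        memcpy(out + o, p, keep);            o += keep;
        memcpy(out + o, tail, strlen(tail)); o += strlen(tail);
        memcpy(out + o, eol, strlen(eol));   o += strlen(eol);
        p += len;
    }
    out[o] = '\0';
    return masked;
}

/* Convenience wrapper returning a pointer to a static buffer (not thread-safe),
 * or NULL if the masked block did not fit. */
const char *masked(const char *hdrs)
{
    static char out[1024];
    return mask_auth_headers(hdrs, out, sizeof out) < 0 ? NULL : out;
}

/* Constructed request header block such as a download tool would log (not a real capture). */
static const char REQUEST_HEADERS[] =
    "GET /private/file.iso HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Authorization: Basic dXNlcjpzM2NyM3Q=\r\n"
    "User-Agent: aria2/1.33.1\r\n"
    "\r\n";

int main(void)
{
    char out[512];
    int n = mask_auth_headers(REQUEST_HEADERS, out, sizeof out);
    printf("masked %d header(s):\n%s", n, out);
    return 0;
}
```

The same treatment belongs on `user:password@` in URLs and on proxy credentials before they are logged; doing it at the single point where the log line is formatted is easier to audit than remembering it at every call site.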
[USN-3967-1] FFmpeg vulnerabilities
- 5 CVEs addressed in Bionic, Cosmic, Disco
- CPU DoS in Matroska and HTML subtitle decoding
- Various issues discovered by Google’s oss-fuzz project:
- 2 x OOB read found by Google’s clusterfuzz / oss-fuzz project in MPEG-4 decoder
- NULL pointer dereference and OOB read in HEVC decoder
- Assertion failure for missing audio packet size in FLV encoder
[USN-3968-1] Sudo vulnerabilities
- 2 CVEs addressed in Xenial
- Failed to properly parse /proc/PID/stat - this is used to determine the
controlling tty - the command name field in this file is attacker-controlled
and could contain newlines - sudo would only read one line of input and so
would get a truncated name - when sudo is used with SELinux this allowed a
local user to confuse sudo as to where the destination for stdout / stderr
should be, and so cause sudo to overwrite an arbitrary file by creating a
symlink from the supposed tty to the destination file
- Fixed by reading and parsing the full file contents, including any newlines
- sudo contains the ability to restrict users with sudo access from running
further commands via the NOEXEC tag
- Does this by LD_PRELOAD-ing a library that replaces exec() and related
functions with versions that return an error
- wordexp() performs shell expansion on a string, which can contain a command
substitution directive like $(foo) that runs a command and captures its output
- glibc's wordexp() runs /bin/sh via an internal call to execve that is not
routed through the public exec() symbol, so the LD_PRELOAD replacement never
sees it - so a user who can run a binary that calls wordexp() on their input
could bypass the restriction
- Fixed by adding wordexp() to the LD_PRELOAD wrapper AND by adding a
seccomp filter to stop all execve() entirely
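Parsing /proc/PID/stat safely, as an added example for the first of the two sudo issues (this is not sudo's code, and the two stat lines are constructed, not real captures): the command name in field 2 is attacker controlled and may contain spaces, parentheses and newlines, so a parser that reads a single line and splits on spaces can be steered to an attacker-chosen tty number. Reading the whole file and anchoring on the last ')' before the kernel-written fields is the approach the sudo fixes took; the device numbers used below are the usual ones for /dev/pts/1 and /dev/console and are given only to make the two outcomes distinguishable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed /proc/PID/stat contents (not real captures). Field 2 (comm) is
 * shown in parentheses and is attacker controlled: it may contain spaces,
 * parentheses and newlines. Field 7 is tty_nr; 34817 is makedev(136, 1),
 * i.e. /dev/pts/1, and 1281 is makedev(5, 1), i.e. /dev/console.
 */
static const char BENIGN_STAT[] =
    "4242 (bash) S 4100 4242 4242 34817 4242 4194304 0 0 0 0 0 0 0 0 20 0 1 0 0\n";

/* comm is "x 1 2 3 4 1281\n" (15 bytes, within TASK_COMM_LEN): a line-oriented,
 * space-split parser sees the attacker's 1281 as field 7 and never reaches the
 * kernel's real fields, which only start after the newline. */
static const char HOSTILE_STAT[] =
    "4242 (x 1 2 3 4 1281\n) S 4100 4242 4242 34817 4242 4194304 0 0 0 0 0 0 0 0 20 0 1 0 0\n";

/* Naive parse: read a single line (what fgets() would return), split on
 * spaces, take the 7th field. Returns -1 if the field is missing. */
long naive_tty_nr(const char *stat)
{
    char line[512];
    size_t n = strcspn(stat, "\n");          /* stop at the first newline, like fgets() */
    if (n >= sizeof line)
        n = sizeof line - 1;
    memcpy(line, stat, n);
    line[n] = '\0';

    int field = 0;
    for (char *tok = strtok(line, " "); tok; tok = strtok(NULL, " "))
        if (++field == 7)
            return strtol(tok, NULL, 10);
    return -1;
}

/* Robust parse: use the whole buffer (not just the first line), skip past the
 * LAST ')' because comm itself may contain ')', then read the fixed-position
 * fields that follow it: state ppid pgrp session tty_nr. */
long robust_tty_nr(const char *stat)
{
    const char *end = strrchr(stat, ')');
    if (end == NULL)
        return -1;
    char state;
    long ppid, pgrp, session, tty_nr;
    if (sscanf(end + 1, " %c %ld %ld %ld %ld", &state, &ppid, &pgrp, &session, &tty_nr) != 5)
        return -1;
    return tty_nr;
}

int main(void)
{
    printf("benign : naive=%ld robust=%ld\n", naive_tty_nr(BENIGN_STAT), robust_tty_nr(BENIGN_STAT));
    printf("hostile: naive=%ld robust=%ld\n", naive_tty_nr(HOSTILE_STAT), robust_tty_nr(HOSTILE_STAT));
    return 0;
}
```

The general lesson is that any field of /proc/PID/stat before the closing ')' is untrusted text, so a parser must read the complete contents and never let a record separator (space or newline) inside the command name decide where the kernel-controlled fields begin.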
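The seccomp half of the NOEXEC fix, as an added example for the second sudo issue (this is not sudo's sudo_noexec.so or its filter): the program first shows wordexp() command substitution reaching /bin/sh, then installs a minimal seccomp-BPF filter that makes execve()/execveat() fail with EPERM, and shows the same wordexp() call and a direct execve() now failing. Linux with glibc is assumed, the probe path /nonexistent/probe is constructed, and the filter omits the architecture check that a production filter must include.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <wordexp.h>

/* Does wordexp() command substitution reach a shell? Returns 1 if "$(echo marker)"
 * expanded to "marker" (so /bin/sh actually ran), 0 otherwise. */
int command_substitution_works(void)
{
    wordexp_t we;
    int ok = 0;
    if (wordexp("$(echo marker)", &we, 0) == 0) {
        ok = we.we_wordc == 1 && strcmp(we.we_wordv[0], "marker") == 0;
        wordfree(&we);
    }
    return ok;
}

/* errno from execve() of a path that does not exist (constructed): ENOENT normally,
 * EPERM once the filter below is active, since seccomp runs before path lookup. */
int exec_probe_errno(void)
{
    char *const argv[] = { "probe", NULL };
    char *const envp[] = { NULL };
    execve("/nonexistent/probe", argv, envp);
    return errno;
}

/* Install a seccomp-BPF filter that makes execve()/execveat() fail with EPERM for
 * this process and everything it forks or clones. Returns 0 on success, -1 on
 * failure with errno set. A production filter must also verify seccomp_data.arch
 * before trusting the syscall number; that check is omitted here for brevity. */
int install_noexec_filter(void)
{
    struct sock_filter filter[] = {
        /* A = syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* if (A == __NR_execve) return -EPERM */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
#ifdef __NR_execveat
        /* if (A == __NR_execveat) return -EPERM */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
#endif
        /* everything else is allowed */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* required before an unprivileged process may install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("before filter: substitution works = %d, execve errno = %d (ENOENT = %d)\n",
           command_substitution_works(), exec_probe_errno(), ENOENT);
    if (install_noexec_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("after filter:  substitution works = %d, execve errno = %d (EPERM = %d)\n",
           command_substitution_works(), exec_probe_errno(), EPERM);
    return 0;
}
```

Because the filter is inherited across fork() and clone() and applies however the exec is reached (PLT call, glibc-internal alias, or raw syscall), it closes the gap that symbol interposition alone cannot; the trade-off is that a NOEXEC'd command then cannot exec anything at all, which is exactly the semantics the tag promises.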
[USN-3969-1, USN-3969-2] wpa_supplicant and hostapd vulnerability
- 1 CVE addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
- Possible NULL pointer dereference if an attacker could construct
out-of-sequence EAP message fragments (e.g. a continuation fragment arriving
when no reassembly is in progress)
- Fixed by validating and rejecting invalid fragments on both the peer
(wpa_supplicant) and server (hostapd) side
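A fragment reassembler that rejects out-of-sequence fragments, as an added example standing in for the class of bug rather than wpa_supplicant's or hostapd's EAP code: the framing is a simplified EAP-pwd-style one assumed for the example (an L flag meaning a 2-byte total length precedes the payload, an M flag meaning more fragments follow), and the fragments fed in are constructed. The branch to look at is the one that refuses a "more fragments" fragment when no reassembly buffer exists, which is where unchecked code would append to a NULL buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified EAP-pwd-style flag bits for this example. */
#define FLAG_L 0x80   /* a 2-byte total length precedes the payload: first fragment */
#define FLAG_M 0x40   /* more fragments follow */

enum { FRAG_INVALID = -1, FRAG_DONE = 0, FRAG_MORE = 1 };

struct reasm {
    uint8_t *buf;    /* NULL when no reassembly is in progress */
    size_t   total;  /* announced total message length */
    size_t   got;    /* bytes collected so far */
};

static void reasm_reset(struct reasm *r)
{
    free(r->buf);
    r->buf = NULL;
    r->total = r->got = 0;
}

/* Feed one fragment (flags byte already split off). Returns FRAG_DONE when a
 * complete message sits in r->buf (r->got bytes), FRAG_MORE while waiting,
 * FRAG_INVALID for an out-of-sequence or inconsistent fragment. */
int reasm_process(struct reasm *r, uint8_t flags, const uint8_t *payload, size_t len)
{
    if (flags & FLAG_L) {
        /* first fragment: starts a new reassembly, discarding any stale one */
        if (len < 2)
            return FRAG_INVALID;
        size_t total = ((size_t)payload[0] << 8) | payload[1];
        payload += 2;
        len -= 2;
        if (total == 0 || len > total)
            return FRAG_INVALID;
        reasm_reset(r);
        r->buf = malloc(total);
        if (r->buf == NULL)
            return FRAG_INVALID;
        r->total = total;
        memcpy(r->buf, payload, len);
        r->got = len;
    } else if (r->buf != NULL) {
        /* continuation of an in-progress reassembly, bounded by the announced total */
        if (len > r->total - r->got) {
            reasm_reset(r);
            return FRAG_INVALID;
        }
        memcpy(r->buf + r->got, payload, len);
        r->got += len;
    } else if (flags & FLAG_M) {
        /* "more fragments" but nothing is being reassembled: out of sequence.
         * Without this branch the code above would memcpy() into r->buf + r->got
         * with r->buf == NULL, i.e. the NULL pointer dereference. */
        return FRAG_INVALID;
    } else {
        /* unfragmented message: deliver as-is */
        r->buf = malloc(len ? len : 1);
        if (r->buf == NULL)
            return FRAG_INVALID;
        memcpy(r->buf, payload, len);
        r->total = r->got = len;
    }

    if (flags & FLAG_M)
        return FRAG_MORE;
    if (r->got != r->total) {      /* final fragment, but the message is still short */
        reasm_reset(r);
        return FRAG_INVALID;
    }
    return FRAG_DONE;
}

/* Scenario 1 (constructed): "abcdef" sent as two in-order fragments; returns 1 on success. */
int scenario_in_order(void)
{
    struct reasm r = {0};
    static const uint8_t first[] = { 0x00, 0x06, 'a', 'b', 'c' };  /* total = 6, then 3 bytes */
    static const uint8_t last[]  = { 'd', 'e', 'f' };
    int ok = reasm_process(&r, FLAG_L | FLAG_M, first, sizeof first) == FRAG_MORE
          && reasm_process(&r, 0, last, sizeof last) == FRAG_DONE
          && r.got == 6 && memcmp(r.buf, "abcdef", 6) == 0;
    reasm_reset(&r);
    return ok;
}

/* Scenario 2 (constructed): a lone "more fragments" fragment on a fresh context. */
int scenario_out_of_sequence(void)
{
    struct reasm r = {0};
    static const uint8_t stray[] = { 'x', 'y', 'z' };
    int rc = reasm_process(&r, FLAG_M, stray, sizeof stray);
    reasm_reset(&r);
    return rc;
}

int main(void)
{
    printf("in order: %d, out of sequence: %d\n", scenario_in_order(), scenario_out_of_sequence());
    return 0;
}
```

The same state check belongs on both sides of the exchange: a peer must not trust that the server only sends fragments in order, and a server must not trust the peer, which is why the fix landed in both wpa_supplicant and hostapd.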
[USN-3970-1] Ghostscript vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
- Follow up to CVE-2019-6116 (Episode 18)
- The Ghostscript sandbox (-dSAFER) allowed access to internal system
operators, which allowed arbitrary code execution
- The earlier fix missed some protections for PDF-related operators, which
could also be abused for code execution
[USN-3971-1] Monit vulnerabilities
- 2 CVEs addressed in Cosmic, Disco
- Buffer over-read when decoding URLs could allow a remote authenticated
attacker to read other memory - information disclosure, but could also
cause a crash via reading from an invalid memory location
- Persistent XSS when decoding the Authorization header for HTTP Basic
Authentication could allow an unauthenticated remote attacker to inject
arbitrary JavaScript that is then rendered by the _viewlog operation -
fixed by properly escaping this data
[USN-3956-2] Bind vulnerability
- 1 CVE addressed in Precise ESM, Trusty ESM
- Episode 29 covered the fix for the standard support releases - now fixed in ESM
Discussion with Joe McManus about malicious DockerHub images and Git repo takeover ransoms
Goings on in Ubuntu Security Community
Robotics Security Engineer
Security Certifications Engineer
Get in contact