Episode 42

Overview

This week we have a special interview with Ubuntu Security Team member Jamie Strandboge, talking about security aspects of the Snap packaging system, as well as the usual roundup of security fixes from the past week.

This week in Ubuntu Security Updates

7 unique CVEs addressed

[USN-4058-2] Bash vulnerability

• 1 CVEs addressed in Precise ESM, Trusty ESM
  • CVE-2019-9924
• Episode 40 (rbash, BASH_CMDS)

[USN-4049-3, USN-4049-4] GLib regression

• Affecting Precise ESM, Trusty ESM, Xenial
• Episode 40 - previous update introduced a memory leak due to backport using different API which didn’t just return a const string but allocated it and returned it but was not freed
  • https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/1838890

[USN-4086-1] Mercurial vulnerability

• 1 CVEs addressed in Disco
  • CVE-2019-3902
• Able to write to files outside of the repository by using a combination of symlinks and subrepositories
  • Can be mitigated either by disabling support for subrepositories in your local configuration or by ensuring any cloned repos don’t contain malicious symlinks …

[USN-4087-1] BWA vulnerability

• 1 CVEs addressed in Bionic, Disco
  • CVE-2019-10269
• Genome sequencing - maps DNA sequences against large reference genome (aka human genome mapping)
• Takes input from .alt file - contains a name for the DNS sequence - which is read into a fixed sized buffer - stack buffer overflow if name too long (code even had a note - FIXME segfault here)

[USN-4088-1] PHP vulnerability

• 1 CVEs addressed in Precise ESM, Trusty ESM
  • CVE-2019-13224
• Use-after-free in the embedded oniguruma regular expression library if regular expression was multi-byte but input string was not (or vice-versa) - fix to disallow processing if either is not the same as the other

[USN-4089-1] Rack vulnerability

• 1 CVEs addressed in Xenial, Bionic
  • CVE-2018-16471
• XSS in Ruby webserver interface (used as middleware for writing Ruby web application)

[USN-4090-1] PostgreSQL vulnerabilities

• 2 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2019-10209
  • CVE-2019-10208
• Disco only - if a database contained super-user defined hash-equality operators, could allow attacker to read arbitrary server memory
• If a function was declared as “SECURITY DEFINER” an attacker could execute arbitrary SQL as the identity of the function owner - needs EXECUTE permission on the function and then requires the function itself to have inexact argument type matching otherwise will be disallowed.

Goings on in Ubuntu Security Community

Discussion with Joe McManus on Capital One breach and special guest Jamie Strandboge on snaps and security

• https://www.zdnet.com/article/100-million-americans-and-6-million-canadians-caught-up-in-capital-one-breach/
• https://snapcraft.io
• https://forum.snapcraft.io/t/security-policy-and-sandboxing/554
• https://assets.ubuntu.com/v1/66fcd858-ubuntu-core-security-whitepaper.pdf

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter