Overview
This week we have a special interview with Ubuntu Security Team member
Jamie Strandboge, talking about security aspects of the Snap packaging
system, as well as the usual roundup of security fixes from the past week.
This week in Ubuntu Security Updates
7 unique CVEs addressed
[USN-4058-2] Bash vulnerability
- 1 CVE addressed in Precise ESM, Trusty ESM
- Episode 40 (rbash, BASH_CMDS)
- Affecting Precise ESM, Trusty ESM, Xenial
- Episode 40 - the previous update introduced a memory leak: the backport
used a different API which, instead of returning a const string, allocated
the string and returned it, and the caller never freed it
[USN-4086-1] Mercurial vulnerability
- 1 CVE addressed in Disco
- Able to write to files outside of the repository by using a combination of symlinks and subrepositories
- Can be mitigated either by disabling support for subrepositories in
your local configuration or by ensuring that any cloned repos don’t contain
malicious symlinks …
- 1 CVE addressed in Bionic, Disco
- Genome sequencing - maps DNA sequences against a large reference genome (aka human genome mapping)
- Takes input from a .alt file, which contains a name for the DNA sequence;
the name is read into a fixed-size buffer, so a stack buffer overflow occurs
if the name is too long (the code even had a note: FIXME segfault here)
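The check that prevents this class of bug, as an added example in C that is not bwa's code and not from the episode notes: the token is measured before it is copied, and a name that would not fit is rejected instead of overflowing the stack buffer. The buffer size and the simplified .alt line layout are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size for the sequence name (not bwa's real value). */
#define NAME_MAX 256
/* The bug class: an unchecked copy such as sscanf(line, "%s", name) writes
 * as many bytes as the token has, regardless of the size of `name`.
 * This version measures the token first and refuses anything that would
 * not fit, leaving the stack buffer untouched in that case. */
bool read_seq_name(const char *line, char *out, size_t outsz)
{
    size_t n = strcspn(line, " \t\r\n");   /* length of the first token */
    if (n == 0 || n >= outsz)               /* no token, or no room for NUL */
        return false;
    memcpy(out, line, n);
    out[n] = '\0';
    return true;
}
/* Parse one (simplified, assumed) .alt-style line: returns the length of the
 * sequence name, or -1 if the line was rejected instead of overflowing. */
int parse_alt_record(const char *line)
{
    char name[NAME_MAX];                   /* the fixed-size stack buffer */
    if (!read_seq_name(line, name, sizeof name))
        return -1;
    return (int)strlen(name);
}

/* Boundary probe: build a name of `len` 'A's and report whether it is accepted. */
bool name_of_length_accepted(size_t len)
{
    char line[1024];
    if (len >= sizeof line) return false;
    memset(line, 'A', len);
    line[len] = '\n';
    line[len + 1] = '\0';
    return parse_alt_record(line) == (int)len;
}

int main(void)
{
    /* Constructed sample record, not taken from a real .alt file. */
    const char *ok = "chr1_KI270706v1_random\t175055\n";
    printf("name length: %d\n", parse_alt_record(ok));                /* 22 */
    printf("255 chars accepted: %d\n", name_of_length_accepted(255)); /* 1 */
    printf("256 chars accepted: %d\n", name_of_length_accepted(256)); /* 0 */
    return 0;
}
```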
- 1 CVE addressed in Precise ESM, Trusty ESM
- Use-after-free in the embedded oniguruma regular expression library if the
regular expression used a multi-byte encoding but the input string did not (or
vice versa) - fixed by refusing to process the pair unless both use the same
encoding
[USN-4089-1] Rack vulnerability
- 1 CVE addressed in Xenial, Bionic
- XSS in the Ruby webserver interface (used as middleware for writing Ruby web
applications)
[USN-4090-1] PostgreSQL vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Disco
- Disco only - if a database contained super-user-defined hash-equality
operators, an attacker could read arbitrary server memory
- If a function was declared as “SECURITY DEFINER”, an attacker could
execute arbitrary SQL as the identity of the function owner - needs
EXECUTE permission on the function, and then requires the function itself
to have inexact argument type matching, otherwise it will be disallowed.
Goings on in Ubuntu Security Community
Discussion with Joe McManus on Capital One breach and special guest Jamie Strandboge on snaps and security
Get in contact