
Episode 49
Ubuntu Security Podcast · Ubuntu Security Team
October 18, 2019 · 22m 45s
Show Notes
Overview
This week we look at updates for Sudo, Python, OpenStack Octavia and more, plus we discuss a recent CVE for Python which resulted in erroneous scientific research results, and we go over some of your feedback from Episode 48.
This week in Ubuntu Security Updates
27 unique CVEs addressed
[USN-4148-1] OpenEXR vulnerabilities [00:45]
- 8 CVEs addressed in Xenial, Bionic, Disco
- Image format developed by ILM with a high dynamic range for computer imaging applications
- Range of issues (C++ codebase)
- OOB writes (usually only a few bytes past the end of a buffer) -> assertion failure or memory corruption -> crash / code execution
- OOB reads (same) -> crash
[USN-4149-1] Unbound vulnerability [02:06]
- 1 CVE addressed in Disco
- Validating, recursive DNS resolver
- OOB read triggered by a remotely crafted NOTIFY query (the source IP has to match an ACL) -> crash
[USN-4151-1, USN-4151-2] Python vulnerabilities [02:40]
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- The XML-RPC server module could end up serving arbitrary JavaScript if a title was set via the set_server_title() method, as it did not escape the content
- The Python email module tries to parse an email address into a local part + domain; if the domain contains multiple @ characters it could get confused and return the wrong output, so applications which rely on this for validating email addresses could accept an address which is actually invalid
[USN-4152-1] libsoup vulnerability [03:53]
- 1 CVE addressed in Bionic, Disco
- Heap buffer OOB read - fails to check the specified length of a message against the actual received message, so it could memcpy past the end of the input message -> crash
[USN-4153-1] Octavia vulnerability [04:33]
- 1 CVE addressed in Disco
- Amphora images in OpenStack Octavia fail to properly validate client certificates for management network clients -> could allow anyone with management network access to retrieve information / issue config commands
[USN-4154-1] Sudo vulnerability [05:06]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Lots of press around a seemingly high priority privilege escalation vulnerability - BUT it requires an admin to have configured sudo in a particular way (i.e. a Runas rule that lets a user run a command as any other user via the ALL keyword). If that rule had also been configured to explicitly deny running the command as root, the denial could be bypassed by the user specifying a UID of -1. So it would only affect a very small number of installations.
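As an added example (not from the podcast or the sudo project), a small POSIX shell check that scans sudoers-format text for Runas specs combining ALL with a negated root entry, the configuration shape described above; the sample rules are constructed, and the check assumes only whole-line # comments and standard "user host = (runas) command" rules.

```shell
#!/bin/sh
# Added example (not from the podcast or the sudo project): flag sudoers
# Runas specs that combine the ALL keyword with an explicit exclusion of
# root, the configuration shape the USN-4154-1 item describes.
# Assumptions: rules look like "user host = (runas[:group]) [TAG:] cmd";
# only whole-line "#" comments are skipped (a "#" elsewhere may be a
# UID such as #0, so it is kept); Defaults and alias lines are ignored.

# Read sudoers text on stdin; print each rule whose Runas user list
# contains ALL together with a negated root or #0 entry, in either order.
find_all_minus_root_runas() {
    grep -v '^[[:space:]]*#' |
        grep -E '\([^)]*ALL[^)]*![[:space:]]*(root|#0)|\([^)]*![[:space:]]*(root|#0)[^)]*ALL'
}

# Number of affected rules on stdin (always exits 0, even when none).
count_all_minus_root_runas() {
    find_all_minus_root_runas | wc -l | tr -d ' '
}

# Constructed sample sudoers content: two affected rules, one rule that
# names the permitted target users explicitly, one unrelated rule.
sample_sudoers() {
    cat <<'EOF'
# Affected shape: ALL with root removed by negation
bob    ALL = (ALL, !root) /usr/bin/vi
dave   ALL = (ALL, !#0) /usr/bin/less
# Hardened shape: enumerate the target users instead of "all but root"
alice  ALL = (www-data, postgres) /usr/bin/vi
# Unrelated: single explicit Runas target
carol  ALL = (www-data) /usr/bin/systemctl restart apache2
EOF
}

# Demo: list the affected rules from the sample. For a live check run
# "find_all_minus_root_runas < /etc/sudoers" (and each /etc/sudoers.d file).
sample_sudoers | find_all_minus_root_runas
echo "affected rules: $(sample_sudoers | count_all_minus_root_runas)"
```

The hardened rule in the sample lists the permitted target users explicitly rather than subtracting root from ALL, which is the shape to migrate flagged rules to independently of applying the update.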
[USN-4155-1] Aspell vulnerability [07:26]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Stack buffer over-read - found by Google's OSS-Fuzz
[USN-4156-1] SDL vulnerabilities [08:03]
- 12 CVEs addressed in Xenial, Bionic
- All the higher priority ones were covered in Episode 48 for SDL 2.0 - now fixed for SDL 1.2 as well, plus a bunch of fixes rolled in for lower priority issues (buffer over-reads in WAV handling etc)
Goings on in Ubuntu Security Community
Alex and Joe discuss whether CVEs should be assigned for bad documentation, and the erroneous scientific research results that followed from it [09:20]
Feedback on desired features for 20.04 [18:53]
- cafzo on discourse.ubuntu.com
- encrypted home directories
- guest-accounts