Overview
Alex and Joe discuss the big news of this week - the release of Ubuntu
19.10 Eoan Ermine - plus we look at updates for the Linux kernel, libxslt,
UW IMAP and more.
This week in Ubuntu Security Updates
51 unique CVEs addressed
[USN-4156-2] SDL vulnerabilities [00:37]
[USN-4160-1] UW IMAP vulnerability [01:04]
- 1 CVE addressed in Xenial, Bionic, Disco
- University of Washington IMAP toolkit (used by PHP for its IMAP implementation)
- Used rsh to implement various operations and didn't try to sanitize the
provided hostname - so if an attacker could get a hostname/mailbox string
into PHP's IMAP functions without any validation they could execute
arbitrary commands on the host
- Fixed by turning off the rsh based functionality by default in PHP - if
you still want this you can set imap.enable_insecure_rsh, but this is
not advised…
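A defensive wrapper around PHP's imap_open() that follows the fix described above: refuse to connect while imap.enable_insecure_rsh is on, and only pass a strictly validated mailbox string through. This is an added example, not code from the podcast, PHP or the UW IMAP toolkit; the mailbox-spec parsing is simplified and the allowed-flag list is an assumption to trim to what you actually use.

```php
<?php
// Added example (not from the podcast, PHP or UW IMAP). Guards imap_open()
// so that attacker-controlled text never reaches the rsh code path.
// Mailbox format assumed as in the PHP manual: {host[:port][/flag...]}name

function insecure_rsh_enabled(): bool
{
    // The setting is off by default; any truthy value re-enables rsh.
    $v = ini_get('imap.enable_insecure_rsh');
    return filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

function validate_mailbox(string $mailbox): bool
{
    if (!preg_match('/^\{([^}]*)\}(.*)$/s', $mailbox, $m)) {
        return false;
    }
    $parts = explode('/', $m[1]);
    $hostport = array_shift($parts);
    // Host limited to DNS-label characters, optional 1-5 digit port.
    // Spaces, quotes, shell metacharacters and a leading "-" are rejected.
    $hostRe = '/^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$/';
    if (!preg_match($hostRe, $hostport)) {
        return false;
    }
    // Assumed allowlist of connection flags; extend only as needed.
    $allowed = ['imap', 'ssl', 'tls', 'notls', 'validate-cert', 'readonly'];
    foreach ($parts as $flag) {
        if (!in_array($flag, $allowed, true)) {
            return false;
        }
    }
    // Mailbox name: no braces and no control characters.
    return !preg_match('/[{}\x00-\x1f\x7f]/', $m[2]);
}

function safe_imap_open(string $mailbox, string $user, string $password)
{
    if (insecure_rsh_enabled()) {
        throw new RuntimeException('imap.enable_insecure_rsh is on; refusing to connect');
    }
    if (!validate_mailbox($mailbox)) {
        throw new InvalidArgumentException('rejected mailbox spec');
    }
    return imap_open($mailbox, $user, $password);
}

// Constructed inputs: the first passes validation, the second does not.
var_dump(validate_mailbox('{imap.example.com:993/ssl}INBOX')); // bool(true)
var_dump(validate_mailbox('{imap.example.com; id}INBOX'));     // bool(false)
```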
[USN-4158-1] LibTIFF vulnerabilities [02:17]
- 2 CVEs addressed in Xenial, Bionic, Disco
- Integer overflow -> heap based buffer overflow -> crash, DoS or code
execution
- (Low) Integer overflow due to undefined behaviour in the existing overflow
checking code when multiplying various elements -> no known way to
exploit
[USN-4155-2] Aspell vulnerability [03:13]
- 1 CVE addressed in Eoan
- Episode 49 covered this for older releases - Eoan is now out so updated there too
[USN-4159-1] Exiv2 vulnerability [03:31]
- 1 CVE addressed in Xenial, Bionic, Disco, Eoan
- OOB read -> crash, DoS
[USN-4164-1] Libxslt vulnerabilities [03:44]
- 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- OSS-Fuzz found 3 issues
- possible heap buffer overflow as a result of a dangling pointer - the
same memory area could be reused for future memory operations -> fixed
to reset the pointer when done
- 2 low priority issues - both stack memory info disclosures
[USN-4157-1, USN-4157-2] Linux kernel vulnerabilities [04:59]
- 9 CVEs addressed in Bionic (HWE) and Disco
- Integer overflow -> buffer overflow -> root privesc in binder
- Reintroduction of Spectre v1 vulnerability in ptrace subsystem - found by
Brad Spengler - fixed properly in Linus' tree but not when it got
backported to the stable tree - two lines of code got reordered, so the
load of a possibly speculative value occurred _after_ it had been used,
and the speculative load barrier had no effect - Ubuntu regularly
backports fixes from the latest stable tree so we ended up affected as well
- Possible DoS (kernel crash) if users can write to /dev/kvm - by default
on Ubuntu users don’t have this privilege so generally not affected
- 2 different heap based buffer overflows in Marvell Wifi driver ->
occurred when setting parameters for the driver so could be triggered by
a local user -> crash, DoS or possible code execution
[USN-4161-1] Linux kernel vulnerability [07:40]
- 1 CVE addressed in Eoan
- Eoan kernel “0-day” - will discuss with Joe later
[USN-4162-1] Linux kernel vulnerabilities [07:58]
- 10 CVEs addressed in Trusty ESM (Azure), Xenial (HWE), Bionic
- SMB based buffer over-read if trying to mount a share with the version
specified as 3.0 but the share itself is version 2.10 -> parameter size
mismatch -> read of too much memory -> info disclosure
- UAF in RSI 91x Wi-Fi driver -> able to be triggered by a remote network
peer -> crash, DoS or possible RCE
- ptrace Spectre v1 reissue, KVM crash, Marvell Wifi driver issues from above
- USB audio issues from Episode 48 (Disco kernel -> now fixed in Bionic
kernel as well)
[USN-4163-1, USN-4163-2] Linux kernel vulnerabilities [09:29]
- 10 CVEs addressed in Xenial and Trusty ESM (HWE)
- Spectre v1 reissue, USB audio, KVM crash, Marvell and RSI 91x WiFi driver
issues all covered earlier
- Serial attached SCSI implementation mishandled error condition leading to
deadlock -> local user could possibly trigger this leading to a DoS
[LSN-0058-1] Linux kernel vulnerability [10:09]
- 22 CVEs addressed in Bionic and Xenial + Xenial (HWE)
- Almost all covered in previous episodes or earlier in this episode
- 2 high priority issues
Goings on in Ubuntu Security Community
Joe and Alex on Ubuntu 19.10 (Eoan Ermine) released but with possible local user kernel DoS bug [11:02]
Get in contact