Episode 52

Overview

This week we look at security updates for FreeTDS, HAProxy, Nokogiri, plus some regressions in Whoopsie, Apport and Firefox, and Joe and Alex discuss the release of 14.04 ESM for personal use under the Ubuntu Advantage program.

This week in Ubuntu Security Updates

9 unique CVEs addressed

[USN-4171-2] Apport vulnerabilities [00:44]

• 5 CVEs addressed in Trusty ESM
  • CVE-2019-15790
  • CVE-2019-11485
  • CVE-2019-11483
  • CVE-2019-11482
  • CVE-2019-11481
• Episode 51

[USN-4172-1, USN-4172-2] file vulnerability [00:58]

• 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • CVE-2019-18218
• OSS-Fuzz using libFuzzer - heap based buffer overflow of up to 4 bytes in the CDF parser when handing vector elements - Composite Document File - used in MS Office prior to new zipped XML format - ie. the old .doc / .xls etc

[USN-4173-1] FreeTDS vulnerability [01:48]

• 1 CVEs addressed in Bionic, Disco, Eoan
  • CVE-2019-13508
• Felix Wilhelm for Google Security Team - if a server were to downgrade the protocol to version 5 and send a UDT type to the client, would cause a heap buffer overflow due to mismatch in size - fixed by forcing the size to an appropriate value

[USN-4170-2, USN-4170-3] Whoopsie regressions [02:22]

• Affecting Xenial, Bionic, Disco, Eoan
• Episode 51 - update caused crash on upload to server due to mismatch in size and resulting partial uninitialized variable - fixed to intialize but realised this could still potentially crash on big-endian architectures so fixed properly by changing size to 32-bit to match memcpy()

[USN-4171-3, USN-4171-4] Apport regression [04:07]

• 5 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
  • CVE-2019-15790
  • CVE-2019-11485
  • CVE-2019-11483
  • CVE-2019-11482
  • CVE-2019-11481
• Episode 51 - regression due to missing change to python code to handle new internal API - fixed by updating the API to be backwards compatible

[USN-4174-1] HAproxy vulnerability [04:55]

• 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • CVE-2019-18277
• HTTP Request Smuggling attack
  • https://nathandavison.com/blog/haproxy-http-request-smuggling
• Wouldn’t reject messages that specified transfer-encoding without “chunked” value
• Could be combined with http reuse for request smuggling - ie. the ability to get an attacker controlled chunk appended to a legitimate request and hence the response sent back to the attacker etc - fixed to reject if transfer-encoding is used without also specifying “chunked”

[USN-4175-1] Nokogiri vulnerability [06:36]

• 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • CVE-2019-5477
• Ruby based parser for HTML/XML/SAS etc with XPath & CSS selector support etc
• Command-injection vulnerability - due to use of the Rexical gem - and would need to have code which then calls the undocumented load_file method within the CSS tokenizer with user supplied input for the filename - due to use of eval()…

[USN-4165-2] Firefox regressions [07:38]

• Affecting Xenial, Bionic, Disco, Eoan
• Upstream Firefox 70.0.1 release to fix a regression in the 70.0 release (some pages with dynamic javascript would fail to load - v 70.0 had enabled a new next-gen local storage feature which caused issues so this is now disabled by default)

Goings on in Ubuntu Security Community

Alex and Joe discuss news that 14.04 ESM is free for personal use via new UA client [08:19]

• https://ubuntu.com/blog/ua-services-deployed-from-the-command-line-with-ua-client
• https://ubuntu.com/esm
• https://wiki.ubuntu.com/SecurityTeam/ESM/14.04

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter