Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 59

20 min • 23 januari 2020

Overview

After a weeks break we are back to look at updates for ClamAV, GnuTLS, nginx, Samba and more, plus we briefly discuss the current 20.04 Mid-Cycle Roadmap Review sprint for the Ubuntu Security Team

This week in Ubuntu Security Updates

73 unique CVEs addressed

[USN-4230-1] ClamAV vulnerability [01:16]

  • 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • Backport latest upstream release (0.102.1) from focal
  • CPU based DoS when scanning crafted emails - parsing of MIME components in particular

[USN-4232-1] GraphicsMagick vulnerabilities [01:52]

[USN-4231-1] NSS vulnerability [03:04]

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • UBSAN found possible buffer overflow due to failure to check lengths of inputs to various functions - so applications using libnss for crypto could be vulnerable to buffer overflow

[USN-4233-1] GnuTLS update [03:54]

  • Affecting Xenial, Bionic
  • Update marks SHA1 as being untrusted for digital signature operations - SHA1 has been broken in theory for a while and 2017 Google showed the first SHA1 collision - recently the first chosen-prefix attack was demonstrated against SHA1 as well - demonstrated by creating a GPG key which can impersonate another
  • As such GnuTLS will not trust SHA1 based digital signatures since these can relatively easily be forged now (but not for an arbitrary input)
  • As such libraries / applications which use GnuTLS (libsoup, Epiphany) will not trust SHA1 based digital signatures
  • https://sha-mbles.github.io/

[USN-4234-1] Firefox vulnerabilities [06:10]

[USN-4047-2] libvirt update vulnerability [06:48]

  • 1 CVEs addressed in Trusty ESM
  • Episode 40 libvirt updated for regular releases - various APIs which could cause effects were accessible to read-only users
  • Now backported for 14.04 ESM users / customers as well

[USN-4235-1, USN-4235-2] nginx vulnerability [07:18]

  • 1 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
  • HTTP request smuggling (Episode 52) - allowed attacker to read unauthorized web pages where nginx is being fronted by a load balanced when used with certain error_page configurations

[USN-4236-1, USN-4236-2] Libgcrypt vulnerability [08:03]

  • 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • ECDSA timing side-channel attack (Minerva)
    • observe timing of signature generation on known messages to indicate the bit-length of the random nonce scalar during scalar multiplication on an elliptic curve - full private key is able to be recovered using lattice techniques
  • https://minerva.crocs.fi.muni.cz/

[USN-4237-1, USN-4237-2] SpamAssassin vulnerabilities [09:04]

  • 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • DoS via excessive resource usage
  • RCE via crafted conf (CF) files - advised should only use trusted conf files

[USN-4238-1] SDL_image vulnerabilities [09:55]

[USN-4239-1] PHP vulnerabilities [10:32]

  • 4 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • 2 heap buffer over-reads in parsing EXIF information, 1 over-read in bcmath extension, and 1 issue with handling filenames with embedded NUL bytes

[USN-4221-2] libpcap vulnerability [11:28]

[USN-4240-1] Kamailio vulnerability [11:42]

  • 1 CVEs addressed in Xenial
  • SIP server written in C
  • Heap based buffer overflow when receiving a specially crafted REGISTER message

[USN-4241-1] Thunderbird vulnerabilities [11:59]

[USN-4225-2] Linux kernel (HWE) vulnerabilities [12:21]

[USN-4242-1] Sysstat vulnerabilities [13:07]

  • 2 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • Both issues occur when reading a crafted input file using the sadf utility - likely the original reported is fuzzing this
  • Double free - heap corruption but on Ubuntu we enable the glibc heap-protector so this is just a crash -> DoS
  • Integer overflow -> heap buffer overflow when reading crafted input file

[USN-4243-1] libbsd vulnerabilities [14:12]

  • 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • Library providing common BSD C functions which are not available on Linux (strlcpy() etc)
    • OOB read (crash -> DoS)
    • Off-by-one in fgetwln() (get line of wide characters from a stream) -> heap buffer overflow -> crash / RCE (doesn’t appear to be used by any software in Ubuntu)

[USN-4244-1] Samba vulnerabilities [15:15]

  • 3 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • UAF in DNS zone scavenging in AD DC
  • Crash if fail to convert characters at log level 3
  • Does not automatically replicate ACLs which are set to inherit down a subtree (unable to be easily backported to Xenial so only fixed on Bionic, Disco and Eoan - instead can workaround by manually replication ACLs from one DC to another for a given naming context)

[USN-4245-1] PySAML2 vulnerability [16:32]

  • 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • May fail to properly validate signatures in a particularly crafted SAML document by using the wrong data - so could assert a document has been fully signed when only a part of it has

Goings on in Ubuntu Security Community

Mid cycle product roadmap sprint [17:18]

  • Security team presents progress on plans for Ubuntu 20.04 Focal Fossa - ie. ESM offerings, AppArmor features, snapd security features, Ubuntu Core security features, MIR security reviews progress etc
  • Represented by Joe McManus, Mark Morlino, Chris Coulson and John Johansen

Get in contact

Kategorier
Förekommer på
00:00 -00:00