Overview
After a week's break we are back to look at updates for ClamAV, GnuTLS,
nginx, Samba and more, plus we briefly discuss the current 20.04 Mid-Cycle
Roadmap Review sprint for the Ubuntu Security Team.
This week in Ubuntu Security Updates
73 unique CVEs addressed
[USN-4230-1] ClamAV vulnerability [01:16]
- 1 CVE addressed in Xenial, Bionic, Disco, Eoan
- Backport of the latest upstream release (0.102.1) from focal
- CPU-based DoS when scanning crafted emails - in particular the parsing of
MIME components
[USN-4232-1] GraphicsMagick vulnerabilities [01:52]
- 11 CVEs addressed in Xenial
- Episode 57, Episode 55
- Heap based buffer over-reads - info leak or crash -> DoS
- Heap based buffer over-flow - crash -> DoS, RCE
- NULL ptr derefs - crash -> DoS
- Memory overallocation -> memory based remote DoS
[USN-4231-1] NSS vulnerability [03:04]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- UBSAN found a possible buffer overflow due to a failure to check the lengths
of inputs to various functions - so applications using libnss for crypto
could be vulnerable to a buffer overflow
[USN-4233-1] GnuTLS update [03:54]
- Affecting Xenial, Bionic
- Update marks SHA1 as untrusted for digital signature operations - SHA1
has been considered broken in theory for a while; in 2017 Google showed the
first practical SHA1 collision, and recently the first chosen-prefix
collision attack against SHA1 was demonstrated as well (SHA-mbles), shown
by creating a PGP key which can impersonate another
- As such GnuTLS will not trust SHA1 based digital signatures, since two
different signed inputs can now relatively easily be made to share a
signature (this is a collision attack, not a preimage attack, so an existing
signature over an arbitrary input still cannot be forged)
- As such libraries / applications which use GnuTLS (libsoup, Epiphany)
will no longer trust SHA1 based digital signatures either
- https://sha-mbles.github.io/
[USN-4234-1] Firefox vulnerabilities [06:10]
- 8 CVEs addressed in Xenial, Bionic, Disco, Eoan
- Latest upstream Firefox release (72.0.1)
- Usual sorts of issues fixed: DoS, info disclosure, bypass of Content
Security Policy restrictions, XSS, or execution of arbitrary code
[USN-4047-2] libvirt update vulnerability [06:48]
- 1 CVE addressed in Trusty ESM
- Episode 40 - libvirt was updated for the regular releases - various APIs
with side effects were reachable by read-only connections
- Now backported for 14.04 ESM users / customers as well
nginx vulnerability
- 1 CVE addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
- HTTP request smuggling (Episode 52) - allowed an attacker to read
unauthorized web pages where nginx is fronted by a load balancer, when used
with certain error_page configurations
[USN-4236-1, USN-4236-2] Libgcrypt vulnerability [08:03]
- 1 CVE addressed in Xenial, Bionic, Disco, Eoan
- ECDSA timing side-channel attack (Minerva)
- observing the timing of signature generation on known messages reveals the
bit-length of the random nonce (the scalar in the elliptic curve scalar
multiplication) - given enough signatures whose nonces are known to be short,
the full private key can be recovered using lattice techniques
- https://minerva.crocs.fi.muni.cz/
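The leak itself, in toy form, as an added example for these show notes (not Libgcrypt's code): a scalar multiplication whose loop runs once per bit of the nonce finishes earlier for nonces with leading zero bits, so signing time reveals the nonce's bit-length. The curve, base point and the use of a counted number of point operations in place of wall-clock time are constructed for illustration; the lattice step that turns many such observations into the private key is not shown.

```python
"""Minerva-style leak in toy form: a scalar multiplication whose loop runs
once per bit of the nonce leaks the nonce's bit-length through timing.
Added example, not Libgcrypt code; curve, base point and the counted
point-operation budget standing in for time are constructed."""

import secrets

# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6).
# Only the arithmetic matters here; the group is tiny and not secure.
P_MOD, A = 97, 2
G = (3, 6)
INF = None  # point at infinity


def _inv(x):
    return pow(x, P_MOD - 2, P_MOD)


def point_add(P, Q):
    """Affine addition/doubling. Its own early returns are not constant-time
    either; the demonstration is about the loop shape in the callers."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def leaky_mul(k, P):
    """Left-to-right double-and-add over exactly k.bit_length() bits.
    Returns (k*P, point operations performed). The op count, standing in for
    signing time, is bit_length(k) + popcount(k): a nonce with leading zero
    bits is visibly 'fast', which is the signal Minerva feeds into a lattice."""
    R, ops = INF, 0
    for i in range(k.bit_length() - 1, -1, -1):
        R = point_add(R, R)
        ops += 1
        if (k >> i) & 1:
            R = point_add(R, P)
            ops += 1
    return R, ops


def fixed_mul(k, P, nbits):
    """Always iterate nbits times and always perform both the double and the
    add, then select: the op count is 2*nbits regardless of k. (The select
    below still branches on a secret bit in Python; real code would use a
    constant-time conditional swap.)"""
    R, ops = INF, 0
    for i in range(nbits - 1, -1, -1):
        R = point_add(R, R)
        ops += 1
        T = point_add(R, P)
        ops += 1
        R = T if (k >> i) & 1 else R
    return R, ops


def sample_timings(nbits, n):
    """Draw n random nonces of up to nbits bits (constructed, not a real
    signing loop) and return (nonce, leaky_ops, fixed_ops) triples."""
    out = []
    for _ in range(n):
        k = secrets.randbits(nbits)
        out.append((k, leaky_mul(k, G)[1], fixed_mul(k, G, nbits)[1]))
    return out


if __name__ == "__main__":
    for k, leaky, fixed in sample_timings(8, 8):
        print(f"nonce={k:3d} bits={k.bit_length()} "
              f"leaky_ops={leaky:2d} fixed_ops={fixed}")
```

Running it shows `leaky_ops` tracking the nonce's bit-length while `fixed_ops` is constant; the fix that Libgcrypt and other libraries adopted for Minerva is along these lines, namely making the scalar multiplication's work independent of the nonce's leading zero bits.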
[USN-4237-1, USN-4237-2] SpamAssassin vulnerabilities [09:04]
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- DoS via excessive resource usage
- RCE via crafted configuration (.cf) files - advised to only use trusted
configuration files
[USN-4238-1] SDL_image vulnerabilities [09:55]
- 12 CVEs addressed in Xenial, Bionic
- Image loading library for SDL 1.2 (a low-level library used by various
games etc - provides common access to audio, input devices, graphics etc)
- Large C code-base - usual memory safety issues -> usual effects -> crash,
DoS or possible RCE
[USN-4239-1] PHP vulnerabilities [10:32]
- 4 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- 2 heap buffer over-reads when parsing EXIF information, 1 over-read in the
bcmath extension, and 1 issue with handling filenames with embedded NUL
bytes
[USN-4221-2] libpcap vulnerability [11:28]
[USN-4240-1] Kamailio vulnerability [11:42]
- 1 CVE addressed in Xenial
- SIP server written in C
- Heap based buffer overflow when receiving a specially crafted REGISTER
message
[USN-4241-1] Thunderbird vulnerabilities [11:59]
- 11 CVEs addressed in Bionic, Eoan
- Latest upstream release (68.4.1)
- Derived from the Firefox code-base so contains fixes for lots of issues
which also affected Firefox above
[USN-4225-2] Linux kernel (HWE) vulnerabilities [12:21]
- 15 CVEs addressed in Bionic
- Episode 58 - the eoan (19.10) 5.3 kernel is now used as the HWE kernel for
bionic (18.04 LTS)
[USN-4242-1] Sysstat vulnerabilities [13:07]
- 2 CVEs addressed in Xenial, Bionic, Disco, Eoan
- Both issues occur when reading a crafted input file using the sadf
utility - likely the original reporter was fuzzing this
- Double free - heap corruption, but on Ubuntu the glibc heap protector is
enabled so this is just a crash -> DoS
- Integer overflow -> heap buffer overflow when reading a crafted input file
[USN-4243-1] libbsd vulnerabilities [14:12]
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- Library providing common BSD C functions which are not available on Linux
(strlcpy() etc)
- OOB read (crash -> DoS)
- Off-by-one in fgetwln() (get a line of wide characters from a stream) ->
heap buffer overflow -> crash / RCE (fgetwln() doesn't appear to be used by
any software in Ubuntu)
[USN-4244-1] Samba vulnerabilities [15:15]
- 3 CVEs addressed in Xenial, Bionic, Disco, Eoan
- UAF in DNS zone scavenging in the AD DC
- Crash if it fails to convert characters at log level 3
- Does not automatically replicate ACLs which are set to inherit down a
subtree (unable to be easily backported to Xenial so only fixed on
Bionic, Disco and Eoan - instead can work around by manually replicating
ACLs from one DC to another for a given naming context)
[USN-4245-1] PySAML2 vulnerability [16:32]
- 1 CVE addressed in Xenial, Bionic, Disco, Eoan
- May fail to properly validate signatures in a specially crafted SAML
document by checking the signature against the wrong data - so could treat
a document as fully signed when only a part of it has been
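The check a service provider needs here, as an added example for these show notes (not PySAML2's code): the Assertion you are about to trust must be the very element the enveloped signature covers, otherwise a genuinely signed Assertion can be parked elsewhere in the Response and an unsigned one put in its place. The two XML documents below are constructed, and the cryptographic verification of the signature (digests, canonicalisation, key) is assumed to happen separately; only the "which element is actually signed?" binding is shown.

```python
"""Signature-to-element binding for SAML responses. Added example, not
PySAML2 code; the documents are constructed and cryptographic verification
of the signature itself is assumed to happen elsewhere."""

import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

XMLNS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"')

# Constructed: one Assertion carrying an enveloped signature over itself.
GOOD = f"""<samlp:Response {XMLNS}>
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed signature-wrapping variant: the genuinely signed Assertion is
# parked under Extensions with its bytes untouched (so its signature still
# verifies), and an attacker Assertion for 'admin' sits where the service
# provider looks, carrying a copy of the signature that still references "#_a1".
WRAPPED = f"""<samlp:Response {XMLNS}>
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_evil">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def _reference_uris(sig):
    return [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]


def naive_subject(xml_text):
    """The flawed pattern: find *a* signature, check its Reference resolves to
    *some* element with that ID, then consume the first top-level Assertion
    without tying the two together. Returns the NameID it would trust."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//ds:Signature", NS)
    if sig is None:
        return None
    uris = _reference_uris(sig)
    ids = {e.get("ID") for e in root.iter() if e.get("ID")}
    if not uris or uris[0][1:] not in ids:
        return None
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


def bound_subject(xml_text):
    """Hardened: the consumed Assertion must carry its own enveloped
    ds:Signature with exactly one Reference whose URI is '#' + its own ID.
    Anything else is rejected before the NameID is ever read."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return None
    own_id = assertion.get("ID")
    if own_id is None or _reference_uris(sig) != ["#" + own_id]:
        return None
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("wrapped", WRAPPED)):
        print(f"{name}: naive={naive_subject(doc)!r} bound={bound_subject(doc)!r}")
```

On the wrapped document the naive path hands back `admin` because the signature it verified covers a different element than the one it consumed, while the bound check returns nothing. In a real deployment the same binding has to be enforced by the XML signature library itself (verifying the element identified by the Reference URI and returning that element, not the one the caller happened to find), and the parser should be a hardened one rather than plain `xml.etree`, which is used here only to keep the example dependency-free.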
Goings on in Ubuntu Security Community
Mid cycle product roadmap sprint [17:18]
- Security team presents progress on plans for Ubuntu 20.04 Focal Fossa -
i.e. ESM offerings, AppArmor features, snapd security features, Ubuntu
Core security features, MIR security review progress etc
- Represented by Joe McManus, Mark Morlino, Chris Coulson and John Johansen
Get in contact