Overview
Dr. Levi Perigo is our special guest this week to discuss SDN and NFV with
Joe, plus Alex does the weekly roundup of security updates, including
Ghostscript, Squid, Apport, Whoopsie, libvirt and more.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-4444-1] WebKitGTK vulnerabilities [00:48]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Various issues in web / JS engines - remote attacker with a malicious
website could cause XSS, DoS, RCE etc
[USN-4445-1] Ghostscript vulnerability [01:22]
- 1 CVE addressed in Focal (20.04 LTS)
- Integer overflow via the `rsearch` operator - could allow overriding file
access controls and hence getting code execution as the user who is viewing /
processing the PS file - only affects the most recent versions
[USN-4446-1] Squid vulnerabilities [02:24]
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- Jeriko One & Kristoffer Danielsson - incorrect cache handling -> cache
injection attacks. Incorrect URN / URL handling -> bypass access / rule
checks. Input validation failure -> crash, DoS
[USN-4298-2] SQLite vulnerabilities [03:07]
- 6 CVEs addressed in Trusty ESM (14.04 ESM)
- Episode 66
[USN-4447-1] libssh vulnerability [03:27]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- Under low memory conditions, could fail to allocate a buffer, would
result in a NULL pointer dereference and hence crash
[USN-4448-1] Tomcat vulnerabilities [04:01]
- 3 CVEs addressed in Xenial (16.04 LTS)
- Infinite loop if sent a WebSocket frame with an invalid payload length ->
DoS if then sent multiple requests
[USN-4449-1] Apport vulnerabilities [04:23]
- 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- 2 from Ryota Shiga:
  - Failed to drop privileges correctly when invoking gdbus to determine if
    the user is closing their session -> would be invoked with root group
    privileges and using the environment of the user - they could override
    the DBUS_SESSION_BUS_ADDRESS environment variable, causing gdbus to
    connect to a spoofed dbus server and in the process to read a 16-byte
    nonce from a file of their choosing - allows reading arbitrary files
    that are 16 bytes in length
  - TOCTOU issue when handling a crash dump - if the process PID gets recycled
    apport could include the wrong process's details in a crash dump that
    is then readable by other users - fixed to check that the process start
    time is before the time apport itself was invoked
- 1 from Seong-Joong Kim
  - Unhandled exception when parsing the user's preferences configuration file
    -> crash, DoS
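The PID-recycling fix described above (only trust a PID whose process started before the crash handler itself was invoked) can be checked with the data Linux already exposes. The following is an added example, not Apport's own code: it parses the `starttime` field of `/proc/<pid>/stat` and the `btime` line of `/proc/stat`, converts the start time to an epoch timestamp, and rejects any process that started after the handler. The sample `/proc` contents, the PID and the timestamps are constructed for the demonstration.

```python
"""Guard against PID recycling when collecting crash data (added example)."""
import os
import time

# /proc/<pid>/stat: field 1 is the pid, field 2 is "(comm)", field 22 is
# starttime in clock ticks since boot.  comm may contain spaces and
# parentheses, so the line is split on the LAST ')' and fields 3.. follow.
STARTTIME_FIELD = 22
FIRST_FIELD_AFTER_COMM = 3


def parse_starttime_ticks(stat_line: str) -> int:
    """Return the starttime field (clock ticks since boot) from a stat line."""
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    return int(rest[STARTTIME_FIELD - FIRST_FIELD_AFTER_COMM])


def parse_btime(proc_stat: str) -> int:
    """Return the boot time (seconds since the epoch) from /proc/stat text."""
    for line in proc_stat.splitlines():
        if line.startswith("btime "):
            return int(line.split()[1])
    raise ValueError("btime line missing from /proc/stat")


def process_start_epoch(stat_line: str, proc_stat: str, clk_tck: int) -> float:
    """Convert a process start time to seconds since the epoch."""
    return parse_btime(proc_stat) + parse_starttime_ticks(stat_line) / clk_tck


def pid_is_trustworthy(stat_line: str, proc_stat: str, clk_tck: int,
                       handler_start_epoch: float) -> bool:
    """True only if the process started before the handler was invoked.

    A recycled PID belongs to a process created later than the crash the
    handler is dealing with, so its start time lies after the handler's own
    invocation time and it is rejected.
    """
    return process_start_epoch(stat_line, proc_stat, clk_tck) <= handler_start_epoch


def live_check(pid: int, handler_start_epoch: float) -> bool:
    """Run the check against the real /proc on a Linux host (not used by tests)."""
    with open(f"/proc/{pid}/stat") as f:
        stat_line = f.read()
    with open("/proc/stat") as f:
        proc_stat = f.read()
    return pid_is_trustworthy(stat_line, proc_stat, os.sysconf("SC_CLK_TCK"),
                              handler_start_epoch)


# --- constructed sample data (not captured from a real system) -------------
SAMPLE_PROC_STAT = "cpu  1 2 3 4 5 6 7 0 0 0\nbtime 1700000000\nprocesses 500\n"
# starttime = 360000 ticks; at CLK_TCK=100 that is 3600 s after boot.
SAMPLE_STAT = ("4242 (my prog) S 1 4242 4242 0 -1 4194560 123 0 0 0 5 3 0 0 "
               "20 0 1 0 360000 12345 678")
# Same PID reused by a process that started 200 s later (starttime = 380000).
RECYCLED_STAT = ("4242 (other) S 1 4242 4242 0 -1 4194560 9 0 0 0 1 1 0 0 "
                 "20 0 1 0 380000 4321 99")
CLK_TCK = 100
HANDLER_STARTED = 1700003700.0  # handler invoked 100 s after the original start


if __name__ == "__main__":
    for label, line in (("original", SAMPLE_STAT), ("recycled", RECYCLED_STAT)):
        ok = pid_is_trustworthy(line, SAMPLE_PROC_STAT, CLK_TCK, HANDLER_STARTED)
        print(f"{label}: start={process_start_epoch(line, SAMPLE_PROC_STAT, CLK_TCK):.0f} "
              f"trusted={ok}")
```

The comparison uses the handler's own invocation time rather than the current clock, because a check against "now" would still accept a process that was recycled in the window between the crash and the handler starting.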
[USN-4450-1] Whoopsie vulnerabilities [07:24]
- 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- All 3 from Seong-Joong Kim
  - Crash when trying to process a crafted crash file (tries to allocate
    too large an amount of memory and crashes) -> DoS
  - Integer overflow in vendored bson library when parsing a crafted crash
    dump -> heap overflow -> crash, RCE
  - Memory leak when parsing crash dumps -> crafted report with many
    repeated key / value pairs -> OOM, crash -> DoS
[USN-4451-1] ppp vulnerability [09:18]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- Ubuntu specific patch - pppd is setuid root and would helpfully
modprobe the ppp_generic module when needed - but would not clear the
MODPROBE_OPTIONS environment variable and so this could be used to either
load other modules or read other files as root etc - fixed by removing
this functionality since it has not been needed for a long time, as
ppp_generic has been built into the kernel since 2012 (i.e. there is no
ppp_generic module to even load via modprobe)
[USN-4452-1] libvirt vulnerability [10:31]
- 1 CVE addressed in Focal (20.04 LTS)
- libvirt package sets up the libvirt socket via systemd - systemd unit
specifies a SocketMode=0666 so is world writable :( - fixed to ensure
systemd unit specifies this as only owner/group writable and ensures the
owner is root and group is libvirt
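The libvirt fix above is a one-line change to a systemd socket unit, but the same mistake is easy to repeat, partly because systemd's documented default for SocketMode is 0666 when the key is omitted. The added example below (not libvirt's or systemd's code) parses the `[Socket]` section of a unit file and reports a world-writable mode or an unexpected owner/group. The weak and corrected unit texts, the socket path and the expected group are constructed for the demonstration.

```python
"""Audit the [Socket] section of a systemd socket unit (added example)."""
from typing import Dict, List

# systemd.socket(5): SocketMode defaults to 0666 when not set.
SYSTEMD_DEFAULT_SOCKET_MODE = "0666"


def parse_socket_section(unit_text: str) -> Dict[str, str]:
    """Return key=value pairs from the [Socket] section (last value wins)."""
    section = None
    keys: Dict[str, str] = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Socket" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip()
    return keys


def audit_socket_unit(unit_text: str, expected_group: str) -> List[str]:
    """Return a list of findings; an empty list means the unit passes."""
    keys = parse_socket_section(unit_text)
    mode = int(keys.get("SocketMode", SYSTEMD_DEFAULT_SOCKET_MODE), 8)
    findings = []
    if "SocketMode" not in keys:
        findings.append("SocketMode not set; systemd default 0666 applies")
    if mode & 0o002:
        findings.append(f"socket is world-writable (mode {mode:04o})")
    if keys.get("SocketUser", "root") != "root":
        findings.append(f"SocketUser is {keys['SocketUser']}, expected root")
    if keys.get("SocketGroup", "root") != expected_group:
        findings.append(f"SocketGroup is {keys.get('SocketGroup', 'root')}, "
                        f"expected {expected_group}")
    return findings


# --- constructed unit files (placeholder socket path, not libvirt's) -------
WEAK_UNIT = """\
[Unit]
Description=Example daemon socket (constructed, weak)

[Socket]
ListenStream=/run/example/daemon.sock
SocketMode=0666
SocketUser=root
SocketGroup=exampled
"""

FIXED_UNIT = """\
[Unit]
Description=Example daemon socket (constructed, corrected)

[Socket]
ListenStream=/run/example/daemon.sock
SocketMode=0660
SocketUser=root
SocketGroup=exampled
"""

IMPLICIT_UNIT = """\
[Socket]
ListenStream=/run/example/daemon.sock
SocketGroup=exampled
"""

EXPECTED_GROUP = "exampled"


if __name__ == "__main__":
    for name, text in (("weak", WEAK_UNIT), ("fixed", FIXED_UNIT),
                       ("implicit", IMPLICIT_UNIT)):
        print(name, audit_socket_unit(text, EXPECTED_GROUP) or ["ok"])
```

The third unit shows the case worth remembering: leaving SocketMode out entirely is equivalent to writing 0666, so an audit that only greps for an explicit 0666 misses it.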
[USN-4432-2] GRUB2 regression [11:10]
- 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- Legacy BIOS systems - grub core (in MBR) and modules (in file-system)
could get out of sync if grub was not being installed onto the correct
disk (this was the case for some users with manually configured RAID
setups / particular cloud images etc) - fixed to just not do the grub
install on the update to ensure they don’t get out of sync (since these
vulnerabilities only are relevant to UEFI secure boot, no need for the
update in BIOS boot systems).
[USN-4441-2] MySQL regression [12:58]
- Affecting Focal (20.04 LTS)
- Compiler options changed upstream and this could affect other libraries /
apps which link against libmysqlclient - reverted this change since it is
not security relevant anyway
Goings on in Ubuntu Security Community
Joe talks SDN & NFV with Dr. Levi Perigo of the University of Colorado [13:28]
Get in contact