This week we check on the status of the pending GRUB2 Secure Boot updates
and detail some open positions within the team, plus we look at security
updates for GLib, zstd, Go, Git and more.
Show Notes
This week in Ubuntu Security Updates
7 unique CVEs addressed
[USN-4757-2] wpa_supplicant and hostapd vulnerability [00:45]
Episode 104 - upstream patch caused a regression such that folders within
the archive may fail to be extracted - once noticed and fixed by upstream
we have now included this too
Possible integer overflow when allocating memory due to an implicit cast
from a 64-bit long to a 32-bit int - the g_memdup() function takes a
32-bit int argument but is called by g_bytes_new(), which takes a 64-bit
gsize argument. This ends up allocating much less memory than expected,
and a buffer overflow can occur later when the data is copied into that
allocation.
Since g_memdup() is a public API, can’t just change it to take a gsize as
argument since this would break the ABI - so instead added g_memdup2()
and converted internal callers to use this - but other applications
should think about porting to this new API to avoid this sort of issue
(and audit their own code to check they don’t have similar implicit
integer overflow issues)
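The narrowing described above, as an added example for auditing your own callers (this is not GLib's code): dup32() is a hypothetical stand-in for an API with a 32-bit size parameter, dup_checked() is a hypothetical caller-side guard, and the oversized length is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical duplicator with a 32-bit size parameter, standing in for
 * the g_memdup() signature described above. Not GLib code. */
static void *dup32(const void *src, uint32_t n)
{
    void *p;
    if (src == NULL || n == 0)
        return NULL;
    p = malloc(n);
    if (p != NULL)
        memcpy(p, src, n);
    return p;
}

/* The size the 32-bit callee actually receives after implicit narrowing. */
uint32_t size_seen_by_callee(uint64_t caller_size)
{
    return (uint32_t)caller_size;   /* high 32 bits silently dropped */
}

/* Caller-side guard for code that still has to call the 32-bit API:
 * refuse any length that would not survive the narrowing. */
void *dup_checked(const void *src, uint64_t n)
{
    if (n > UINT32_MAX)
        return NULL;
    return dup32(src, (uint32_t)n);
}

int main(void)
{
    uint64_t claimed = (1ULL << 32) + 16;   /* constructed sample length */
    char small[8] = "abcdefg";
    char *copy = dup_checked(small, sizeof small);

    printf("caller asked for %llu bytes, callee sees %u\n",
           (unsigned long long)claimed, (unsigned)size_seen_by_callee(claimed));
    printf("guarded call with oversized length: %s\n",
           dup_checked(small, claimed) == NULL ? "refused" : "allocated");
    printf("guarded call with 8 bytes: %s\n", copy ? copy : "(null)");
    free(copy);
    return 0;
}
```

Compiling callers with -Wconversion flags this kind of implicit 64-bit to 32-bit narrowing at build time.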
Files were created with default permissions - so this was patched to call
chmod() so that only the owner could read/write them
But this introduced a race condition where the file initially still has
the default permissions, so a different user could potentially access it
during that time until the chmod() call is made - so this was deemed an
incomplete fix for the first CVE and a second CVE was allocated for the
incomplete fix. The fix was instead changed to set umask() before creating
the file in the first place so permissions get set properly at creation
Possible XSS issue in the CGI and FastCGI implementations since Go would
treat non-HTML data as HTML and so would return a text/html content-type,
which would then be served as such by the webserver even if the data had
been uploaded with a different content type
Thanks to Dariusz Gadomski from SEG team for preparing these fixes (since
these versions of golang are in universe on these Ubuntu releases)
Possible code execution by the local git client when cloning a malicious
remote repository - the local client would need a git filter to be
installed - like Git LFS - and would have to be on a case-insensitive
file-system - so this would be a more common scenario for Windows users
but is unlikely to affect Linux users - patched anyway
Goings on in Ubuntu Security Community
GRUB2 updates still in progress [08:54]
Still being tested internally by our hardware certification lab and
others and some minor tweaks being made, plus shim devel work is still
ongoing, thanks to Dimitri John Ledkov from Foundations team for handling
that work, as well as all the one-grub work too