With 21 CVEs fixed this week we look at updates for Dnsmasq, Firefox,
OpenJDK and more, plus we discuss the recent release of Ubuntu 21.04 and
malicious commits in the upstream Linux kernel.
Show Notes
Overview
With 21 CVEs fixed this week we look at updates for Dnsmasq, Firefox,
OpenJDK and more, plus we discuss the recent release of Ubuntu 21.04 and
malicious commits in the upstream Linux kernel.
2 DoS issues, one possible OOB read -> crash, the other a trust issue
where for DNSSEC configurations could end up having dnsmasq prove the
non-existence of hostnames that actually exist - so again a DoS but not
in the traditional sense
Usual web issues plus a possible UAF in responsive design mode as well as
an issue in FTP client where specially crafted FTP URL (ie one containing
newlines) could embed FTP commands and cause the client to execute
arbitrary FTP commands to the server
FTP client in Firefox is deprecated and disabled by default now -
expected to be removed in a future release
Latest upstream point release to fix an issue where would fail to
properly verify signatures on crafted JARs - could bypass security
restrictions if a JAR is signed with an algorithm that is disabled
Code injection via template function due to failure to properly handle
untrusted input
Goings on in Ubuntu Security Community
Ubuntu 21.04 Hirsute Hippo Released [05:05]
Standard support release, supported for 9 months
Private home dirs
Kernel 5.11
Stack protector for RISC-V
Improved performance for Spectre mitigations via static calls
Initial support for memory tagging for ARM64
Will require support in glibc etc but this is an initial start to
providing improved protection against memory corruption vulns
OpenSSH 8.4
Improved support for FIDO/U2F keys for 2FA
Hypocrite commits and the upstream Linux kernel [07:38]
First came to light in November 2020 when one of the authors of a paper
from University of Minnesota tweeted about the acceptance of their paper
to IEEE S&P 2021 - this showed the first page of the paper and seemed to
indicate that for the purposes of academic research a number of malicious
commits (ie commits that when added to the kernel would create a
vulnerability) had been introduced into the upstream kernel.
Lots of blowback at the time amongst both kernel devs, other researchers
etc regarding both the ethics of effectively experimenting on subjects
without their consent and the concept of purposely introducing vulns just
for the sake of research purposes
The researchers claimed they followed these up with subsequent commits to
fix the vulns and so none actually would have made it to end users so
they thought it was effectively done
At this stage as a team we thought this was interesting but effectively
just demonstrating something that most folks in OSS always knew was a
potential reality - that once a contributor to a project builds a certain
level of trust it would be relatively easy to introduce vulns like this
in a stealthy manner and that the best defence would be better automated
review tooling (static/dynamic analysis via CI etc) rather than trying to
rely on human reviewers to detect
Issue again came to light recently when the paper was made available in
full and it was revealed that 3 malicious commits were potentially
integrated into the upstream kernel - actually only 1 was ACKed and then
this was rejected and the other 2 were rejected outright. Recently,
GregKH weighed in and effectively blacklisted all contributions from UMN
and proposed to revert all commits that had come from umn.edu authors
Not surprisingly, most of these were NOT malicious and so took careful
review by various developers to decide which should NOT be reverted as
lots of them did actually fix legitimate issues
Researchers then apologised and so only a few commits actually got
reverted as a result
In the end it highlights how OSS development is built on trust and how
this can be abused in either direction - tempting to jump to technical
solutions (ie better static analysis/CI etc) but this will never be
foolproof - also need the ability to move fast so can get say reverts
done and delivered to users, and also to build good relationships BUT in
the end need to still be wary - “trust but verify” - both on a technical
basis and also on a personal basis so we can better understand the
provenance of code etc