Episode 115

Posted on Friday, May 14, 2021
This week we look at some details of the 90 unique CVEs addressed across the supported Ubuntu releases and more.

Show Notes


This week in Ubuntu Security Updates

90 unique CVEs addressed

[USN-4934-2] Exim vulnerabilities [00:41]

[USN-4937-1] GNOME Autoar vulnerability [01:00]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Directory traversal when extracting archives, due to symlinks not being handled properly - the result of an incomplete fix for the earlier CVE-2020-36241

[USN-4936-1] Thunderbird vulnerabilities [01:47]

  • 5 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • 78.8.1
  • If a PGP key was used but then a failure occurred, Thunderbird would keep the decrypted key in memory - on Ubuntu we enable the Yama ptrace restrictions (kernel.yama.ptrace_scope = 1 by default), which means a process may only ptrace its own descendants, so another process running as the same user cannot simply dump Thunderbird's memory to extract the private key (a process with CAP_SYS_PTRACE, i.e. root, still can, as can a process the target has explicitly allowed via PR_SET_PTRACER)
  • Various other CVEs inherited from Firefox
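As an added example (not from the podcast or from Ubuntu), the following Python script probes the Yama setting and checks the claim above directly: it forks a "victim" holding a stand-in secret in memory and a sibling "attacker" running as the same user, and has the attacker try PTRACE_ATTACH on the victim. The attacker is a sibling, not an ancestor, so with ptrace_scope = 1 the attach is refused with EPERM; with scope 0 (or no Yama) it succeeds, and a root attacker succeeds under scopes 1 and 2. The ptrace constants, the /proc path and the behaviour described are Linux-specific; the secret string and process roles are constructed for the demo.

```python
"""Probe Yama's ptrace_scope and test what a same-user sibling process can do."""
import ctypes
import ctypes.util
import errno
import os
import signal
import time

PTRACE_ATTACH = 16   # request numbers from <sys/ptrace.h> (Linux)
PTRACE_DETACH = 17
YAMA_SCOPE_PATH = "/proc/sys/kernel/yama/ptrace_scope"

SCOPE_MEANING = {
    0: "classic: any process may attach to another of the same uid",
    1: "restricted: only an ancestor (or a PR_SET_PTRACER-designated process) may attach",
    2: "admin-only: attach needs CAP_SYS_PTRACE",
    3: "no attach: PTRACE_ATTACH is disabled for everyone",
}


def read_ptrace_scope(path=YAMA_SCOPE_PATH):
    """Return the current Yama scope (0-3), or None if Yama is not present."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def try_attach(pid):
    """PTRACE_ATTACH to pid from the calling process.

    Returns 0 on success (after detaching again) or the errno the kernel raised.
    """
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.ptrace.restype = ctypes.c_long
    libc.ptrace.argtypes = [ctypes.c_long, ctypes.c_long,
                            ctypes.c_void_p, ctypes.c_void_p]
    if libc.ptrace(PTRACE_ATTACH, pid, None, None) == -1:
        return ctypes.get_errno()
    # Attach worked: the tracee is stopped; reap that stop, then release it again.
    os.waitpid(pid, 0)
    libc.ptrace(PTRACE_DETACH, pid, None, None)
    return 0


def sibling_attach_result():
    """Fork a victim and a sibling attacker; return the attacker's errno (0 = attach succeeded)."""
    victim = os.fork()
    if victim == 0:
        secret = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"  # constructed stand-in for a decrypted key left in RAM
        time.sleep(30)          # stay alive (holding `secret`) until the parent kills us
        os._exit(0)
    attacker = os.fork()
    if attacker == 0:
        # Same uid as the victim, but a sibling: not an ancestor, not PR_SET_PTRACER-designated.
        os._exit(try_attach(victim))   # errno values are small enough for an exit status
    _, status = os.waitpid(attacker, 0)
    os.kill(victim, signal.SIGKILL)
    os.waitpid(victim, 0)
    return os.WEXITSTATUS(status)


if __name__ == "__main__":
    scope = read_ptrace_scope()
    print("ptrace_scope:", scope, "-", SCOPE_MEANING.get(scope, "Yama not available"))
    result = sibling_attach_result()
    print("sibling PTRACE_ATTACH:",
          "succeeded" if result == 0 else errno.errorcode.get(result, result))
```

Run it as an unprivileged user on a stock Ubuntu install and the attach is refused; run it with `sudo sysctl kernel.yama.ptrace_scope=0` first (or as root) and it succeeds, which is exactly the gap the Thunderbird fix closes at the application layer.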

[USN-4938-1] Unbound vulnerabilities [03:21]

[USN-4939-1] WebKitGTK vulnerabilities [03:48]

[USN-4940-1] PyYAML vulnerability [04:12]

  • 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10)
  • RCE when processing untrusted YAML with the FullLoader - due to an incomplete fix for the earlier CVE-2020-1747 - that CVE was not specifically patched in Ubuntu as the versions of PyYAML were either too old to be affected (no FullLoader at all) or based on upstream releases that had already patched it
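The practical point for anyone consuming YAML in Python is that the loader, not the input, decides whether parsing can run code. The added example below (not PyYAML's code or anything from the podcast) feeds one constructed `python/object/apply` payload, which invokes `subprocess.check_output(["echo", "pwned"])`, to the unsafe loader, to `safe_load`, and to the FullLoader whose escapes were CVE-2020-1747 and CVE-2020-14343. It assumes PyYAML 5.1 or later (for `UnsafeLoader`/`FullLoader`) on a POSIX host with `echo`; what `probe_full_loader` reports depends on the installed version, which is precisely the incomplete-fix history.

```python
"""Untrusted YAML in PyYAML: the loader decides whether the document can execute code."""
import yaml

# Constructed attacker-controlled document: the tag tells the loader to import
# `subprocess` and call check_output(["echo", "pwned"]) while building the object.
PAYLOAD = """
!!python/object/apply:subprocess.check_output
- ["echo", "pwned"]
"""


def load_with_unsafe_loader(text):
    """yaml.load() with UnsafeLoader (the behaviour of a bare yaml.load(text) on
    PyYAML < 5.1): python/* tags are honoured, so parsing runs the command."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_safely(text):
    """yaml.safe_load: plain YAML types only; python/* tags raise ConstructorError.

    Returns ("ok", data) or ("rejected", reason) so callers can log the attempt."""
    try:
        return ("ok", yaml.safe_load(text))
    except yaml.constructor.ConstructorError as exc:
        return ("rejected", exc.problem)


def probe_full_loader(text):
    """FullLoader was meant as the 'full YAML but no code' middle ground, and both
    CVE-2020-1747 and CVE-2020-14343 were escapes from it. Reports what the
    installed PyYAML actually does with the payload: 'executed' or 'rejected'."""
    try:
        yaml.load(text, Loader=yaml.FullLoader)
        return "executed"
    except yaml.constructor.ConstructorError:
        return "rejected"


if __name__ == "__main__":
    print("UnsafeLoader:", load_with_unsafe_loader(PAYLOAD))   # the command runs
    print("safe_load:   ", load_safely(PAYLOAD))               # rejected at the tag
    print("FullLoader:  ", probe_full_loader(PAYLOAD), "on PyYAML", yaml.__version__)
```

For untrusted input `yaml.safe_load` is the only choice that does not depend on the PyYAML version being current; use `yaml.load(..., Loader=yaml.FullLoader)` only for data you would be willing to `pickle.load`.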

[USN-4941-1] Exiv2 vulnerabilities [04:35]

  • 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • EXIF/IPTC/XMP metadata manipulation library and command-line tool
  • Heap buffer overflows and an out-of-bounds read reachable only when writing metadata - so unlikely to be triggered by applications that merely read or extract metadata
  • Heap buffer overflow when handling EXIF data in JPEG images

[USN-4942-1] Firefox vulnerability [05:09]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • 88.0.1
  • Race condition on destruction of WebRender components leading to a use-after-free -> possible RCE

[USN-4943-1] XStream vulnerabilities [05:32]

[USN-4944-1] MariaDB vulnerabilities [06:04]

  • Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • Latest upstream point releases rolling in a large number of security fixes:
    • Ubuntu 18.04 LTS has been updated to MariaDB 10.1.48.
    • Ubuntu 20.04 LTS has been updated to MariaDB 10.3.29.
    • Ubuntu 20.10 has been updated to MariaDB 10.3.29.
    • Ubuntu 21.04 has been updated to MariaDB 10.5.10.
    • Thanks to Otto Kekäläinen from the MariaDB foundation for contributing and preparing these updates

[USN-4945-1] Linux kernel vulnerabilities [06:33]

[USN-4946-1] Linux kernel vulnerabilities

[USN-4947-1] Linux kernel (OEM) vulnerabilities

[USN-4948-1] Linux kernel (OEM) vulnerabilities

[USN-4949-1] Linux kernel vulnerabilities

[USN-4950-1] Linux kernel vulnerabilities

  • 3 CVEs addressed in Hirsute (21.04)
  • 5.11
  • Plus a CAN ISOTP race condition - discovered by Norbert Slusarek (a high school student in Germany) - local privilege escalation
    • Introduced via the recent broadcast mode support (normally a CAN ISOTP socket binds to a particular CAN ID and only receives those frames) - this was only in the 5.11 kernel so only Hirsute was affected - the broadcast support has been removed from the Hirsute kernel until a proper fix lands upstream

[USN-4951-1] Flatpak vulnerability [10:16]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • File forwarding issue which could allow a malicious app to access files that the permissions granted to it would not normally provide
  • The app could place the special file-forwarding tokens in the Exec line of its own desktop file to trick the flatpak runtime into providing access to a file as though the user had explicitly opened it with the app
    • snapd generates desktop files itself so is less likely to be affected by this sort of issue - less untrusted input in general (but perhaps also less flexible)
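To make the mechanism concrete: flatpak's `--file-forwarding` treats arguments between a pair of `@@` markers as paths (and `@@u` ... `@@` as URIs) that the user chose to open with the app, and it is flatpak itself that writes those markers into the Exec= line when it exports an app's desktop file. A desktop file that already contains them as shipped by the app is therefore asking for access the user never granted. The added example below (not flatpak's own code, and not the upstream fix) is the pre-export check a packager or reviewer could run: it parses the `[Desktop Entry]` Exec= line and reports any forwarding markers and the arguments wrapped between them. Both sample desktop files are constructed for the example.

```python
"""Flag file-forwarding tokens in an app-supplied .desktop file before export."""
import configparser
import shlex

FORWARDING_TOKENS = {"@@", "@@u"}   # flatpak run --file-forwarding markers (paths / URIs)

# Constructed: what a well-behaved app ships. flatpak rewrites Exec= on export,
# adding `flatpak run ... --file-forwarding APP @@u %U @@` itself.
BENIGN = """\
[Desktop Entry]
Type=Application
Name=Notes
Exec=notes %U
"""

# Constructed: an Exec= line that smuggles a forwarding block around a path the
# user never opened with this app.
MALICIOUS = """\
[Desktop Entry]
Type=Application
Name=Notes
Exec=notes @@ /home/user/.ssh/id_ed25519 @@ %U
"""


def exec_argv(desktop_text):
    """Return the Exec= line of the [Desktop Entry] group split into argv.

    Desktop-file quoting is close enough to POSIX shell quoting for shlex here;
    keys are case-sensitive and only '=' separates key from value."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None,
                                      delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str
    cp.read_string(desktop_text)
    exec_line = cp.get("Desktop Entry", "Exec", fallback="")
    return shlex.split(exec_line)


def forwarding_tokens_in(desktop_text):
    """List every file-forwarding marker present in an app-provided Exec= line.

    An empty list means the file is fine to export; anything else should be
    rejected, since only flatpak's exporter is supposed to add these."""
    return [tok for tok in exec_argv(desktop_text) if tok in FORWARDING_TOKENS]


def smuggled_arguments(desktop_text):
    """Arguments the Exec= line tries to get forwarded: everything between an
    opening `@@`/`@@u` and the closing `@@`. Empty list means nothing smuggled."""
    found, inside = [], False
    for tok in exec_argv(desktop_text):
        if tok in FORWARDING_TOKENS:
            inside = not inside      # opener switches on, the closing @@ switches off
            continue
        if inside:
            found.append(tok)
    return found


if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, "->", forwarding_tokens_in(text), smuggled_arguments(text))
```

The check is deliberately strict: a legitimate, not-yet-exported desktop file has no reason to mention `@@` or `@@u` at all, so any hit is a reject rather than something to inspect further.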

Goings on in Ubuntu Security Community

Hiring [11:47]

Linux Cryptography and Security Engineer

Security Engineer - Ubuntu

Get in contact