Episode 116

Show Notes

Overview

With 60 CVEs fixed across MySQL, Django, Please and the Linux kernel this week we take a look at some of these details, plus look at the recent announcement of 1Password for Linux and some open positions on the team too.

This week in Ubuntu Security Updates

60 unique CVEs addressed

[USN-4952-1] MySQL vulnerabilities [00:58]

• 33 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-2308
  • CVE-2021-2307
  • CVE-2021-2305
  • CVE-2021-2304
  • CVE-2021-2301
  • CVE-2021-2300
  • CVE-2021-2299
  • CVE-2021-2298
  • CVE-2021-2293
  • CVE-2021-2278
  • CVE-2021-2232
  • CVE-2021-2230
  • CVE-2021-2226
  • CVE-2021-2217
  • CVE-2021-2215
  • CVE-2021-2212
  • CVE-2021-2208
  • CVE-2021-2203
  • CVE-2021-2201
  • CVE-2021-2196
  • CVE-2021-2194
  • CVE-2021-2193
  • CVE-2021-2180
  • CVE-2021-2179
  • CVE-2021-2172
  • CVE-2021-2171
  • CVE-2021-2170
  • CVE-2021-2169
  • CVE-2021-2166
  • CVE-2021-2164
  • CVE-2021-2162
  • CVE-2021-2154
  • CVE-2021-2146
• Latest upstream point releases - includes both security and bug fixes and possibly incompatible changes etc
• MySQL has been updated to 8.0.25 in Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. Ubuntu 18.04 LTS has been updated to MySQL 5.7.34.

[USN-4932-2] Django vulnerability [01:37]

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
  • CVE-2021-31542
• Episode 114 - directory traversal via file upload

[USN-4953-1] AWStats vulnerabilities [01:56]

• 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2017-1000501
  • CVE-2020-35176
  • CVE-2020-29600
• A-W-Stats - Advanced Web Statistics - log analyzer etc
• Incomplete fix for old CVE-2017-1000501 - this itself was incomplete too - hence CVE-2020-35176
  • Could be used to read an arbitrary file on the webserver via the config parameter - and this could allow code execution as this was not sanitised properly

[USN-4954-1] GNU C Library vulnerabilities [03:00]

• 2 CVEs addressed in Xenial (16.04 LTS)
  • CVE-2009-5155
  • CVE-2020-6096
• ARMv7 specific issue - memcpy() undefined behaviour if a negative length were specified
• DoS (assertion failure + abort) via crafted regex - so should not be passing untrusted regular expressions to posix regex implementation

[USN-4628-3] Intel Microcode vulnerabilities [04:08]

• 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2020-8698
  • CVE-2020-8696
  • CVE-2020-8695
• Episode 96 - RAPL side-channel etc - corresponding update for some Xeon processors

[USN-4955-1] Please vulnerabilities [04:44]

• 3 CVEs addressed in Hirsute (21.04)
  • CVE-2021-31155
  • CVE-2021-31154
  • CVE-2021-31153
• sudo replacement written in rust
• Code analysis by Matthias Gerstner @ SuSE -
  • arbitrary file existence test and open (eg could open /dev/zero and consume memory -> OOM)
  • unsafe permissions for token directory - create world-writable - can allow an unprivileged user to get root privileges quite easily by creating their own token as though they had authenticated
  • pleaseedit uses predictable paths in /tmp - without symlink protections could allow a user to change ownership of arbitrary files as it would follow symlinks
• rust is not a panacea - not all vulnerabilities are memory corruption and writing setuid root binaries is always going to be challenging

[LSN-0077-1] Linux kernel vulnerability [07:04]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2021-3492
• shiftfs specific vuln reported via ZDI (found by Vincent Dehors) - Ubuntu carry this as an out-of-tree patch so doesn’t affect upstream kernel (used by LXD etc for UID mapping in containers)
• Failed to handle faults in copy_from_user() -> double-free or possible memory leak -> code execution/DoS

[USN-4956-1] Eventlet vulnerability [08:05]

• 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-21419
• Python eventlet (concurrent networking library)
• Used by a lot of other packages including openstack etc
• websocket peer could DoS via memory exhaustion by sending very large websocket frames

[USN-4957-1, USN-4957-2] DjVuLibre vulnerabilities [08:31]

• 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-3500
  • CVE-2021-32493
  • CVE-2021-32492
  • CVE-2021-32491
  • CVE-2021-32490
• document format alternative to pdf - for storing scanned documents etc
• c++ - memory corruption vulns
  • heap buffer overflow
  • oob write
  • stack buffer overflow
  • oob read
  • integer overflow
  • DoS/RCE

[USN-4958-1] Caribou vulnerability [09:27]

• Affecting Focal (20.04 LTS), Groovy (20.10)
• Caribou on-screen keyboard could crash if given crafted input - in some cases, this would then cause the screensaver to crash -> unauthenticated access to a desktop session
  • Thanks to Fabio Fantoni and Joshua Peisach (itzswirlz) from the Ubuntu community for preparing these updates

[USN-4959-1] GStreamer Base Plugins vulnerability [10:11]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-3522
• OOB read on crafted input since failed to properly check size -> DoS

[USN-4945-2] Linux kernel (Raspberry Pi) vulnerabilities [10:18]

• 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2021-30002
  • CVE-2021-29650
  • CVE-2021-29265
  • CVE-2021-28660
  • CVE-2021-28375
  • CVE-2021-28038
  • CVE-2020-25639
• Episode 115 - regular kernels for Ubuntu 20.04 / 18.04 LTS
• Update also for the raspi specific kernel build

Goings on in Ubuntu Security Community

1Password for Linux officially released [10:43]

• Episode 86 (August 2020) - beta was announced
• Now officially released, includes integration with browser extension to stay unlocked across both, use of regular desktop authentication to unlock as well - e.g. fingerprint / yubikey etc - both opt-in features.
• Great desktop integration, theme, clipboard, GNOME Keyring / KDE Wallet, kernel keyring, DBUS API, integration with system lock / idle etc
• Feature parity with Windows and MacOS clients PLUS extra features like Secure file attachment, Watchtower, item archiving / deletion, quick find and more
• Uses kernel keyring to store the key used to establish the connection between the browser and the desktop client
• Backend and lots of underlying libs written in Rust - UI is React
• Native packages for Ubuntu (Debian. CentOS, Fedora, RHEL)
• Snap

Hiring [13:56]

Linux Cryptography and Security Engineer

• https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

• https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter