Episode 117

Posted on Friday, May 28, 2021
This week we’re talking about moving IRC networks plus security updates for Pillow, Babel, Apport, X11 and more.

Show Notes


This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-4963-1] Pillow vulnerabilities [00:55]

[USN-4962-1] Babel vulnerability [01:31]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • Internationalisation handling for Python apps
  • Directory traversal flaw - could be exploited to load arbitrary locale .dat files - these contain serialized Python objects, hence arbitrary code execution as a result
  • Could use a relative path to specify a file outside the locale-data directory
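As an added illustration of the locale-data traversal described above (example code, not Babel's own; the base directory, the `.dat` naming and the identifier pattern are assumptions), a naive locale-path join beside a hardened one that refuses any name resolving outside the data directory:

```python
import os
import re

# Assumed base directory for locale .dat files (not Babel's real layout).
LOCALE_DIR = "/usr/share/locale-data"

# Assumed shape of a locale identifier: "en", "en_US", "zh_Hant_TW".
_LOCALE_RE = re.compile(r"[A-Za-z]{2,3}(_[A-Za-z0-9]{1,8})*")


def unsafe_locale_path(name):
    # Vulnerable pattern: the caller-supplied name is joined straight onto
    # the base directory, so "../../tmp/evil" (or an absolute path, which
    # os.path.join simply adopts) points outside LOCALE_DIR.
    return os.path.join(LOCALE_DIR, "%s.dat" % name)


def safe_locale_path(name):
    # Hardened: accept only identifier-shaped names, then confirm that the
    # normalised path is still beneath LOCALE_DIR before anything is opened
    # (or unpickled) from it.
    if not _LOCALE_RE.fullmatch(name):
        raise ValueError("invalid locale identifier: %r" % name)
    base = os.path.abspath(LOCALE_DIR)
    path = os.path.abspath(os.path.join(base, "%s.dat" % name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("locale path escapes data directory: %r" % name)
    return path


def escapes_dir(name):
    # Detection helper: does the naive join land outside LOCALE_DIR?
    base = os.path.abspath(LOCALE_DIR)
    resolved = os.path.abspath(unsafe_locale_path(name))
    return os.path.commonpath([base, resolved]) != base


if __name__ == "__main__":
    for candidate in ("en_US", "../../tmp/evil", "/etc/passwd"):
        print(candidate, "escapes" if escapes_dir(candidate) else "ok")
```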

[USN-4964-1] Exiv2 vulnerabilities [02:25]

  • 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CLI util and library (C++) for reading and modifying metadata in image files - more Exiv2, last seen only in Episode 115
  • OOB reads on metadata write
  • heap buffer overflow on metadata write
  • quadratic complexity algorithm on metadata write - DoS
  • stack info leak on metadata read

[USN-4965-1, USN-4965-2] Apport vulnerabilities [03:19]

  • 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • Seems it’s time for more Apport vulns - every quarter or so
  • Arbitrary file read / write vulns discovered by Maik Münch
  • Apport parses various details out of /proc, some of which can be crafted by the crashing process (process name, current working dir etc.), and then goes on to gather files - so if those details can be crafted it can be made to read files which weren't intended, via symlinks etc. (mitigated by symlink protections in Ubuntu), or via injection of data into say dpkg queries to get it to include other files like /etc/passwd, since this operation happens as root in apport
  • These end up in the crash dump, which can be read by the regular user
  • Also when uploading via whoopsie, a race condition where the crash dump can be replaced by a symlink, after which the crash dump will be written to the destination of the symlink - file write vuln - but again mitigated by symlink restrictions

[USN-4966-1, USN-4966-2] libx11 vulnerability [05:57]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • When looking up a color, failed to properly validate it - an app could then get extra X protocol requests sent to the X server, i.e. could disable X server authorisation etc. so remote attackers could connect to the local X server and snoop on inputs etc.

Goings on in Ubuntu Security Community

#ubuntu-hardened -> #ubuntu-security on Libera.Chat [06:45]

Get in contact