Episode 117

Posted on Friday, May 28, 2021
This week we’re talking about moving IRC networks plus security updates for Pillow, Babel, Apport, X11 and more.

Show Notes

Overview

This week we’re talking about moving IRC networks plus security updates for Pillow, Babel, Apport, X11 and more.

This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-4963-1] Pillow vulnerabilities [00:55]

[USN-4962-1] Babel vulnerability [01:31]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • Internationalisation handling for python apps
  • Directory traversal flaw - could be exploited to load arbitrary locale .dat files - these contain serialized Python objects - so hence can get arbitrary code execution as a result.
  • Could use relative path to specify a file outside the locate-data directory

[USN-4964-1] Exiv2 vulnerabilities [02:25]

  • 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CLI util and library (C++) for reading+modifying metadata in image files - more exiv2 - last only in Episode 115
  • OOB reads on metadata write
  • heap buffer overflow on m w
  • quadratic complexity algorithm on metadata write - DoS
  • stack info leak on m r

[USN-4965-1, USN-4965-2] Apport vulnerabilities [03:19]

  • 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • Seems it’s time for more Apport vulns - every quarter or so
  • Arbitrary file read / write vulns discovered by Maik M√ľnch
  • Apport parses various details out of /proc and some of these can be crafted by the process, ie process name, current working dir etc - and then goes to gather files etc - and so if can craft these details can get it to read files which weren’t intended via symlinks etc (mitigated by symlink protections in Ubuntu) - or from injection of data into say dpkg queries to get it to include other files like /etc/passwd since this operation happens as root by apport
  • These end up in the crash dump and this can be read by the regular user
  • Also when uploading via whoopsie, race condition where crash dump can be replaced by a symlink and then the crash dump will be written to the dest of the symlink - file write vuln - but again mitigated by symlink-restriction

[USN-4966-1, USN-4966-2] libx11 vulnerability [05:57]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • When looking up a color, failed to properly validate it - app could then get extra X protocol requests sent to the X server - ie. could then disable X server authorisation etc so remote attackers could connect to the local X server and snoop on inputs etc

Goings on in Ubuntu Security Community

#ubuntu-hardened -> #ubuntu-security on Libera.Chat [06:45]

Get in contact