Episode 123
Posted on Friday, Jul 9, 2021
Is npm audit more harm than good? Plus this week we look at security
updates for DjVuLibre, libuv, PHP and more.
Show Notes
Overview
Is npm audit more harm than good? Plus this week we look at security updates for DjVuLibre, libuv, PHP and more.
This week in Ubuntu Security Updates
8 unique CVEs addressed
[USN-4905-2] X.Org X Server vulnerability [00:42]
- 1 CVEs addressed in Trusty ESM (14.04 ESM)
- Episode 112 - Local user (X client) could crash the server via Xinput extension and ChangeFeedbackControl request - integer underflow -> heap buffer overflow
[USN-5005-1] DjVuLibre vulnerability [01:26]
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- OOB write via crafted djvu file -> crash -> DoS, RCE
[USN-5007-1] libuv vulnerability [01:53]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Async event handling library - used by nodejs and others - supports async handling TCP/UDP sockets, DNS resolution, file system operations etc
- OOB read when converting strings to ASCII -> can be triggered via calls to uv_getaddrinfo() which are done by clients who handle TCP/UDP sockets async (ie nodejs, Julia,, BIND etc)
[USN-5006-1] PHP vulnerabilities [03:04]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- UAF in PHAR archive handling - generally these are trusted so low impact
- mishandling of URLs with embedded passwords - unspecified impact but could misparse the URL and cause unwanted behaviour
- Mishandling of XML when processing SOAP server responses -> NULL ptr deref (so malicious server could trigger a crash) -> DoS
- Ability to bypass Sever Side Request Forgery (SSRF) protections in FILTER_VALIDATE_URL