Episode 15

Show Notes

Overview

Security updates for 29 CVEs including Perl, the kernel, OpenSSL (PortSmash) and more, plus in response to some listener questions, we discuss how to make sure you always have the latest security updates by using unattended-upgrades.

This week in Ubuntu Security Updates

29 unique CVEs addressed

[USN-3834-1, USN-3834-2] Perl vulnerabilities

• 4 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • CVE-2018-18314
  • CVE-2018-18313
  • CVE-2018-18312
  • CVE-2018-18311
• Perl regex engine fuzzed with valgrind to detect memory errors
  • 2 different heap based buffer overflow in regex engine
  • Heap-based read past end of buffer in regex engine
• Integer overflow from environment variables
  • uses untrusted input from environment variables (length of values to calculate memory to allocate)
  • heap buffer overflow

[USN-3835-1, USN-3836-1, USN-3836-2] Linux kernel vulnerabilities

• 6 CVEs addressed in Cosmic, 2 in Bionic and Xenial

  • CVE-2018-6559
  • CVE-2018-18955
  • CVE-2018-18653
  • CVE-2018-18445
  • CVE-2018-18281
  • CVE-2018-17972

• Episode 14 covered CVE-2018-6559 (overlayfs / user namespace directory names disclosure)

  • Also fixed for Bionic and Xenial

• Episode 12 covered CVE-2018-17972 (procfs kernel stack disclosure)

• 3 CVEs discovered by Jann Horn (and one inadvertently caused by Jann too)

  • mremap() system call - used to expand or shrink an existing memory mapping and possibly move it - doesn’t properly flush TLB - could leave pages in page cache for a short time which can then be raced to obtain access afterwards and possible DoS crash or information disclosure etc depending on target memory
  • Previous fix for CVE-2017-17852 (BPF verifier) discovered and also fixed by Jann, introduced a new vulnerability which would allow BPF programs to access memory out-of-bounds
  • Nested user namespaces with more than 5 UID or GID mappings could allow processes with CAP_SYS_ADMIN within the namespace to access resources outside the namespace as the kernel would get confused on which UID to check against outside the namespace
    • Also fixed in Bionic and Xenial

• Vulnerability specific to the Ubuntu kernel used in Cosmic (18.10)

  • 2 bugs discovered as a result of using the secure boot lockdown patchset
    • Module signatures not properly enforced for UEFI Secure Boot - we had enabled the option to do this via IMA but had not then included the IMA policy to ensure this was enforced
      • Fixed by turning off option to verify modules using IMA
    • Secondary kernel keyring (ie where UEFI MOK goes from shim - used by DKMS) not trusted - so modules signed with it wouldn’t work (except they do due to above)
      • Fixed to trust keys in secondary keyring for module signing

[USN-3837-1] poppler vulnerabilities

• 5 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • CVE-2018-19149
  • CVE-2018-19060
  • CVE-2018-19059
  • CVE-2018-19058
  • CVE-2018-16646
• NULL pointer dereference when PDF references an embedded file that does not actually exist (crash -> DoS)
• Possible infinite recursion - DoS
• Exit on abort - DoS
• 2 for pdfdetach - CLI util to list / extract embedded files from PDFs
  • Out of bounds read due to fail to validate embedded files
  • NULL pointer dereference if embedded file names are invalid

[USN-3811-3] SpamAssassin vulnerabilities

• 2 CVEs addressed in Precise ESM
  • CVE-2018-11781
  • CVE-2018-11780
• SpamAssassin was updated to latest version for Trusty, Xenial and Bionic previously (Episode 11)
• This is the corresponding update for Precise ESM

[USN-3838-1] LibRaw vulnerabilities

• 7 CVEs addressed in Trusty, Xenial, Bionic
  • CVE-2018-5816
  • CVE-2018-5815
  • CVE-2018-5813
  • CVE-2018-5812
  • CVE-2018-5811
  • CVE-2018-5810
  • CVE-2018-5807
• Few OOB read -> crash -> DoS
• NULL pointer dereference -> crash -> DoS
• Integer overflow -> infinite loop -> DoS
• Integer overflow -> divide by zero -> crash -> DoS
• Heap-based buffer overflow -> crash -> DoS (possible code execution?)

[USN-3839-1] WavPack vulnerabilities

• 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • CVE-2018-19841
  • CVE-2018-19840
• Infinite loop if WAV file specifies a sample rate of 0 - DoS
• OOB read of heap allocated buffer - crash -> DoS

[USN-3840-1] OpenSSL vulnerabilities

• 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • CVE-2018-5407
  • CVE-2018-0735
  • CVE-2018-0734
• PortSmash (Episode 11) - purported new Intel CPU side-channel vulnerability - but really more an issue in OpenSSL due to needing crypto code to be both constant time and execution flow independent of secret key
• Timing side-channels in ECDSA and DSA signature algorithms found by Samuel Weiser
  • Usual thing - variations in time-to-sign can be measured by attacker to recover private signing key

[USN-3831-2] Ghostscript regression

• Affecting Trusty, Xenial, Bionic, Cosmic
• Latest GS updates (Episode 14) -> regression
  • when converting PDFs via ghostscript, would crash when using FirstPage and LastPage options
  • used by imagemagick (convert) util and others
  • backported addition fix from upstream to resolve this regression

Goings on in Ubuntu Security Community

Feedback

• Question regarding how to ensure latest updates applied?
  • https://help.ubuntu.com/community/AutomaticSecurityUpdates
  • If regularly update system (apt upgrade / software updater etc) will already have latest security updates
  • Can make this automatic with unattended-upgrades
    • Is automatically installed and configured for Ubuntu 18.04 Bionic and newer to install new updates daily
    • If want to manually
      • sudo apt install unattended-upgrades
      • sudo dpkg-reconfigure unattended-upgrades
  • Canonical Livepatch Service
    • https://www.ubuntu.com/livepatch

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter