Episode 162

Posted on Friday, Jun 3, 2022
This week we cover security updates for dpkg, logrotate, GnuPG, CUPS, InfluxDB and more, plus we take a quick look at some open positions on the team - come join us!

Show Notes

This week in Ubuntu Security Updates

31 unique CVEs addressed

[USN-5446-1, USN-5446-2] dpkg vulnerability [00:42]

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Directory traversal vulnerability when extracting untrusted source packages
    • Debian source packages consist of two tarballs - orig and debian
    • orig is unpacked first and debian is then unpacked on top of it - if orig is crafted to contain a symlink pointing to a location outside the source tree, unpacking debian follows that symlink and so can overwrite arbitrary files outside the source directory
    • Only really a problem for Debian/Ubuntu developers who unpack untrusted source packages
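
The layered-extraction bug described above, as an added example (not dpkg code): a first tarball plants a symlink out of the tree, a second tarball writes through it, and a guarded extractor resolves every destination and refuses anything that leaves the target directory. Both tarballs are constructed in memory, the source layout is simplified (no top-level `pkg-1.0/` prefix inside the tarballs), and a temp directory stands in for the outside location.

```python
"""Symlink-following write during layered tarball extraction, next to an extractor that
resolves each path and refuses anything leaving the destination.
Added example, not dpkg code; tarballs and the 'outside' directory are constructed."""
import io
import os
import tarfile
import tempfile


class EscapeError(Exception):
    pass


def build_tar(entries):
    """In-memory tarball from (name, kind, payload); kind is 'dir', 'symlink' or 'file'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type, info.mode = tarfile.DIRTYPE, 0o755
                tf.addfile(info)
            elif kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tf.addfile(info)
            else:
                data = payload.encode()
                info.size, info.mode = len(data), 0o644
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _write_member(tf, m, path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if m.isdir():
        os.makedirs(path, exist_ok=True)
    elif m.issym():
        os.symlink(m.linkname, path)
    else:
        with open(path, "wb") as fh:          # open() follows a symlink already at this path
            fh.write(tf.extractfile(m).read())


def naive_extract(tar_bytes, dest):
    """Unpacks on top of whatever is already in dest, trusting every path."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf.getmembers():
            _write_member(tf, m, os.path.join(dest, m.name))


def _inside(root, candidate):
    return os.path.commonpath([root, os.path.realpath(candidate)]) == root


def guarded_extract(tar_bytes, dest):
    """Same writes, but each destination is resolved (following any symlink planted by an
    earlier tarball) and symlink targets are checked; anything outside dest is refused."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf.getmembers():
            path = os.path.join(dest, m.name)
            if not _inside(root, path):
                raise EscapeError(f"{m.name} resolves outside {root}")
            if m.issym() and not _inside(root, os.path.join(os.path.dirname(path), m.linkname)):
                raise EscapeError(f"symlink {m.name} -> {m.linkname} points outside {root}")
            _write_member(tf, m, path)


def demo():
    """Returns (content of the outside file after naive extraction, guarded verdict on the
    debian tarball once the orig symlink is in place, guarded verdict on orig itself)."""
    with tempfile.TemporaryDirectory() as work:
        outside = os.path.join(work, "outside")
        os.makedirs(outside)
        victim = os.path.join(outside, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original")
        # orig plants 'debian' as a symlink out of the tree; debian then writes through it
        orig = build_tar([("debian", "symlink", outside)])
        debian = build_tar([("debian", "dir", None), ("debian/victim.txt", "file", "pwned")])

        src = os.path.join(work, "pkg-1.0")
        os.makedirs(src)
        naive_extract(orig, src)
        try:
            guarded_extract(debian, src)
            guarded_debian = "accepted"
        except EscapeError:
            guarded_debian = "rejected"
        naive_extract(debian, src)
        with open(victim) as fh:
            clobbered = fh.read()

        fresh = os.path.join(work, "pkg-1.0-fresh")
        os.makedirs(fresh)
        try:
            guarded_extract(orig, fresh)
            guarded_orig = "accepted"
        except EscapeError:
            guarded_orig = "rejected"
        return clobbered, guarded_debian, guarded_orig


if __name__ == "__main__":
    print(demo())   # ('pwned', 'rejected', 'rejected')
```

The guarded version checks both directions: a symlink member whose target leaves the tree is refused when it is first seen, and a later member whose path resolves through an already-planted symlink is refused before any write happens.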

[USN-5447-1] logrotate vulnerability [02:58]

  • 1 CVE addressed in Impish (21.10), Jammy (22.04 LTS)
  • logrotate uses a ‘state’ file to avoid parallel executions of itself - each instance takes a lock on this file as a mutex
  • if the file doesn’t exist it gets created - but it was created world-readable, which allows unprivileged users to take the lock on it (an exclusive flock only needs a descriptor, so read access is enough)
  • as such the real logrotate fails to run since it can’t get the lock -> DoS
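
The lock mechanics behind that DoS, as an added example (not logrotate's code): the state file is created with the weak 0644 bits and then with 0600, and a read-only open is shown to be enough to hold an exclusive flock and starve a second locker. It runs as a single user, so the permission bits are what separate the two cases; the cross-user denial itself is not exercised.

```python
"""Why a world-readable lock file is enough for a local DoS: flock(2) grants an exclusive
lock through a read-only descriptor, so any user who can open the file can hold the lock.
Added example, not logrotate's code; file names and modes are constructed for this note."""
import fcntl
import os
import tempfile


def create_state_file(path, mode):
    """Create the state file and force its permission bits to `mode` (chmod after create,
    since os.open's mode argument is masked by the umask). Returns the resulting bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    os.chmod(path, mode)
    return os.stat(path).st_mode & 0o777


def try_exclusive_lock(path):
    """Open read-only (all that world-readable permissions give another user) and try a
    non-blocking exclusive lock. Returns the fd holding the lock, or None if it is busy."""
    fd = os.open(path, os.O_RDONLY)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return fd
    except BlockingIOError:
        os.close(fd)
        return None


def others_can_open(mode):
    """True if 'other' has any access bit: the precondition for an unprivileged lock."""
    return bool(mode & 0o007)


def demo():
    with tempfile.TemporaryDirectory() as d:
        state = os.path.join(d, "logrotate.status")
        weak_mode = create_state_file(state, 0o644)       # the vulnerable permissions
        attacker = try_exclusive_lock(state)              # read-only open, lock acquired
        rotator = try_exclusive_lock(state)               # the real run finds it busy -> no rotation
        result = {
            "weak_mode": oct(weak_mode),
            "weak_others_can_open": others_can_open(weak_mode),
            "attacker_got_lock": attacker is not None,
            "rotator_blocked": rotator is None,
        }
        os.close(attacker)                                # attacker exits: lock released
        rotator = try_exclusive_lock(state)
        result["rotator_after_release"] = rotator is not None
        os.close(rotator)

        fixed = os.path.join(d, "logrotate.status.fixed")
        fixed_mode = create_state_file(fixed, 0o600)      # the corrected permissions
        result["fixed_mode"] = oct(fixed_mode)
        result["fixed_others_can_open"] = others_can_open(fixed_mode)
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the attacker never needs write access: flock does not care which mode the file was opened in, which is why the fix is to deny other users the open in the first place.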

[USN-5402-2] OpenSSL vulnerabilities [04:13]

[USN-5448-1] ncurses vulnerabilities [04:21]

[USN-5449-1] libXv vulnerability [04:58]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • Remote X server could trigger an OOB read in the X client via a crafted response -> crash -> DoS

[USN-5431-1] GnuPG vulnerability [04:24]

  • 1 CVE addressed in Bionic (18.04 LTS)
  • Weakness in the PGP/SKS keyserver design - if a key/certificate carries many signatures, GnuPG takes an inordinate amount of time to process them when fetching the key from a keyserver -> DoS
    • Certificate spamming attack - anyone can sign someone else’s cert and upload it, thereby attaching another signature to it on the SKS keyserver network
    • The OpenPGP spec doesn’t limit the number of signatures (the SKS keyserver network does - 150k)
    • So anyone can poison someone else’s cert by attaching a large number of signatures to it
    • GnuPG would download all of these signatures when importing the key and then proceed to validate them all
      • It would also do this when, say, validating a signature made by that poisoned cert
  • Fixed to no longer import third-party key signatures from keyservers by default and to fall back to importing only self-signatures on large keyblocks
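
A minimal OpenPGP packet walker, as an added example (not GnuPG code), showing the kind of cheap pre-check that makes a flooded certificate cost one scan rather than one signature verification per attached signature: it parses old- and new-format packet headers, counts signature packets in a keyblock and applies a size policy before anything is validated. The keyblock, the placeholder packet bodies and `MAX_SIGNATURES` are constructed for this note; the self-signature-only fallback mentioned above is not implemented, since that needs issuer-subpacket parsing.

```python
"""Minimal OpenPGP packet walker (RFC 4880 section 4.2 headers) that counts signature
packets in a keyblock so an import can apply a size policy before validating anything.
Added example, not GnuPG code; keyblock contents and MAX_SIGNATURES are constructed."""
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
MAX_SIGNATURES = 1000          # hypothetical policy limit for this example


def encode_packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-, two- or five-octet body length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def iter_packets(data: bytes):
    """Yield (tag, body) for old- and new-format headers. Partial-body and indeterminate
    lengths are rejected rather than guessed at."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {pos - 1}")
        if ctb & 0x40:                                  # new format
            tag = ctb & 0x3F
            o1 = data[pos]
            pos += 1
            if o1 < 192:
                n = o1
            elif o1 < 224:
                n = ((o1 - 192) << 8) + data[pos] + 192
                pos += 1
            elif o1 == 255:
                n = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old format
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            n = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        body = data[pos:pos + n]
        if len(body) != n:
            raise ValueError("truncated packet")
        pos += n
        yield tag, body


def signature_count(keyblock: bytes) -> int:
    return sum(1 for tag, _ in iter_packets(keyblock) if tag == TAG_SIGNATURE)


def import_decision(keyblock: bytes) -> str:
    """Count before verifying: a flooded cert costs a header scan, not N verifications."""
    n = signature_count(keyblock)
    return "import" if n <= MAX_SIGNATURES else f"refuse: {n} signatures"


def build_keyblock(num_sigs: int) -> bytes:
    """Constructed keyblock: key + user ID + num_sigs placeholder signature packets
    (252-byte bodies, so the two-octet length form is exercised)."""
    kb = encode_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 40)
    kb += encode_packet(TAG_USER_ID, b"Alice <alice@example.com>")
    sigs = (encode_packet(TAG_SIGNATURE, b"\x04\x10" + b"\x00" * 250) for _ in range(num_sigs))
    return kb + b"".join(sigs)


if __name__ == "__main__":
    print(import_decision(build_keyblock(5)))       # import
    print(import_decision(build_keyblock(1500)))    # refuse: 1500 signatures
```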

[USN-5452-1] NTFS-3G vulnerability [07:55]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • ntfsck tool failed to perform proper bounds checking on filesystem metadata - if an attacker could trick a user into running it on a crafted filesystem image they could possibly get code execution
    • Upstream has deprecated this tool and it is only present in the ntfs-3g-dev package, which is not installed by default

[USN-5453-1] FreeType vulnerability [08:38]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • OOB read when processing a crafted font file -> crash -> DoS

[USN-5454-1, USN-5454-2] CUPS vulnerabilities [08:50]

  • 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Upstream Apple advisory describes this as:
    • “Logic issue addressed with improved state management… An application may be able to gain elevated privileges”
  • Looks like it was discovered by Mandiant
    • CUPS provides the ability to authenticate via Basic Web Authentication or through a 32-byte randomly generated token created at runtime
    • The comparison function only compared the supplied token against the real one up to the length of the shorter input - so supplying an empty string compared 0 bytes and returned success!
  • The other two issues were memory handling bugs in IPP printing - a crafted print job could trigger an OOB read in CUPS -> crash -> DoS
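
The truncated comparison described above, as an added example (not CUPS code), beside a full-length constant-time check. `REAL_TOKEN` is a constructed stand-in for the hex-encoded runtime token. The prefix-recovery function goes one step past the note: a shortest-length compare is not only bypassed by an empty string, it is also a per-character oracle, so the whole token can be recovered in at most length × alphabet guesses.

```python
"""Shortest-length credential compare (bypassed by "" and usable as a prefix oracle)
next to a full-length constant-time check.
Added example, not CUPS code; REAL_TOKEN is constructed."""
import hmac

REAL_TOKEN = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"  # constructed
HEX = "0123456789abcdef"


def weak_token_check(supplied: str, real: str) -> bool:
    """Compares only as many characters as the shorter input has, like
    strncmp(a, b, min(strlen(a), strlen(b))) == 0. An empty string compares nothing and passes."""
    n = min(len(supplied), len(real))
    return supplied[:n] == real[:n]


def fixed_token_check(supplied: str, real: str) -> bool:
    """Reject on length mismatch, then compare every byte in constant time."""
    if len(supplied) != len(real):
        return False
    return hmac.compare_digest(supplied.encode(), real.encode())


def recover_via_prefix_oracle(oracle, alphabet=HEX, length=len(REAL_TOKEN)):
    """Extend a known-good prefix one character at a time. Returns None if the oracle
    never accepts a partial value, which is how the fixed check behaves."""
    known = ""
    for _ in range(length):
        for ch in alphabet:
            if oracle(known + ch):
                known += ch
                break
        else:
            return None
    return known


def demo():
    weak = lambda s: weak_token_check(s, REAL_TOKEN)
    fixed = lambda s: fixed_token_check(s, REAL_TOKEN)
    return {
        "weak_accepts_empty": weak(""),
        "fixed_accepts_empty": fixed(""),
        "weak_accepts_prefix": weak(REAL_TOKEN[:4]),
        "weak_recovered": recover_via_prefix_oracle(weak),
        "fixed_recovered": recover_via_prefix_oracle(fixed),
        "fixed_accepts_real": fixed(REAL_TOKEN),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```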

[USN-5451-1] InfluxDB vulnerability [10:39]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Similar authentication bug in InfluxDB - could bypass authentication by supplying a JWT signed with an empty SharedSecret
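
An HS256 JWT check that is satisfied by a token signed with an empty shared secret, beside one that refuses to authenticate when no secret is configured. This is an added example written for this note, not InfluxDB code; it assumes only what the note states (a JWT verified against a server-side shared secret) and adds an `exp` check as good practice.

```python
"""HS256 JWT verification that trusts an empty configured secret, next to one that
refuses to run without a secret. Added example, not InfluxDB code; claims and secrets
are constructed."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: str) -> str:
    """Client side. The attack is simply calling this with secret=""."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def _verified_claims(token: str, secret: str):
    """Signature check shared by both verifiers; returns the claims dict or None."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None                                  # never let the token pick the algorithm
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))


def verify_jwt_weak(token: str, configured_secret: str):
    """Uses whatever is configured, including "" when the operator never set a secret,
    so a token the attacker signed with "" verifies."""
    return _verified_claims(token, configured_secret)


def verify_jwt_fixed(token: str, configured_secret: str, now=None):
    """Refuses JWT auth outright without a configured secret, and also enforces exp."""
    if not configured_secret:
        raise ValueError("shared-secret not configured; JWT authentication disabled")
    claims = _verified_claims(token, configured_secret)
    if claims is None:
        return None
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def demo():
    far_future = 4102444800                                   # constructed exp (year 2100)
    forged = make_jwt({"username": "admin", "exp": far_future}, "")       # signed with ""
    legit = make_jwt({"username": "admin", "exp": far_future}, "s3cret")
    expired = make_jwt({"username": "admin", "exp": 1}, "s3cret")
    out = {
        "weak_unconfigured_accepts_forged": verify_jwt_weak(forged, "") is not None,
        "weak_configured_rejects_forged": verify_jwt_weak(forged, "s3cret") is None,
        "fixed_configured_accepts_legit": verify_jwt_fixed(legit, "s3cret") is not None,
        "fixed_rejects_expired": verify_jwt_fixed(expired, "s3cret") is None,
    }
    try:
        verify_jwt_fixed(forged, "")
        out["fixed_unconfigured"] = "accepted"
    except ValueError:
        out["fixed_unconfigured"] = "refused"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The weak verifier is cryptographically correct for the secret it is given; the flaw is treating "no secret configured" as "the secret is the empty string", which the attacker can reproduce. Fail closed when the secret is missing.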

[USN-5442-2] Linux kernel vulnerabilities [11:06]

  • 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • 5.4 - GCP/GKE/IBM/Oracle/Raspi
  • Bing-Jhong Billy Jheng found an integer overflow in io_uring - an unprivileged user could spam requests that would eventually overflow a counter, which could then be used to trigger an OOB write -> controlled memory corruption -> privesc
  • Similarly, Jann Horn (GPZ) found the kernel didn’t properly check the privileges of a process when allowing it to set a flag that disables seccomp filters on another process or on itself
    • Could allow an unprivileged process to turn off seccomp for itself / other processes and so bypass intended access restrictions
  • Regular kernel security bug - ref count issue in the network queueing subsystem -> UAF - triggerable by a local attacker -> crash / code execution

[USN-5443-2] Linux kernel vulnerabilities [12:47]

[USN-5457-1] WebKitGTK vulnerabilities [12:58]

Goings on in Ubuntu Security Community

Hiring

Security Engineer - Ubuntu [13:25]

Security Certifications Product Manager - CIS, FIPS, FedRAMP and more [14:24]

Get in contact