Episode 177

Posted on Friday, Sep 16, 2022
Alex talks with special guests Nishit Majithia and Matthew Ruffell about a recent systemd regression on Ubuntu 18.04 LTS plus we cover security updates for Dnsmasq, the Linux kernel, poppler, .NET 6, rust-regex and more.

Show Notes

This week in Ubuntu Security Updates

28 unique CVEs addressed

[USN-4976-2] Dnsmasq vulnerability [00:55]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • [USN-4976-1] Dnsmasq vulnerability (covered in Episode 118)
  • Failed to properly randomise the source port (i.e. used a fixed port) when forwarding queries while configured to use a specific upstream server for a given network interface - a remote attacker could then perform cache poisoning attacks far more easily (once the source port is known, only the 16-bit transaction ID needs to be guessed for a forged reply to be accepted)
    • As I said back in Episode 118, this is very similar to the issues that were discovered back in 2008 by Dan Kaminsky - the whole reason source port randomisation was introduced as part of the DNS protocol
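To make the forged-reply arithmetic concrete, here is an added Python model written for these notes (not Dnsmasq's code) of a forwarder's acceptance check and an attacker's burst of spoofed replies within one race window, with the source port either fixed and known to the attacker or drawn from the Linux default ephemeral range 32768-60999 (an assumption; that range is a tunable). It ignores the question-section match and the race against the genuine reply, and covers a single window only.

```python
"""Why a fixed forwarding source port makes a forged DNS reply cheap to land.

Added illustration for these show notes (not Dnsmasq code): a forwarder accepts
a reply only if it arrives on the socket's source port and carries the
transaction ID of the outstanding query, so an off-path attacker's search
space is (ports) x (transaction IDs).  With the port fixed and known, only the
16-bit transaction ID is left to guess.
"""
import random

TXID_SPACE = 1 << 16                      # DNS transaction ID is 16 bits
# Assumption: randomised ports come from the Linux default ephemeral range
# 32768-60999 (net.ipv4.ip_local_port_range); 28232 possible ports.
EPHEMERAL_PORTS = range(32768, 61000)
KNOWN_FIXED_PORT = 40000                  # hypothetical fixed port the attacker has learned


def burst_lands(outstanding, burst):
    """Acceptance check modelled on a forwarder: the first reply whose
    (port, txid) matches the outstanding query is accepted, so a burst of
    forged replies succeeds iff that pair is among the burst's guesses.
    Source address and question section are assumed to be spoofed correctly."""
    return outstanding in burst


def per_window_success(burst_size, port_choices):
    """Analytic probability that one burst of `burst_size` distinct
    (port, txid) guesses, all sent before the genuine reply arrives,
    matches the single outstanding query."""
    space = TXID_SPACE * port_choices
    return min(1.0, burst_size / space)


def simulate(fixed_port, burst_size=TXID_SPACE, trials=2000, seed=1):
    """Monte Carlo version: fraction of race windows in which the attacker's
    burst lands.  Returns a float in [0, 1]; deterministic for a given seed."""
    rng = random.Random(seed)
    burst_size = min(burst_size, TXID_SPACE)
    if fixed_port:
        # Port is known, so one forged reply per candidate transaction ID.
        burst = {(KNOWN_FIXED_PORT, txid) for txid in range(burst_size)}
    else:
        # Port unknown: every forged reply must guess the port as well.
        burst = {(rng.choice(EPHEMERAL_PORTS), txid) for txid in range(burst_size)}
    hits = 0
    for _ in range(trials):
        port = KNOWN_FIXED_PORT if fixed_port else rng.choice(EPHEMERAL_PORTS)
        outstanding = (port, rng.randrange(TXID_SPACE))   # the forwarder's query
        if burst_lands(outstanding, burst):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("fixed port,  65536-reply burst:",
          per_window_success(TXID_SPACE, 1), simulate(True))
    print("random port, 65536-reply burst:",
          per_window_success(TXID_SPACE, len(EPHEMERAL_PORTS)), simulate(False))
```

With the port fixed, a burst of 65536 forged replies covers every transaction ID and lands in every window; with a randomised port the same burst succeeds in roughly one window in 28,000, which is the whole benefit of source port randomisation.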

[USN-5602-1] Linux kernel (Raspberry Pi) vulnerabilities [02:11]

[USN-5603-1] Linux kernel (Raspberry Pi) vulnerabilities [02:29]

[USN-5605-1] Linux kernel (Azure CVM) vulnerabilities [02:38]

[USN-5523-2] LibTIFF vulnerabilities [02:45]

[USN-5604-1] LibTIFF vulnerabilities [03:13]

[USN-5606-1] poppler vulnerability [03:23]

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Integer overflow in the JBIG2 decoder -> heap buffer overflow via a crafted PDF / JBIG2 image - very similar to CVE-2022-38171 in xpdf
    • poppler started life as a fork of the xpdf-3.0 code but has since diverged so much that, in general, a vulnerability in one cannot be assumed to exist in the other, hence the separate CVE IDs for these two

[USN-5607-1] GDK-PixBuf vulnerability [04:11]

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Heap buffer overflow when decoding the LZW-compressed stream from GIF files

[USN-5608-1] DPDK vulnerability [04:26]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • A crafted vhost header could cause a denial of service

[USN-5609-1] .NET 6 vulnerability [04:39]

[USN-5583-2] systemd regression [05:16]

  • 1 CVE addressed in Bionic (18.04 LTS)
  • Mentioned in passing in each of the last two episodes

[USN-5610-1] rust-regex vulnerability

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • ReDoS in the regex crate - the crate already includes various mitigations against DoS via untrusted regexes (and users of the crate can tune them), but these could be bypassed by a regex specifying an empty subexpression to be matched up to, say, 294 million times - this still gets compiled yet evades the existing mitigations because the empty subexpression takes no memory, while compiling it takes a lot of CPU time
  • Fixed by changing the code so that each empty subexpression is charged a notional amount of memory, so the existing detection logic trips within a reasonable amount of time
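The compile-time blowup and the fix are easiest to see on a toy compiler. The following is an added Python model written for these notes, not the regex crate's code: a tiny pattern grammar (literal characters, ( ) groups and {n} counts) is unrolled into a flat instruction list under a size limit modelled on the crate's tunable program-size mitigation, and a `charge_empty` switch models the fix of charging notional space for every repetition whose body emitted nothing. The repeat count is 300,000 rather than the 294 million mentioned above so it runs in well under a second.

```python
"""Toy regex compiler with a program-size limit, showing how a repeated empty
group burns CPU without growing the program, and how charging a notional
size per empty repetition makes the limit trip again.

Added illustration for these show notes; it is not the regex crate's code.
Grammar: literal characters, ( ) groups, and {n} counts.
"""
import re


class CompileError(Exception):
    def __init__(self, msg, work):
        super().__init__(msg)
        self.work = work          # emit steps spent before giving up


def _parse(pattern, pos=0, in_group=False):
    """Recursive-descent parse into nodes:
    ("char", c), ("group", [nodes]), ("repeat", node, n)."""
    seq = []
    while pos < len(pattern):
        c = pattern[pos]
        if c == ')':
            if not in_group:
                raise CompileError("unbalanced ')'", 0)
            return seq, pos + 1
        if c == '(':
            inner, pos = _parse(pattern, pos + 1, in_group=True)
            node = ("group", inner)
        else:
            node, pos = ("char", c), pos + 1
        m = re.match(r"\{(\d+)\}", pattern[pos:])
        if m:                                   # {n} applies to the preceding node
            node, pos = ("repeat", node, int(m.group(1))), pos + m.end()
        seq.append(node)
    if in_group:
        raise CompileError("unbalanced '('", 0)
    return seq, pos


def compile_pattern(pattern, size_limit=10_000, charge_empty=False):
    """Unroll the parse tree into a flat program of ("char", c) instructions
    ending in ("match",).

    size_limit models the existing memory-based mitigation: compilation aborts
    once the program would exceed it.  charge_empty=True models the fix: a
    repetition whose body emitted nothing is still charged one unit, so
    "(){N}" is aborted after about size_limit iterations instead of N.
    Returns (program, work) where work counts emit steps, i.e. CPU cost."""
    ast, _ = _parse(pattern)
    prog, work, charged = [], 0, 0

    def account(units):
        nonlocal charged
        charged += units
        if charged > size_limit:
            raise CompileError(f"compiled program exceeds size_limit={size_limit}", work)

    def emit(node):
        nonlocal work
        work += 1
        kind = node[0]
        if kind == "char":
            prog.append(("char", node[1]))
            account(1)                          # real instruction: real space
        elif kind == "group":
            for child in node[1]:
                emit(child)
        else:                                   # ("repeat", body, n): unroll n times
            for _ in range(node[2]):
                before = len(prog)
                emit(node[1])
                if charge_empty and len(prog) == before:
                    account(1)                  # empty body: charge notional space

    for node in ast:
        emit(node)
    prog.append(("match",))
    return prog, work


if __name__ == "__main__":
    EVIL = "(){300000}"      # same shape as the reported pattern, far fewer repeats
    prog, work = compile_pattern(EVIL)
    print(f"unfixed: program has {len(prog)} instruction(s) after {work} steps")
    try:
        compile_pattern(EVIL, charge_empty=True)
    except CompileError as e:
        print(f"fixed:   aborted after {e.work} steps: {e}")
```

Without the fix the empty-group pattern compiles to a one-instruction program after 300,001 emit steps, so a memory-only limit never fires; a pattern that genuinely grows the program, such as `a{20000}`, is caught either way. With `charge_empty=True` the same evil pattern is rejected after roughly `size_limit` steps.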

[USN-5611-1] WebKitGTK vulnerability [06:53]

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Out-of-bounds write via malicious web content - Apple reported this as being actively exploited against iOS users (Safari is built on WebKit)

Goings on in Ubuntu Security Community

Discussion of the recent systemd regression in Ubuntu 18.04 LTS with Nishit Majithia and Matthew Ruffell [07:49]

Get in contact