Episode 178

Show Notes

Overview

You can’t test your way out of security vulnerabilities (at least when writing your code in C), plus we cover security updates for Intel Microcode, vim, Wayland, the Linux kernel, SQLite and more.

This week in Ubuntu Security Updates

68 unique CVEs addressed

[USN-5606-2] poppler regression [00:45]

Affecting Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
[USN-5606-1] poppler vulnerability from Episode 177 - integer overflow in JBIG2 decoder
When backporting the series of patches, missed one that updated the CMakeLists.txt to ensure a new header file that was added as part of the security update is actually installed by the libpoppler-dev package - without this if installed the update and then tried to recompile something locally it would fail

[USN-5612-1] Intel Microcode vulnerability [01:29]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2022-21233
Latest upstream Intel Microcode release (IPU 2022.2) - only security relevant for SGX

[USN-5613-1, USN-5613-2] Vim vulnerabilities [01:54]

7 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
Various buffer overflows and the like that could be triggered when editing crafted files - have said in the past that vim is fast becoming one of the most security-patched packages in Ubuntu - all driven by their bug-bounty https://huntr.dev/repos/vim/vim/

[USN-5614-1] Wayland vulnerability [02:17]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2021-3782
Reference count overflow - used a 32-bit int to count the number of references - but on a 64-bit machine it is quite possible that a malicious client could allocate a huge amount of buffers to overflow and then possibly get a UAF - highly unlikely to be able to exploit in practice since would also need a large number of connections to the compositor as well - fixed by limiting the max number of objects that can be allocated

[USN-5615-1] SQLite vulnerabilities [03:01]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
NULL ptr deref, OOB read, unicode parsing issue - disputed by upstream as an actual vuln
Has such a large amount of tests - https://www.sqlite.org/testing.html
- for 151 KSLOC has 92,038 KSLOC of tests -> 608 times as much code in tests that the actual library itself
- 4 different test harnesses, 100% branch coverage, OOM tests, I/O error tests, fuzz tests, boundary conditions, regression tests, valgrind, UB etc
- yet still has new vulns discovered every now and then
- you can’t test your way out of security issues - at least when you write your code in C which has just too many different operations that have UB
- you can perhaps do it via formal methods (seL4 etc) but is very expensive..
  - $200-400/LoC
  - eg. to formally prove SQLite would then cost ~$18.4M-$36.8M
- use rust?
  - would hopefully help at least for the first 2 issues - can still have logic flaws and hence security vulns (eg. failing to properly validate a TLS cert or similar)

[USN-5616-1] Linux kernel (Intel IoTG) vulnerabilities [06:00]

10 CVEs addressed in Jammy (22.04 LTS)
5.15
Some of these have covered previously
- Intel 10GbE PCI Express driver, IP source port randomisation failure, perf UAF, KVM NULL ptr deref, various file-system OOB R/W etc

[USN-5621-1] Linux kernel vulnerabilities [06:32]

2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
4.15 GA 18.04 LTS, HWE 16.04 ESM
- CVE-2022-36946
- CVE-2021-33655
console framebuffer and netfilter OOB writes covered in previous episodes

[USN-5622-1] Linux kernel vulnerabilities [06:57]

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
5.4 GA 20.04 LTS / HWE 18.04 LTS

x*** [USN-5624-1] Linux kernel vulnerabilities [07:05]

11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
5.15 GA 22.04 LTS / Azure 20.04 LTS

[USN-5623-1] Linux kernel (HWE) vulnerabilities [07:12]

21 CVEs addressed in Focal (20.04 LTS)
5.15 20.04 HWE
all the vulns mentioned earlier plus a bunch in Xen (kernel side) - impact ranges from crashing guest and exposing its memory to DoS services on the host

[USN-5617-1] Xen vulnerabilities [07:45]

20 CVEs addressed in Focal (20.04 LTS)
Community contributed update for xen - almost wins the award for the most CVEs patched in a single update for this week
Most issues allow a malicious guest to attack the host -> DoS, privesc, code-exec etc

[USN-5619-1] LibTIFF vulnerabilities [08:17]

7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
Another package vying for most security updates recently
Usual memory corruption issues when handling crafted files - stack / heap buffer overflows etc

[USN-5618-1] Ghostscript vulnerability [08:49]

1 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2020-27792
Heap buffer overflow when parsing a crafted PDF

[USN-5626-1] Bind vulnerabilities [08:58]

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
Memory leaks when handling certain crypto algorithms with DNSSEC, resource-based DoS, buffer over-read -> info leak / crash, assertion-based crash via crafted query

[USN-5625-1] Mako vulnerability [09:22]

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2022-40023
ReDoS via crafted content

Goings on in Ubuntu Security Community

Preparing for the release of Ubuntu Pro [09:44]

Team has worked on this for the last few years - finally will see the light of day in the coming week or two - more details to come