Episode 178

Posted on Friday, Sep 23, 2022
You can’t test your way out of security vulnerabilities (at least when writing your code in C), plus we cover security updates for Intel Microcode, vim, Wayland, the Linux kernel, SQLite and more.

Show Notes

Overview

You can’t test your way out of security vulnerabilities (at least when writing your code in C), plus we cover security updates for Intel Microcode, vim, Wayland, the Linux kernel, SQLite and more.

This week in Ubuntu Security Updates

68 unique CVEs addressed

[USN-5606-2] poppler regression [00:45]

  • Affecting Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • [USN-5606-1] poppler vulnerability from Episode 177 - integer overflow in JBIG2 decoder
  • When backporting the series of patches, missed one that updated the CMakeLists.txt to ensure a new header file that was added as part of the security update is actually installed by the libpoppler-dev package - without this if installed the update and then tried to recompile something locally it would fail

[USN-5612-1] Intel Microcode vulnerability [01:29]

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Latest upstream Intel Microcode release (IPU 2022.2) - only security relevant for SGX

[USN-5613-1, USN-5613-2] Vim vulnerabilities [01:54]

[USN-5614-1] Wayland vulnerability [02:17]

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Reference count overflow - used a 32-bit int to count the number of references - but on a 64-bit machine it is quite possible that a malicious client could allocate a huge amount of buffers to overflow and then possibly get a UAF - highly unlikely to be able to exploit in practice since would also need a large number of connections to the compositor as well - fixed by limiting the max number of objects that can be allocated

[USN-5615-1] SQLite vulnerabilities [03:01]

  • 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • NULL ptr deref, OOB read, unicode parsing issue - disputed by upstream as an actual vuln
  • Has such a large amount of tests - https://www.sqlite.org/testing.html
    • for 151 KSLOC has 92,038 KSLOC of tests -> 608 times as much code in tests that the actual library itself
    • 4 different test harnesses, 100% branch coverage, OOM tests, I/O error tests, fuzz tests, boundary conditions, regression tests, valgrind, UB etc
    • yet still has new vulns discovered every now and then
    • you can’t test your way out of security issues - at least when you write your code in C which has just too many different operations that have UB
    • you can perhaps do it via formal methods (seL4 etc) but is very expensive..
      • $200-400/LoC
      • eg. to formally prove SQLite would then cost ~$18.4M-$36.8M
    • use rust?
      • would hopefully help at least for the first 2 issues - can still have logic flaws and hence security vulns (eg. failing to properly validate a TLS cert or similar)

[USN-5616-1] Linux kernel (Intel IoTG) vulnerabilities [06:00]

[USN-5621-1] Linux kernel vulnerabilities [06:32]

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • 4.15 GA 18.04 LTS, HWE 16.04 ESM
  • console framebuffer and netfilter OOB writes covered in previous episodes

[USN-5622-1] Linux kernel vulnerabilities [06:57]

x*** [USN-5624-1] Linux kernel vulnerabilities [07:05]

[USN-5623-1] Linux kernel (HWE) vulnerabilities [07:12]

[USN-5617-1] Xen vulnerabilities [07:45]

[USN-5619-1] LibTIFF vulnerabilities [08:17]

[USN-5618-1] Ghostscript vulnerability [08:49]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • Heap buffer overflow when parsing a crafted PDF

[USN-5626-1] Bind vulnerabilities [08:58]

[USN-5625-1] Mako vulnerability [09:22]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • ReDoS via crafted content

Goings on in Ubuntu Security Community

Preparing for the release of Ubuntu Pro [09:44]

  • Team has worked on this for the last few years - finally will see the light of day in the coming week or two - more details to come

Get in contact