Episode 184

Posted on Friday, Dec 9, 2022
This week we cover Mark Esler’s keynote address from UbuCon Asia 2022 on Improving FOSS Security, plus we look at security vulnerabilities and updates for snapd, the Linux kernel, ca-certificates and more.

Show Notes

This week in Ubuntu Security Updates

42 unique CVEs addressed

[USN-5753-1] snapd vulnerability [01:08]

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Follow-up to the last snapd vulnerability (see Oh Snap! More Lemmings (Local Privilege Escalation in snap-confine) from Episode 149)
  • https://blog.qualys.com/vulnerabilities-threat-research/2022/11/30/race-condition-in-snap-confines-must_mkdir_and_open_with_perms-cve-2022-3328
  • A slightly simplified explanation is as follows
  • Part of that earlier vulnerability was that snap-confine creates a private tmp for each snap, and this is created under the system's real /tmp so that its disk usage etc gets accounted for as part of the normal /tmp
  • But /tmp is world writable, so an unprivileged user can trivially pre-create the expected per-snap directory and populate it with their own contents; snap-confine, which is setuid root, then operates on attacker-controlled content while building the snap's private /tmp and mount namespace, and that is what was turned into privilege escalation to root
  • The original fix checked whether that path was appropriately owned by root with the expected permissions; if not, snap-confine created a fresh directory with a random name, moved the impostor out of the way and then put the new directory in its place via rename()
  • That two-step rename sequence is not atomic, so it can be raced; the fix included additional checks intended to catch a lost race, but Qualys found a way to win the race and evade those checks (CVE-2022-3328)
  • The new fix uses systemd-tmpfiles to create /tmp/snap-private-tmp/ at boot, owned by root with restrictive (root-only) permissions
  • snap-confine then creates each snap's private /tmp inside that directory, where unprivileged users cannot create, replace or rename anything, so there is nothing left to race
  • Thanks to Qualys for their help in reporting this and reviewing patches etc
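As an added illustration of the design in the last two bullets (this is example code, not snapd's own source), the safe pattern is: open a parent directory that only root can write, verify ownership and mode on the open file descriptor rather than on a path, create the per-snap directory with mkdirat() relative to that descriptor, and refuse outright if something unexpected is already there instead of trying to rename it away. The throwaway parent path under /tmp, the snap name snap.example and the use of the calling user's uid in place of root (so the demo runs unprivileged) are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` (relative to dirfd) without following a symlink at the final
 * component, then verify on the open fd that it is a real directory owned by
 * `owner` with exactly mode `want_mode`.  Checking the fd rather than the path
 * closes the stat-then-open TOCTOU window.  Returns the fd, or -1. */
static int open_checked_dir(int dirfd, const char *path, uid_t owner, mode_t want_mode)
{
    int fd = openat(dirfd, path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & 07777) != want_mode) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Create (or reuse) parent/name as the private tmp for one snap.  The parent
 * must already be owned by `owner` with mode 0700 (like the boot-time
 * /tmp/snap-private-tmp), so nobody else can plant an impostor or race the
 * creation.  If `name` exists but fails the checks we refuse rather than
 * trying to rename it out of the way.  Returns an fd on the directory, or -1. */
int open_private_tmp(const char *parent, const char *name, uid_t owner)
{
    int pfd = open_checked_dir(AT_FDCWD, parent, owner, 0700);
    if (pfd < 0)
        return -1;
    /* mkdirat() is relative to the already-verified parent fd; EEXIST is fine,
     * the ownership/mode check below decides whether the existing dir is ours. */
    if (mkdirat(pfd, name, 0700) < 0 && errno != EEXIST) {
        close(pfd);
        return -1;
    }
    int fd = open_checked_dir(pfd, name, owner, 0700);
    close(pfd);
    return fd;
}

/* Demo harness (constructed scenario): build a throwaway parent under /tmp
 * with the given mode, optionally pre-plant an impostor child the way an
 * attacker would in a world-writable /tmp, and report whether
 * open_private_tmp() accepted it.  Returns 1 = accepted, 0 = refused. */
int run_demo(mode_t parent_mode, int plant_impostor)
{
    char parent[] = "/tmp/sptmp-demo-XXXXXX";   /* assumed scratch location */
    if (mkdtemp(parent) == NULL)
        return -1;
    chmod(parent, parent_mode);
    const char *name = "snap.example";          /* hypothetical snap name */
    char child[256];
    snprintf(child, sizeof child, "%s/%s", parent, name);
    if (plant_impostor) {
        mkdir(child, 0777);
        chmod(child, 0755);   /* not the 0700 we require, regardless of umask */
    }
    int fd = open_private_tmp(parent, name, getuid());
    int ok = fd >= 0;
    if (fd >= 0)
        close(fd);
    rmdir(child);
    rmdir(parent);
    return ok;
}

int main(void)
{
    printf("0700 parent, fresh child:      %s\n", run_demo(0700, 0) == 1 ? "accepted" : "refused");
    printf("1777 parent (like /tmp):       %s\n", run_demo(01777, 0) == 1 ? "accepted" : "refused");
    printf("0700 parent, planted impostor: %s\n", run_demo(0700, 1) == 1 ? "accepted" : "refused");
    return 0;
}
```

Run it as an ordinary user: the 0700 parent with a fresh child is accepted, a 1777 parent like the top-level /tmp is refused before anything is created, and a pre-planted child with the wrong mode is refused instead of being shuffled aside with rename(). On a patched system the equivalent check is that /tmp/snap-private-tmp exists, is owned by root and is not writable by anyone else (`stat /tmp/snap-private-tmp`).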

[USN-5743-2] LibTIFF vulnerability [05:10]

[USN-5752-1] Linux kernel (Azure CVM) vulnerabilities [05:20]

[USN-5754-1] Linux kernel vulnerabilities [05:50]

[USN-5755-1] Linux kernel vulnerabilities [06:18]

[USN-5756-1] Linux kernel vulnerabilities [06:55]

[USN-5757-1] Linux kernel vulnerabilities

[USN-5757-2] Linux kernel vulnerabilities

[USN-5758-1] Linux kernel vulnerabilities

[USN-5756-2] Linux kernel (GKE) vulnerabilities

[USN-5755-2] Linux kernel vulnerabilities

[USN-5759-1] LibBPF vulnerabilities [07:06]

[USN-5760-1, USN-5760-2] libxml2 vulnerabilities [07:19]

  • 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM) (first two above)
  • NULL pointer dereference, double-free, and an out-of-bounds read due to an integer overflow when parsing multi-gigabyte XML files

[USN-5761-1, USN-5761-2] ca-certificates update [07:37]

  • Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Removal of the TrustCor CA certificates - upstream Mozilla has marked them as distrusted for certificates issued after 30 November 2022 - but ca-certificates has no mechanism to distrust a CA only after a given date, so the roots were removed entirely and anything chaining to TrustCor is now untrusted
  • TrustCor reportedly has very close ties (potentially the same owners) to other companies that have built spyware and surveillance technologies
  • https://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/
  • Looking at certificate transparency logs, only a few downstream sites appear to be distrusted as a result - in particular a number of hostnames under the dynamic DNS provider noip.com
  • Thanks to JanC in #ubuntu-security for discussing this with the team

[USN-5762-1] GNU binutils vulnerability [09:51]

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5764-1] U-Boot vulnerabilities

[USN-5763-1] NumPy vulnerabilities

Goings on in Ubuntu Security Community

Mark Esler at UbuCon Asia 2022 [10:00]

  • UbuCon Asia 2022 is a conference held in Asia focussing on Ubuntu, Linux and F/OSS in general
  • First one was held last year as a fully virtual conference
  • This year was in person in Seoul, South Korea
  • Mark Esler from the Ubuntu Security team delivered the keynote address on how Canonical does security maintenance for Ubuntu, with advice on how F/OSS projects can better handle security vulnerabilities and coordinate with downstreams like Ubuntu to keep all users of their software safe
  • Covers how we maintain stable versions of each package in a given release and backport fixes on top, how we handle any potential regressions, how CVEs are (unfortunately) a normal part of software, and some common examples of different kinds of CVEs
  • How we handle disclosure of vulnerabilities
  • The process of how we do security updates in Ubuntu (patching, testing, releasing etc)
  • And then how upstream F/OSS projects can better handle security issues and work with the security community
  • https://2022.ubucon.asia/sessions/keynote/
  • Slides including speaker notes
  • Video of the session is at https://youtu.be/N5nVSXV9Hbk?t=480 - Mark’s presentation begins right at about 8 minutes in

Get in contact